The victim's phone number is enough for a cybercriminal to take over their account

Sep 20, 2012 06:37 GMT

Present at the EUSecWest security conference in Amsterdam, independent security researcher Bogdan Alecu has unveiled his findings on GSM vulnerabilities in a paper entitled “Using HTTP headers pollution for mobile networks attacks.”

The attacks he has demonstrated target the Wireless Application Protocol (WAP) and Web portals on which the customers of mobile operators can perform specific tasks such as transferring money, downloading content and subscribing to certain services.

“I have found a way to browse the dedicated page of mobile operators for their customers, while pretending to be any customer. This page is usually automatically set to open when you get your Internet settings on your phone,” Alecu told Softpedia just before the conference.

“For this exploit all I need to know is the target phone number. This number gets injected into the traffic by adding or modifying specific HTTP headers that are used by the operators for billing the right customer.”

Depending on the services offered by the carrier on these websites, cybercriminals can abuse the security holes for their own gain.

“Some allow you to buy ringtones, games, themes, subscribe to daily quotes or online streaming, others let you even change specific options for your number like setting a ring-back tone, recharge a prepay account, change Roaming status.

“And there are other operators that have exposed even online mobile banking services, which in general are tied to the customer's number. So, it really depends on what the operators chose to put on this dedicated page,” he noted.

“It's not much a criminal can do rather than making someone else pay for his shopping. A criminal might also gain access to your private details (address, online subscriptions, email, etc). Of course, if we think about social engineering, then the danger is even higher.”

Apparently, there’s also a way for shady companies to take advantage of these flaws. Third-party mobile content providers can enter agreements with the carrier and secretly subscribe customers to their paid services.

However, this attack is risky because, as the expert highlights, victims will notice the fraudulent payments and report them.

A majority of the sites tested by the researcher – belonging to operators from all over the world – have been found to be vulnerable to the attack method he identified. But, before making his findings public, the researcher contacted all the affected companies and warned them of the risks.

“I have contacted all the operators that I've found to be vulnerable to such an attack. Also thanks to one of them, I have reported the issue to the GSM Association (GSMA) who has sent a warning to all of the mobile operators in the world,” he explained.

“What I really appreciated was that most of the operators have addressed these issues fast enough and generally I had a good communication with them.”

On the other hand, he reveals that not all of the affected companies have addressed these issues.

“Most of the problems seem to be with the 3rd party content providers as the operators need somehow to send to the 3rd party the number of their subscriber, when the user is redirected to their site - and usually this is done by HTTP headers,” Alecu noted.

As always, we’ve asked the expert for advice on how regular users can protect themselves against such attacks. Unfortunately, as with his other research, such as the SIM Toolkit attack, there’s not much that users can do.

Only the operator can fix the vulnerabilities and some of them have already started implementing additional security measures.
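One way an operator-side fix can look, as an added example that is not code from Alecu's paper or from any operator: the gateway discards identity headers sent by the handset and sets signed ones itself, and the portal or content provider rejects anything unsigned, duplicated or stale. The header names, the shared key, the 60-second validity window and the phone numbers are assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical header names: the article does not say which headers operators use.
NUM, TS, SIG = "x-subscriber-number", "x-subscriber-ts", "x-subscriber-sig"
IDENTITY = {NUM, TS, SIG}
MAX_AGE = 60  # seconds a signed identity stays valid (assumed value)
KEY = b"demo-key-shared-by-gateway-and-portal"  # constructed demo key


def _mac(key, number, ts):
    return hmac.new(key, f"{number}|{ts}".encode(), hashlib.sha256).hexdigest()


def gateway_forward(client_headers, network_number, now, key):
    """Operator gateway: strip every client-supplied identity header, then set
    them from the number the network authenticated for this data session."""
    kept = [(k, v) for k, v in client_headers if k.lower() not in IDENTITY]
    ts = str(int(now))
    return kept + [(NUM, network_number), (TS, ts), (SIG, _mac(key, network_number, ts))]


def naive_portal(headers):
    """Weak pattern described in the article: bill whatever number the header says."""
    for k, v in headers:
        if k.lower() == NUM:
            return v
    return None


def hardened_portal(headers, now, key):
    """Return the subscriber number only if it is unique, fresh and signed."""
    seen = {}
    for k, v in headers:
        k = k.lower()
        if k in IDENTITY:
            if k in seen:  # duplicate identity header: treat as pollution
                return None
            seen[k] = v
    if set(seen) != IDENTITY or not seen[TS].isdecimal():
        return None
    if abs(now - int(seen[TS])) > MAX_AGE:
        return None
    expected = _mac(key, seen[NUM], seen[TS])
    return seen[NUM] if hmac.compare_digest(seen[SIG].encode(), expected.encode()) else None


# Constructed sample: a request whose sender added someone else's number.
FORGED = [("User-Agent", "demo"), ("X-Subscriber-Number", "0700000001")]
```

The signature only helps if the key never leaves the operator's gateway and the verifying back end, and if the portal is unreachable except through that gateway.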

According to the researcher, in certain countries, companies allow their customers to unsubscribe from any form of premium rate billing, but that’s not enough to prevent these attacks. Other carriers have implemented a system that warns users via SMS in case the mobile portal is accessed or content is downloaded.

However, additional solutions are needed to ensure that customers are completely protected.

“If you ask me, a first step would be to make the first line customer service report anything unusual to the 2nd or 3rd line when the customer complains about a strange or wrong billing on his number, because generally I noticed a tendency to make the problem go away by accusing the customer of wrong usage of the phone,” he concluded.