Spoofing your IdentityBreaking Self Service Security Mechanisms

IT-SeCX 2016 04/11/2016

@slashcrypto

~$ id

• David Wind

• Bachelor degree in IT Security at the University of Applied Sciences St. Pölten

• Currently Master in Information Security

• Working for XSEC in Vienna (mainly doing Pentesting)

• Privacy enthusiast and bug bounty hunter

“Self Service Security Mechanisms”

© by slashcrypto

Self Service Security Mechanisms

• Password reset– Email

– Voice call, SMS

– Security question

• 2 Factor Authentication

• ...

Basically everything which can be used to identify you without the need of a human.

Bugs affecting SSSM

Facebook

● 6 digit PIN via SMS or Email ● Rate limiting on facebook.com

– Blocked after 10-12 attempts

● No rate limiting on beta.facebook.com and mbasic.beta.facebook.com

Facebook Password Reset PIN Bruteforce

http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html

● Attacker initiates password reset● Ebay leaks “secret” token to attacker

What could possibly go wrong?!

Ebay Password Reset Vulnerability

http://yasserali.com/how-i-could-change-your-ebay-password/

http://yasserali.com/how-i-could-change-your-ebay-password/

Alice EbayMallory

Forgot password

Username/Email

Password reset link

Alice clicks link

Mallory intercepts request and saves “secret” token

Mallory changes password

What about Spoofing?

sendEmail -f "johann.haag@fhstp.ac.at" -t isXXXXXX@fhstp.ac.at -u "Noten" -s mail.XXX.XXX -o tls=yes -xu user@mail.XXX.XXX

-o message-header="From: Haag Johann <johann.haag@fhstp.ac.at>" -o reply-to="Haag Johann <johann.haag@fhstp.ac.at>"

-o message-file=email_haag.html -a noten.pdf

● Sender of E-Mails can be easily spoofed– Check the Sender Policy Framework (SPF) entry!

● Often used for Spam – normally no impact on SSSM

E-Mail Spoofing

Caller IDSpoofing

VOIP

● Business phone services mostly use VOIP to manage calls● Own phone service within business

– Open source Private Branch Exchange (PBX) (e.g. Asterix) can be used

– Direct inward dialing (DID) assigns every VOIP phone an individual phone number within a PBX

● VOIP made access to the phone network cheap and available for everyone

VOIP (Business)

Business

PBX

Phone1

PhoneX

Phone1

Phone2

Phone3

01555888-0

01555888-0

PSTN01555888-2

01555888-1

01555888-3

Business

PBX

Phone1

PhoneX

Phone1

Phone2

Phone3

01555888-0

01555777-7

PSTN01555888-2

01555888-1

01555888-3

01555888-3

There is one Problem ...

https://shubs.io/how-i-bypassed-2-factor-authentication-on-google-yahoo-linkedin-and-many-others/

● Enter phone number of the victim● Request voice call

– At the same time, call the victim so that the automated call gets redirected to the Voicemail

● Spoof Caller ID to access victims mailbox● Profit

Exploit Flow

Another Password Reset Vulnerability

● 26/09/2016 – Initial report● 28/09/2016 – Response (won't fix)● 28/09/2016 – Provided additional context due to the criticality of

the issue● 04/10/2016 – Accepted the issue – rolling out a fix● 04/11/2016 – FIXED

Reporting Timeline

What about Austrian Mobile Network

Operators ?

● A1 – Not vulnerable– Bob

– Yess

● DREI - Not vulnerable● T-Mobile - Vulnerable

– Telering

– HOT

– S-Budget

Voicemail Issues in Austria - TESTED

● T-Mobile Austria GmbH ATK Telekom und Service GmbH Allianz SIM● T-Mobile Austria GmbH AVIDO Telekommunikationsmanagement GmbH Avido● T-Mobile Austria GmbH DIALOG telekom GmbH & Co KG dialog● T-Mobile Austria GmbH HoT Telekom und Service GmbH HoT● T-Mobile Austria GmbH LTK Telekom und Service GmbH LIWEST Mobil● T-Mobile Austria GmbH Mundio Limited Delight mobile● T-Mobile Austria GmbH Mundio Mobile Austria Limited Vectone● T-Mobile Austria GmbH Russmedia IT GmbH VOLmobile● T-Mobile Austria GmbH Tele2 Telecommunication GmbH Tele2 Mobile● T-Mobile Austria GmbH T-Mobile Austria GmbH T-Mobile● T-Mobile Austria GmbH T-Mobile Austria GmbH tele.ring● T-Mobile Austria GmbH T-Mobile Austria GmbH s-budget

T-Mobile Austria GmbH

https://www.rtr.at/de/inf/KBericht2015/K-Bericht_2015.pdf

~ 3.5 mil. user affected

40.50%

28.00%

27.90%

3.60%

Austrian mobile network operators - Q4 2015

A1T-MobileHutchisonOthers

● Set a Voicemail password● Add user interaction before redirecting to Voicemail

– “Press # if you want to hear the security code”

● Configure a long welcome message

Possible Mitigations

● Mobile network security is poor (nothing new)– Voicemail issue is still wide spread

● Automated voice calls are a security risk regarding SSSM● You should be aware, that it is not too hard to spoof your identity

Conclusion

Q&A@slashcrypto

slashcrypto.org for the slides