Phone Numbers Are Enough to Access User Accounts on Some Mobile Operator Portals
Researcher reveals trivial authentication bypass vulnerability that could allow attackers to make purchases from mobile subscriber accounts
Wed, September 19, 2012
IDG News Service — Attackers could impersonate legitimate mobile users on the Web portals many mobile operators use to sell content and services to their customers because of a security flaw in the sites, according to Bogdan Alecu, an independent security researcher from Romania.
The attacker only needs to know a user's phone number in order to exploit the vulnerability and buy games, ringtones, wallpapers or service subscriptions through the user's account on operators' WAP (Wireless Application Protocol) and Web portals, Alecu said.
The security researcher claims to have discovered the authentication bypass vulnerability in the websites of many mobile operators back in January.
The WAP and Web portals of 20 operators from Romania, Germany, Austria, Italy, France, Poland, the U.K., Brazil and the Netherlands were tested and around 15 of them were found to be vulnerable in one way or another, Alecu said.
The vulnerability stems from the fact that many such websites authenticate users automatically based on special HTTP headers sent by mobile browsers or added by the operator's proxy server when the phone's data connection is used.
Alecu found that he could gain access to another subscriber's online account by forcing his browser to send HTTP headers containing that subscriber's phone number instead of his own. He calls this an HTTP header pollution attack.
To test this attack, the researcher used Mozilla Firefox running on his laptop, because Firefox has extensions that allow sending custom headers and spoofing the user-agent string to masquerade as a mobile browser.
In some cases, for the attack to work, the browser had to be configured to use the mobile operator's proxy server, which is publicly known, before accessing its website, Alecu said.
Sometimes the attack worked using the computer's existing Internet connection. However, in other cases, launching a successful attack required buying a SIM card from the targeted operator, plugging it into a 3G modem and connecting the computer through that.
That's because some operators block access to their portals from IP addresses that are not from their own networks.
However, in the absence of a SIM card, this restriction can be bypassed by connecting through the legacy dial-up services known as Circuit Switched Data (CSD) still offered by some operators, Alecu said. The researcher first connected to a voice-over-IP service that supports caller ID spoofing and then called the operator's dial-up number to get on its network.
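The weakness described above comes down to two design mistakes: the portal trusts a subscriber-identifying header regardless of who delivered it, and the operator proxy merges a client-supplied copy of that header instead of overwriting it. The following is an added illustration of the corresponding countermeasures; it is not code from the article, from Alecu's paper or from any operator. The header name X-Subscriber-MSISDN, the proxy address 10.0.0.5, the phone numbers and the sample requests are all constructed for the example.

```python
"""Defensive handling of a network-injected subscriber header.

Added example, not from the original article. Assumed names:
  - X-Subscriber-MSISDN : the header an operator proxy adds to identify the subscriber
  - 10.0.0.5            : the address of that proxy as seen by the portal
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SUBSCRIBER_HEADER = "X-Subscriber-MSISDN"   # assumed header name; real operators differ
TRUSTED_PROXY_ADDRS = {"10.0.0.5"}          # assumed address of the header-injecting proxy

Headers = List[Tuple[str, str]]            # ordered (name, value) pairs, duplicates allowed


@dataclass
class Request:
    remote_addr: str                         # TCP peer that handed the request to the portal
    headers: Headers = field(default_factory=list)
    session_msisdn: Optional[str] = None     # subscriber proven by an explicit login, if any


def header_values(headers: Headers, name: str) -> List[str]:
    """All values of a header, case-insensitively, so a smuggled second copy is not missed."""
    return [v for n, v in headers if n.lower() == name.lower()]


def proxy_rewrite(client_headers: Headers, authenticated_msisdn: str) -> Headers:
    """What the operator proxy must do before forwarding: drop every client-supplied
    copy of the subscriber header and set exactly one copy from the network-level
    identity of the data session. Merging instead of overwriting is the root flaw."""
    cleaned = [(n, v) for n, v in client_headers if n.lower() != SUBSCRIBER_HEADER.lower()]
    cleaned.append((SUBSCRIBER_HEADER, authenticated_msisdn))
    return cleaned


def resolve_subscriber(req: Request) -> Optional[str]:
    """Portal-side check: which account may this request act on?

    Returns the MSISDN to bind the session to, or None when no trustworthy identity
    exists. The header counts only when the request arrived from the trusted proxy
    and carries a single, unambiguous value; otherwise the portal falls back to an
    explicit login (session_msisdn) rather than to whatever the client claimed.
    """
    values = header_values(req.headers, SUBSCRIBER_HEADER)
    if not values or req.remote_addr not in TRUSTED_PROXY_ADDRS:
        # Absent, or delivered by something other than our proxy: ignore it entirely.
        return req.session_msisdn
    if len(set(values)) != 1:
        # Conflicting copies (one from the client, one from the proxy): refuse to guess.
        return None
    return values[0]


def authorize_purchase(req: Request, billed_msisdn: str) -> bool:
    """Allow charging billed_msisdn only if the request is provably that subscriber's."""
    return resolve_subscriber(req) == billed_msisdn


# --- constructed sample requests ---------------------------------------------------
VICTIM, OWN = "+40700000001", "+40700000002"     # constructed numbers

# Request that passed through the proxy: a single proxy-set header.
via_proxy = Request("10.0.0.5", [("Host", "portal.example"), (SUBSCRIBER_HEADER, OWN)])

# Same header value, but delivered directly from an outside address (TEST-NET-3).
direct = Request("203.0.113.7", [(SUBSCRIBER_HEADER, VICTIM)])

# Proxy that merged instead of overwrote: two different values reach the portal.
merged = Request("10.0.0.5", [(SUBSCRIBER_HEADER, VICTIM), (SUBSCRIBER_HEADER, OWN)])

if __name__ == "__main__":
    print("via proxy  ->", resolve_subscriber(via_proxy))            # +40700000002
    print("direct     ->", resolve_subscriber(direct))               # None
    print("merged     ->", resolve_subscriber(merged))               # None
    print("rewritten  ->", proxy_rewrite(direct.headers, OWN))        # only the proxy's copy
```

The two halves are independent: even if the proxy is fixed to overwrite, the portal should still check the peer address, because a client reaching the portal over an unexpected path (the article mentions dial-up access as one) never passes that proxy at all. An IP allow-list on its own is not the fix; the portal must know which hop vouched for the header.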
What can be done once you gain access to a user's account depends on what kind of services the targeted operator offers on its website, Alecu said.
In addition to buying premium-rate content, some operators offer the ability to recharge a prepaid SIM card from a mobile user's online account. Other operators use separate accounts for such operations that are protected by a username and password.
The portal of a mobile operator from China even allowed users to perform online banking transactions if they had a particular service enabled, the researcher said. That was probably the result of a partnership between the operator and a number of banks.
Another issue is that while some operators notify users of purchases made from their accounts via SMS, others don't, Alecu said. In the latter situation, users will probably only notice the fraudulent charges at the end of the month, when they appear on their monthly bill.
None of the tests performed while investigating this vulnerability resulted in actual fraud, Alecu said. The researcher claims to have used prepaid SIM cards that he bought from the operators in most of his tests.
However, obtaining prepaid SIM cards for operators from some countries can't easily be done over the Internet and requires a photo ID, Alecu said. In those cases, only the ability to access other accounts was tested, but no actions that could have resulted in those accounts being charged were performed, he said.
The security weakness was reported privately to operators back in March and many of them have already addressed it, Alecu said.
The researcher declined to publicly name any of the affected operators, saying that it's not his intention to discredit them. However, the GSM Association (GSMA), an organization that represents the interests of mobile operators worldwide, was notified and issued a security alert to its members, he said.
"The GSMA was notified of Bogdan Alecu's research in April 2012 by a GSMA member," GSMA spokeswoman Claire Cranton said Monday via email. "Shortly after this (April 20th) the GSMA notified its members of Mr. Alecu's research and provided a copy of his paper with a recommendation that GSMA members check their exposure to the reported vulnerability and we advised that the countermeasures recommended by Mr. Alecu be adopted if the vulnerability was found."
Alecu is satisfied with how promptly most operators handled the issue after being notified. This is in contrast to his experience from last year, when he reported a vulnerability in SIM Toolkits -- special applications programmed on SIM cards -- that he claims remains largely unfixed to this day.
That said, the researcher didn't know how many operators from around the world are still vulnerable to the new attack. For example, Alecu didn't manage to test the websites of any U.S. operators because he had difficulties obtaining prepaid SIM cards from them that had international data roaming enabled.
Not all of the notified operators entirely fixed the problem, Alecu said. For some of them, the dial-up attack method still works.
In addition, many operators have partnerships with third-party content providers and this attack might still work on the websites of those partners, he said.
Alecu presented his discovery in detail at the EUSecWest security conference in Amsterdam on Wednesday and hopes that other people will test which operators are affected and report their findings to them. He also advised concerned users to check if their own operators provide an option to disable access to premium-rate content.