Sending Out An SMS - Ieee-security

Transcription

Sending out an SMS: Characterizing the Security of the SMS Ecosystem with Public Gateways
Bradley Reaves, Nolen Scaife, Dave Tian, Logan Blue, Patrick Traynor, Kevin R. B. Butler
Florida Institute of Cyber Security (FICS)

SMS Ecosystem
[Diagram: Cell Network, Core, ESME, Gateway, Cloud, SMSC and Web Services; key: Encrypted / Not Encrypted]
- SMS is no longer a simple isolated channel
- It has a broad attack surface
- What is lost when a part of the ecosystem is compromised?

Public Gateway Data
- 380k messages collected from 8 public gateways in 28 countries over 14 months
- These websites advertise themselves as a way to avoid spam or unwanted callers
- We'll divide our analyses into uses and abuses

Ethics
- The paper features an extensive ethics discussion
- The bulk of this data is sent to gateways by institutions, but the data also includes personal messages and PII
- This is already public data, and it is clear to users that this data will always be public
- We cannot and do not attempt to deanonymize, track, identify, exploit, or otherwise use the personal information of any users, and we systematically exclude personal messages

OTP / Verification Codes
[Heatmaps of code digit pairs; axes: first two digits vs. final two digits. Panels: LINE (no leading 0's); WeChat ((rand() << 4) mod 10000); Talk2 (?)]

OTP / Verification
- χ-squared test for random distribution of PINs
- 13 services fail to send a random code each message
[Slide shows an excerpt of the paper: Table V, "The results of our statistical analysis of authentication codes from each service. Some services appear more than once in the data because their messages were split into" (caption truncated), listing p-values, effect sizes and means per service, and the discussion of three services: WeChat's pre-April-2015 codes followed (rand() << 4) mod 10000, a generator with no entropy in the four least significant bits, leaving 625 possible 4-digit codes; Talk2's codes show an extreme lack of entropy with no reproducible explanation; Google resends the same code when a resend is requested, indicating a long code lifetime.]
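As an added example (not from the talk or the paper), the following Python reproduces the kind of chi-square uniformity check the slide applies to harvested verification codes, run here against two constructed code sets: a generator simulating the described (rand() << 4) mod 10000 pattern, and a uniform baseline. The two bucketings (first two digits, as on the heatmap axes, and the low four bits, which exposes the WeChat-style defect), the critical values and all function names are my assumptions, not the authors' analysis.

```python
"""Uniformity audit for 4-digit OTP codes (added example, not the paper's code).

Buckets a sample of codes two ways and compares each against a uniform
expectation with a chi-square statistic. Also reports how many distinct
codes appear, since a small code space or heavy reuse is a defect even
when each digit position looks balanced.
"""
import random
from collections import Counter

# Upper-tail chi-square critical values at p = 0.001 (standard table values).
# Assumption: only the two degrees of freedom used below are needed.
CRITICAL_P001 = {15: 37.70, 99: 148.23}


def weak_codes(n, seed=1):
    """Constructed sample simulating the pre-April-2015 WeChat pattern from
    the slide: (rand() << 4) mod 10000. Every code is a multiple of 16, so
    only 625 distinct 4-digit codes are possible."""
    rng = random.Random(seed)  # seeded only so the stand-alone run repeats
    return [(rng.getrandbits(31) << 4) % 10000 for _ in range(n)]


def uniform_codes(n, seed=1):
    """Constructed baseline where each 4-digit code is equally likely.
    A real OTP generator must use secrets.randbelow(10000); random.Random
    is used here only to keep the demo repeatable."""
    rng = random.Random(seed)
    return [rng.randrange(10000) for _ in range(n)]


def chi_square(codes, bucket, n_buckets):
    """Chi-square statistic of the bucketed codes against a flat distribution."""
    counts = Counter(bucket(c) for c in codes)
    expected = len(codes) / n_buckets
    return sum((counts.get(b, 0) - expected) ** 2 / expected
               for b in range(n_buckets))


def first_two_digits(code):
    return code // 100          # 100 buckets, df = 99


def low_nibble(code):
    return code % 16            # 16 buckets, df = 15


def audit(codes):
    """Returns the statistics and a flag set when either bucketing rejects
    uniformity at p = 0.001 (assumed threshold)."""
    results = {
        "distinct": len(set(codes)),
        "duplicate_fraction": 1 - len(set(codes)) / len(codes),
        "chi2_first_two": chi_square(codes, first_two_digits, 100),
        "chi2_low_nibble": chi_square(codes, low_nibble, 16),
    }
    results["flagged"] = (results["chi2_first_two"] > CRITICAL_P001[99]
                          or results["chi2_low_nibble"] > CRITICAL_P001[15])
    return results


if __name__ == "__main__":
    for name, sample in (("weak", weak_codes(10000)),
                         ("uniform", uniform_codes(10000))):
        print(name, audit(sample))
```

The low-nibble bucketing is the one that catches this particular defect: with every code divisible by 16 the statistic is 15 times the sample size, far past any threshold, while a first-two-digits view alone could look nearly flat. Auditing your own generator this way, on a sample pulled from the same code path that sends to users, is cheap to run and catches both a shrunken code space and code reuse across messages.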

Misuse: PII in SMS
- Password resets
- Usernames and passwords
- Names and addresses
- Credit card numbers
All sent over a channel believed to be secure

Abuse: Spam and Phishing
- 1% of messages were spam
- We identified one long-running SMS phishing campaign
- Malicious SMS activity is a real but relatively small phenomenon
[Slide shows Fig. 7 from the paper: "The page delivered to the user after following a link provided in a phishing SMS. The site refuses any username and password combination provided and displays the error shown in this figure."]
Bradley Reaves, Dave Tian, Logan Blue, Patrick Traynor, and Kevin R. B. Butler, "Detecting SMS spam in the age of legitimate bulk messaging", to appear at WiSec, July 2016

Phone Verified Accounts

Abuse: Geo-Fencing
- Messages to numbers in countries are often viewed outside of those countries.
- Shortened URL services provide country-level statistics.
[Figure: Number Locations vs. URL Clicks]

Abuse: Phone Verified Accounts
- Many of these gateways advertise as a means of evading PVA systems.
- Skew and kurtosis calculations show rapid use when numbers are introduced, followed by rapid decline.
[Figure: Lifetime Midpoint (Early / Late), Peak Sharpness, Activity Peak]

Phone Verified Accounts
Thomas et al. (CCS '14) suggested 3 defenses:
1. Have users reverify often
   - Our numbers have a median life of 20 days
2. Block numbers in low-reputation carriers
   - Most of our numbers are in reputable carriers
3. Block similar numbers
   - 40% of numbers were similar, but only in mobile carriers
PVA evasion is hard to detect or prevent

Takeaways
- Online gateways give us insight into how SMS is used and abused in the modern SMS ecosystem
- Organizations regularly use SMS as a secure channel for sensitive information despite risks of compromise
- Gateway data provides insights into spam, phishing, and phone verified account fraud


Dr.Web 62
ESET 6
Emsisoft 23
Fortinet 31
Google Safebrowsing 15
Kaspersky 3
Malekal 3
Malware Domain Blocklist 20
Malwarebytes hpHosts 1
ParetoLogic 54
Phishtank 1
Quttera 2
SCUMWARE.org 4
Sophos 28
Spam404 3
Sucuri SiteCheck 94
TrendMicro 1
Trustwave 55
Web Security Guard 1
Websense ThreatSeeker 81
Webutation 2
Yandex Safebrowsing 1