SlideShare uma empresa Scribd logo

Eecs 2013-18

Hai Nguyen
Hai Nguyen
Tecnologia
1 de 7
Baixar para ler offline
Man-in-the-Middle Attack on T-Mobile Wi-Fi Calling Jethro Beekman Christopher Thompson Electrical Engineering and Computer Sciences University of California at Berkeley Technical Report No. UCB/EECS-2013-18 http://www.eecs.berkeley.edu/Pubs/TechRpts/2013/EECS-2013-18.html March 19, 2013
Copyright © 2013, by the author(s). All rights reserved. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission.
1 Man-in-the-Middle Attack on T-Mobile Wi-Fi Calling Jethro Beekman and Christopher Thompson Electrical Engineering and Computer Sciences University of California, Berkeley jbeekman@eecs.berkeley.edu, cthompson@cs.berkeley.edu Abstract T-Mobile has a service called “Wi-Fi Calling”, which lets users make and receive calls even when without cellular service. This service is pre-installed on millions of T- Mobile Android smartphones. We analyze the security aspects of this service from a network perspective, and demonstrate a man-in-the-middle attack caused by a lack of TLS certificate validation, allowing an attacker to eavesdrop and even modify calls and text messages placed using the Wi-Fi Calling feature. We have worked with T-Mobile to fix this issue, and, as of 18 March 2013, they report that all affected customers have received an update fixing this vulnerability. I. EXPERIMENTAL SETUP In order to analyze T-Mobile’s Wi-Fi calling system, we used the setup shown in Figure 1. A Wi-Fi calling enabled phone P is configured to use access point AP. AP does not have any wired connections and just acts as a wireless network switch. Another machine M connected to the same network is configured as a DHCP server and NAT router. This allows us record and control all Internet traffic to and from P. We captured several Wi-Fi calling sessions. During our experiments, all traffic on both network interfaces was captured using libpcap. Any TLS connections were intercepted by sslsniff [1] running on M. sslsniff hijacks a TLS connection request, connects to the remote endpoint itself and generates a certificate based on what it receives from that endpoint. The certificate is signed with any certificate we specify and subsequently sent back to the client. We modified sslsniff to output the master-secret and client-random parameters of all established connections so that the TLS traffic in our packet traces could be decrypted. This allowed us to see how TLS-encrypted messages relate chronologically to other packets. II. NETWORK ANALYSIS When first enabling Wi-Fi, the DNS conversation in Appendix A takes place, requesting a chain of information about wifi.msg.pc.t-mobile.com. Then, a TLS connection is established to the host and port returned by DNS. These are sba.sipgeo.t-mobile.com and 5061, which is the port number assigned by IANA for SIP-TLS. AP MP S Fig. 1. Wireless man-in-the-middle setup. (P) Phone. (AP) Access point. (M) Man-in-the-middle. (S) Service provider.
2 1) s:/C=US/ST=WA/L=Bellevue/O=Engineering/CN=IP i:/C=US/O=T-Mobile USA, Inc./CN=T-Mobile USA, Inc. IP Access Nano 3G CA 2) s:/C=US/O=T-Mobile USA, Inc./CN=T-Mobile USA, Inc. IP Access Nano 3G CA i:/C=US/O=T-Mobile USA, Inc./CN=T-Mobile USA, Inc. Root CA 3) s:/C=US/O=T-Mobile USA, Inc./CN=T-Mobile USA, Inc. Root CA i:/C=US/O=T-Mobile USA, Inc./CN=T-Mobile USA, Inc. Root CA Fig. 2. Certificate chain of sba.sipgeo.t-mobile.com:5061. The certificate chain returned by T-Mobile’s server is shown in Figure 2. Two things stand out: first, the common name of the first certificate is simply the IP address of the server; second, the self-signed root certificate is not included in standard Certificate Authority (CA) distributions. In fact, searching the web for the exact common name of the root yielded barely any results. This can meant that the root certificate was either built-in to T-Mobile’s client software, or they did not implement certificate validation correctly. In fact, the client does not seem to have any problems with sslsniff intercepting the connection, making us conclude the latter. Analysis of the binaries confirmed that there was no trace of the root certificate. As hinted at by the DNS records and the port number, a SIP [2] dialog is initiated when the TLS connection is established. The client identifies itself using its phone number, IMEI (International Mobile station Equipment Identity) and IMSI (International Mobile Subscriber Identity); see Appendix B for the full message. Further messages follow normal SIP behavior. For example, an INVITE message including the SDP [3] body is outlined in Appendix C, which includes the encryption key that will be used for the SRTP [4] connection. Using the decrypted SIP dialog, an attacker is now able to record all incoming and outgoing calls and text messages (collectively “SIP traffic”). He could record, block and reroute SIP traffic. The attacker could change it by faking a sender or changing the real-time voice data or message content. He could fake incoming traffic and he can impersonate the client with forged outgoing traffic. We verified the ability to record outgoing calls and incoming and outgoing text messages. We also verified the ability to change the destination phone number on outgoing calls by modifying sslsniff to change all occurrences of <sip:dest-phone#@msg.pc.t-mobile.com>, replacing a single target phone number by a different one. III. SOFTWARE ANALYSIS T-Mobile has open-sourced most of its Android IMS stack [5]. By exploring the source code, we found two vulnerable components in categories that Fahl et al. [6] have previously identified. TlsSocketFactory creates a TLS socket and assigns the TestTrustManager to check the validity of certificates. Figure 3 shows a shortened version of the function that verifies the certificates. Note that it does not use an API to extract the common name from the distinguished name and that the only check is whether the common name is in a set of allowed IP addresses. This set was previously initialized with the IP address of the remote endpoint. public void checkServerTrusted(X509Certificate[] chain) throws CertificateException { String name = chain[0].getSubjectDN().getName(); String address = name.replaceFirst("CN=", "").replaceFirst(",.*", ""); if (!getAllowedRemoteAddresses().contains(address)) throw new CertificateException("Wrong certificate subject"); } Fig. 3. Implementation of TestTrustManager::checkServerTrusted, which checks the validity of a TLS certificate.
3 IV. SCOPE In order to execute man-in-the-middle attacks, an attacker must be on the path of the target network traffic. If they are not already on the path, there are techniques for influencing the path to include the attacker. With ARP spoofing [7] the attacker tricks hosts into believing the attacker’s network interface has the router’s IP address. Obviously, the attacker can only use this if they are on an on-path network. If the attacker is not, they can use DNS cache poisoning [8], in which they trick a caching DNS resolver to cache an invalid address record for the service they want to attack. Other clients using this same resolver will now receive the malicious record when connecting to this service and will connect to the attacker instead. Man-in-the-middle attacks would not be as threatening if not for the proliferation of wireless technolo- gies such as Wireless LAN (802.11)—exactly the technology that Wi-Fi calling advertises in its name. In wireless networks, an attacker no longer needs physical access to invade a network. If an attacker can connect to the network they can try ARP spoofing. Or, if the attacker knows the network parameters, they can employ the ‘Evil Twin’ attack, in which they imitate a legitimate network and trick users into connecting to that network instead. Dai Zovi and Macaulay [9] demonstrated an extended version of this attack exploiting bugs in automatic network selection algorithms in common operating systems. Not all versions of T-Mobile Wi-Fi calling are necessarily vulnerable. According to T-Mobile’s website, the IMS stack is used on the Samsung Galaxy S II, HTC Amaze 4G, myTouch and myTouch Q. The authors have tested the attack on a Samsung Galaxy S Relay 4G and a Samsung Galaxy Note 2. It is likely that other modern T-Mobile Samsung Galaxy products are also vulnerable. Users of T-Mobile Wi-Fi calling for Business might not be vulnerable, since it uses GAN, not IMS technology [10]. V. PATCH AND UPDATES In December 2012, we notified T-Mobile of this vulnerability. Over the past months, they added proper certificate validation to the T-Mobile Wi-Fi Calling feature, so that it validates the identity of the remote endpoint using their self-signed root CA. As of 18 March 2013, T-Mobile reports that they have been able to push an update with this patch to all affected customers. We have independently verified that the update pushed to T-Mobile Android phones successfully prevents this attack. REFERENCES [1] M. Marlinspike, “sslsniff.” [Online]. Available: http://www.thoughtcrime.org/software/sslsniff/ [2] “SIP: Session Initiation Protocol,” IETF RFC 3261, June 2002. [Online]. Available: https://tools.ietf.org/html/rfc3261 [3] “SDP: Session Description Protocol,” IETF RFC 4566, July 2006. [Online]. Available: https://tools.ietf.org/html/rfc4566 [4] “The Secure Real-time Transport Protocol (SRTP),” IETF RFC 3711, March 2004. [Online]. Available: https://tools.ietf.org/html/rfc3711 [5] T-Mobile USA, Inc., “The IMS project for android.” [Online]. Available: https://code.google.com/p/the-ims-open-source-project-for- android/ [6] S. Fahl, M. Harbach, T. Muders, L. Baumg¨artner, B. Freisleben, and M. Smith, “Why Eve and Mallory love Android: an analysis of Android SSL (in)security,” in Proceedings of the ACM conference on Computer and communications security, 2012, pp. 50–61. [7] R. Siles. (2003) Real World ARP Spoofing. SANS. [Online]. Available: http://pen-testing.sans.org/resources/papers/gcih/real-world- arp-spoofing-105411 [8] S. M. Bellovin, “Using the domain name system for system break-ins,” in Proceedings of the 5th conference on USENIX UNIX Security Symposium, 1995. [9] D. A. Dai Zovi and S. A. Macaulay, “Attacking automatic wireless network selection,” in Proceedings from the 6th Annual IEEE SMC Information Assurance Workshop, June 2005, pp. 365–372. [10] Cisco Systems, Inc. (2010) T-Mobile Wi-Fi Calling for Business with Cisco Unified Wireless Network. Cisco Partner Solution Profile. [Online]. Available: http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns828/c22-638810-00 tMob sBrief.pdf APPENDIX A. Initial DNS conversation from Wi-Fi calling client > NAPTR wifi.msg.pc.t-mobile.com < NAPTR 100 10 S SIPS+D2T _sips._tcp.sba.sip.t-mobile.com
4 > SRV _sips._tcp.sba.sip.t-mobile.com < SRV 10 10 5061 sba.sipgeo.t-mobile.com > A sba.sipgeo.t-mobile.com < A <IP> > PTR <reverse(IP)>.in-addr.arpa < PTR m<hex(IP)>.tmodns.net B. Initial REGISTER message from Wi-Fi calling client REGISTER sip:msg.pc.t-mobile.com SIP/2.0 To: <sip:src-phone#@msg.pc.t-mobile.com> Max-Forwards: 70 Supported: 100rel, eventlist User-Agent: T-mobile TAS P-Last-Access-Network-Info: 3GPP-UTRAN-TDD; utran-cell-id-3gpp=ID#1 P-Access-Network-Info: IEEE-802.11; i-wlan-node-id=ID#2 P-Preferred-Identity: sip:src-phone#@msg.pc.t-mobile.com Call-ID: UUID#1@src-IP From: <sip:src-phone#@msg.pc.t-mobile.com>;tag=UUID#2 CSeq: 1 REGISTER Content-Length: 0 Via: SIP/2.0/TLS src-IP:src-port;branch=UUID#3 Contact: <sip:src-phone#@src-IP:src-port;transport=TLS>;expires=3600; reg-id=1;+sip.instance="<urn:gsma:imei:IMEI;svn=00>"; +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"; +g.3gpp.smsip; +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.e-location" Authorization: Digest username="IMSI@msg.pc.t-mobile.com", realm="msg.pc.t-mobile.com", nonce="", uri="sip:msg.pc.t-mobile.com", response="", algorithm=AKAv1-MD5 Privacy: none C. INVITE message for call originating from Wi-Fi calling client INVITE sip:dest-phone#@msg.pc.t-mobile.com;user=phone SIP/2.0 To: <sip:dest-phone#@msg.pc.t-mobile.com> Max-Forwards: 70 Supported: 100rel User-Agent: T-mobile TAS P-Early-Media: supported P-Last-Access-Network-Info: 3GPP-UTRAN-TDD; utran-cell-id-3gpp=ID#1 P-Access-Network-Info: IEEE-802.11; i-wlan-node-id=ID#2 Call-ID: UUID#1@src-IP From: <sip:src-phone#@msg.pc.t-mobile.com>;tag=UUID#2 CSeq: 1 INVITE Content-Length: size Via: SIP/2.0/TLS src-IP:src-port;branch=UUID#3 Contact: <sip:src-phone#@src-IP:src-port;transport=TLS>; +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel";
5 +sip.instance="<urn:gsma:imei:IMEI;svn=00>" Allow: INVITE, CANCEL, ACK, OPTIONS, BYE, PRACK, UPDATE, NOTIFY, REFER, MESSAGE Accept-Contact: *; +g.3gpp.icsi_ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"; +g.3gpp.smsip Content-Type: application/sdp v=0 o=- session-ID 1 IN IP4 src-IP s=- t=0 0 m=audio src-port RTP/SAVP 0 i=StreamMediaAudio c=IN IP4 src-IP a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:base64-encoded key (16B) and salt (14B) a=rtpmap:0 PCMU/8000 a=sendrecv

Recomendados

Proposed Methods of IP Spoofing Detection & Prevention
Proposed Methods of IP Spoofing Detection & Prevention Proposed Methods of IP Spoofing Detection & Prevention
Proposed Methods of IP Spoofing Detection & Prevention International Journal of Science and Research (IJSR)
 
Ip spoofing attacks
Ip spoofing attacksIp spoofing attacks
Ip spoofing attacksApijay Kumar
 
Askozia VoIP Security white paper - 2017, English
Askozia VoIP Security white paper - 2017, EnglishAskozia VoIP Security white paper - 2017, English
Askozia VoIP Security white paper - 2017, EnglishAskozia
 
Network Security and Spoofing Attacks
Network Security and Spoofing AttacksNetwork Security and Spoofing Attacks
Network Security and Spoofing AttacksPECB
 
A017510102
A017510102A017510102
A017510102IOSR Journals
 
Spoofing
SpoofingSpoofing
SpoofingGreater Noida Institute Of Technology
 
Afcea 4 internet networks
Afcea 4 internet networksAfcea 4 internet networks
Afcea 4 internet networksPaul Strassmann
 
I P S P O O F I N G
I P S P O O F I N GI P S P O O F I N G
I P S P O O F I N Gavinashkanchan
 

Recomendados

Proposed Methods of IP Spoofing Detection & Prevention
Proposed Methods of IP Spoofing Detection & Prevention Proposed Methods of IP Spoofing Detection & Prevention
Proposed Methods of IP Spoofing Detection & Prevention International Journal of Science and Research (IJSR)
 
Ip spoofing attacks
Ip spoofing attacksIp spoofing attacks
Ip spoofing attacksApijay Kumar
 
Askozia VoIP Security white paper - 2017, English
Askozia VoIP Security white paper - 2017, EnglishAskozia VoIP Security white paper - 2017, English
Askozia VoIP Security white paper - 2017, EnglishAskozia
 
Network Security and Spoofing Attacks
Network Security and Spoofing AttacksNetwork Security and Spoofing Attacks
Network Security and Spoofing AttacksPECB
 
A017510102
A017510102A017510102
A017510102IOSR Journals
 
Spoofing
SpoofingSpoofing
SpoofingGreater Noida Institute Of Technology
 
Afcea 4 internet networks
Afcea 4 internet networksAfcea 4 internet networks
Afcea 4 internet networksPaul Strassmann
 
I P S P O O F I N G
I P S P O O F I N GI P S P O O F I N G
I P S P O O F I N Gavinashkanchan
 
Ip spoofing & types of attachs using it
Ip spoofing & types of attachs using itIp spoofing & types of attachs using it
Ip spoofing & types of attachs using itRajesh Porwal
 
IRJET- Wireless LAN Intrusion Detection and Prevention System for Malicious A...
IRJET- Wireless LAN Intrusion Detection and Prevention System for Malicious A...IRJET- Wireless LAN Intrusion Detection and Prevention System for Malicious A...
IRJET- Wireless LAN Intrusion Detection and Prevention System for Malicious A...IRJET Journal
 
Spoofing attack: Learn about Email spoofing, IP address spoofing and many other
Spoofing attack: Learn about Email spoofing, IP address spoofing and many otherSpoofing attack: Learn about Email spoofing, IP address spoofing and many other
Spoofing attack: Learn about Email spoofing, IP address spoofing and many otherPankaj Dubey
 
1, prevalent network threats and telecommunication security challenges and co...
1, prevalent network threats and telecommunication security challenges and co...1, prevalent network threats and telecommunication security challenges and co...
1, prevalent network threats and telecommunication security challenges and co...Alexander Decker
 
V3I6-0108
V3I6-0108V3I6-0108
V3I6-0108Bhavana Sahni
 
WebRTC: Why and How?
WebRTC: Why and How?WebRTC: Why and How?
WebRTC: Why and How?stefansayer
 
ip spoofing
ip spoofingip spoofing
ip spoofingvipin soni
 
Fortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_IntroductionFortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_Introductionswang2010
 
All you know about Botnet
All you know about BotnetAll you know about Botnet
All you know about BotnetNaveen Titare
 
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks PROIDEA
 
Linked in researchpaper
Linked in researchpaperLinked in researchpaper
Linked in researchpaperJuanRios179
 
ip spoofing
ip spoofingip spoofing
ip spoofingmohan babu
 
Ip Spoofing
Ip SpoofingIp Spoofing
Ip Spoofingarpit.arp
 
IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...
IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...
IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...IRJET Journal
 
Ip spoofing ppt
Ip spoofing pptIp spoofing ppt
Ip spoofing pptAnushakp9
 
TCP Vulnerabilities
TCP VulnerabilitiesTCP Vulnerabilities
TCP VulnerabilitiesPrakhar Bansal
 
Wi-Fi Direct P2P Messenger-Browser App
Wi-Fi Direct P2P Messenger-Browser AppWi-Fi Direct P2P Messenger-Browser App
Wi-Fi Direct P2P Messenger-Browser AppAnand Sekar
 
IRJET- Security from Man-In-The-Middle-Attack
IRJET- Security from Man-In-The-Middle-AttackIRJET- Security from Man-In-The-Middle-Attack
IRJET- Security from Man-In-The-Middle-AttackIRJET Journal
 
Detection of Session Hijacking and IP Spoofing Using Sensor Nodes and Cryptog...
Detection of Session Hijacking and IP Spoofing Using Sensor Nodes and Cryptog...Detection of Session Hijacking and IP Spoofing Using Sensor Nodes and Cryptog...
Detection of Session Hijacking and IP Spoofing Using Sensor Nodes and Cryptog...IOSR Journals
 
Advanced routing worm and its security challenges
Advanced routing worm and its security challengesAdvanced routing worm and its security challenges
Advanced routing worm and its security challengesUltraUploader
 
Defcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaDefcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaHai Nguyen
 
Thornton e authentication guidance
Thornton e authentication guidanceThornton e authentication guidance
Thornton e authentication guidanceHai Nguyen
 

Mais conteúdo relacionado

Mais procurados

Ip spoofing & types of attachs using it
Ip spoofing & types of attachs using itIp spoofing & types of attachs using it
Ip spoofing & types of attachs using itRajesh Porwal
 
IRJET- Wireless LAN Intrusion Detection and Prevention System for Malicious A...
IRJET- Wireless LAN Intrusion Detection and Prevention System for Malicious A...IRJET- Wireless LAN Intrusion Detection and Prevention System for Malicious A...
IRJET- Wireless LAN Intrusion Detection and Prevention System for Malicious A...IRJET Journal
 
Spoofing attack: Learn about Email spoofing, IP address spoofing and many other
Spoofing attack: Learn about Email spoofing, IP address spoofing and many otherSpoofing attack: Learn about Email spoofing, IP address spoofing and many other
Spoofing attack: Learn about Email spoofing, IP address spoofing and many otherPankaj Dubey
 
1, prevalent network threats and telecommunication security challenges and co...
1, prevalent network threats and telecommunication security challenges and co...1, prevalent network threats and telecommunication security challenges and co...
1, prevalent network threats and telecommunication security challenges and co...Alexander Decker
 
WebRTC: Why and How?
WebRTC: Why and How?WebRTC: Why and How?
WebRTC: Why and How?stefansayer
 
Fortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_IntroductionFortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_Introductionswang2010
 
All you know about Botnet
All you know about BotnetAll you know about Botnet
All you know about BotnetNaveen Titare
 
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks PROIDEA
 
Linked in researchpaper
Linked in researchpaperLinked in researchpaper
Linked in researchpaperJuanRios179
 
IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...
IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...
IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...IRJET Journal
 
Ip spoofing ppt
Ip spoofing pptIp spoofing ppt
Ip spoofing pptAnushakp9
 
Wi-Fi Direct P2P Messenger-Browser App
Wi-Fi Direct P2P Messenger-Browser AppWi-Fi Direct P2P Messenger-Browser App
Wi-Fi Direct P2P Messenger-Browser AppAnand Sekar
 
IRJET- Security from Man-In-The-Middle-Attack
IRJET- Security from Man-In-The-Middle-AttackIRJET- Security from Man-In-The-Middle-Attack
IRJET- Security from Man-In-The-Middle-AttackIRJET Journal
 
Detection of Session Hijacking and IP Spoofing Using Sensor Nodes and Cryptog...
Detection of Session Hijacking and IP Spoofing Using Sensor Nodes and Cryptog...Detection of Session Hijacking and IP Spoofing Using Sensor Nodes and Cryptog...
Detection of Session Hijacking and IP Spoofing Using Sensor Nodes and Cryptog...IOSR Journals
 
Advanced routing worm and its security challenges
Advanced routing worm and its security challengesAdvanced routing worm and its security challenges
Advanced routing worm and its security challengesUltraUploader
 

Mais procurados (20)

Ip spoofing & types of attachs using it
Ip spoofing & types of attachs using itIp spoofing & types of attachs using it
Ip spoofing & types of attachs using it
 
IRJET- Wireless LAN Intrusion Detection and Prevention System for Malicious A...
IRJET- Wireless LAN Intrusion Detection and Prevention System for Malicious A...IRJET- Wireless LAN Intrusion Detection and Prevention System for Malicious A...
IRJET- Wireless LAN Intrusion Detection and Prevention System for Malicious A...
 
Spoofing attack: Learn about Email spoofing, IP address spoofing and many other
Spoofing attack: Learn about Email spoofing, IP address spoofing and many otherSpoofing attack: Learn about Email spoofing, IP address spoofing and many other
Spoofing attack: Learn about Email spoofing, IP address spoofing and many other
 
1, prevalent network threats and telecommunication security challenges and co...
1, prevalent network threats and telecommunication security challenges and co...1, prevalent network threats and telecommunication security challenges and co...
1, prevalent network threats and telecommunication security challenges and co...
 
V3I6-0108
V3I6-0108V3I6-0108
V3I6-0108
 
WebRTC: Why and How?
WebRTC: Why and How?WebRTC: Why and How?
WebRTC: Why and How?
 
ip spoofing
ip spoofingip spoofing
ip spoofing
 
Fortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_IntroductionFortinet_FortiDDoS_Introduction
Fortinet_FortiDDoS_Introduction
 
All you know about Botnet
All you know about BotnetAll you know about Botnet
All you know about Botnet
 
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
 
Linked in researchpaper
Linked in researchpaperLinked in researchpaper
Linked in researchpaper
 
ip spoofing
ip spoofingip spoofing
ip spoofing
 
Ip Spoofing
Ip SpoofingIp Spoofing
Ip Spoofing
 
IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...
IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...
IRJET- Detection of Spoofing and Jamming Attacks in Wireless Smart Grid Netwo...
 
Ip spoofing ppt
Ip spoofing pptIp spoofing ppt
Ip spoofing ppt
 
TCP Vulnerabilities
TCP VulnerabilitiesTCP Vulnerabilities
TCP Vulnerabilities
 
Wi-Fi Direct P2P Messenger-Browser App
Wi-Fi Direct P2P Messenger-Browser AppWi-Fi Direct P2P Messenger-Browser App
Wi-Fi Direct P2P Messenger-Browser App
 
IRJET- Security from Man-In-The-Middle-Attack
IRJET- Security from Man-In-The-Middle-AttackIRJET- Security from Man-In-The-Middle-Attack
IRJET- Security from Man-In-The-Middle-Attack
 
Detection of Session Hijacking and IP Spoofing Using Sensor Nodes and Cryptog...
Detection of Session Hijacking and IP Spoofing Using Sensor Nodes and Cryptog...Detection of Session Hijacking and IP Spoofing Using Sensor Nodes and Cryptog...
Detection of Session Hijacking and IP Spoofing Using Sensor Nodes and Cryptog...
 
Advanced routing worm and its security challenges
Advanced routing worm and its security challengesAdvanced routing worm and its security challenges
Advanced routing worm and its security challenges
 

Destaque

Defcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaDefcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaHai Nguyen
 
Thornton e authentication guidance
Thornton e authentication guidanceThornton e authentication guidance
Thornton e authentication guidanceHai Nguyen
 
B com 2014 | Autorevolezza e processo di relazione nel percorso verso l'e-com...
B com 2014 | Autorevolezza e processo di relazione nel percorso verso l'e-com...B com 2014 | Autorevolezza e processo di relazione nel percorso verso l'e-com...
B com 2014 | Autorevolezza e processo di relazione nel percorso verso l'e-com...B com Expo | GL events Italia
 
Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Privacypreservingauthenticationbiometrics 100228075830-phpapp02Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Privacypreservingauthenticationbiometrics 100228075830-phpapp02Hai Nguyen
 
Bullhorn slideshare
Bullhorn slideshareBullhorn slideshare
Bullhorn slideshareConor Doyle
 
Jamie Rentoul, Department of Health, CfWI Annual Conference 2013
Jamie Rentoul, Department of Health, CfWI Annual Conference 2013Jamie Rentoul, Department of Health, CfWI Annual Conference 2013
Jamie Rentoul, Department of Health, CfWI Annual Conference 2013C4WI
 
Rethinking workforce planning
Rethinking workforce planningRethinking workforce planning
Rethinking workforce planningC4WI
 

Destaque (8)

Defcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaDefcon 16-pilosov-kapela
Defcon 16-pilosov-kapela
 
Thornton e authentication guidance
Thornton e authentication guidanceThornton e authentication guidance
Thornton e authentication guidance
 
B com 2014 | Autorevolezza e processo di relazione nel percorso verso l'e-com...
B com 2014 | Autorevolezza e processo di relazione nel percorso verso l'e-com...B com 2014 | Autorevolezza e processo di relazione nel percorso verso l'e-com...
B com 2014 | Autorevolezza e processo di relazione nel percorso verso l'e-com...
 
Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Privacypreservingauthenticationbiometrics 100228075830-phpapp02Privacypreservingauthenticationbiometrics 100228075830-phpapp02
Privacypreservingauthenticationbiometrics 100228075830-phpapp02
 
Bullhorn slideshare
Bullhorn slideshareBullhorn slideshare
Bullhorn slideshare
 
Mystery
MysteryMystery
Mystery
 
Jamie Rentoul, Department of Health, CfWI Annual Conference 2013
Jamie Rentoul, Department of Health, CfWI Annual Conference 2013Jamie Rentoul, Department of Health, CfWI Annual Conference 2013
Jamie Rentoul, Department of Health, CfWI Annual Conference 2013
 
Rethinking workforce planning
Rethinking workforce planningRethinking workforce planning
Rethinking workforce planning
 

Semelhante a Eecs 2013-18

A Deeper Look into Network Traffic Analysis using Wireshark.pdf
A Deeper Look into Network Traffic Analysis using Wireshark.pdfA Deeper Look into Network Traffic Analysis using Wireshark.pdf
A Deeper Look into Network Traffic Analysis using Wireshark.pdfJessica Thompson
 
PROTOCOL ANALYSIS TO PREVENT STORM ATTACKS IN 3G MOBILE NETWORKS
PROTOCOL ANALYSIS TO PREVENT STORM ATTACKS IN 3G MOBILE NETWORKSPROTOCOL ANALYSIS TO PREVENT STORM ATTACKS IN 3G MOBILE NETWORKS
PROTOCOL ANALYSIS TO PREVENT STORM ATTACKS IN 3G MOBILE NETWORKSIJSRD
 
Impact of Flash Crowd Attack in Online Retail Applications
Impact of Flash Crowd Attack in Online Retail ApplicationsImpact of Flash Crowd Attack in Online Retail Applications
Impact of Flash Crowd Attack in Online Retail ApplicationsIJEACS
 
Meletis Belsis - Wireless Security: Common Protocols and Vulnerabilities
Meletis Belsis - Wireless Security: Common Protocols and VulnerabilitiesMeletis Belsis - Wireless Security: Common Protocols and Vulnerabilities
Meletis Belsis - Wireless Security: Common Protocols and VulnerabilitiesMeletis Belsis MPhil/MRes/BSc
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
De-Authentication attack on wireless network 802.11i using Kali Linux
De-Authentication attack on wireless network 802.11i using Kali LinuxDe-Authentication attack on wireless network 802.11i using Kali Linux
De-Authentication attack on wireless network 802.11i using Kali LinuxIRJET Journal
 
GSM Security 101 by Sushil Singh and Dheeraj Verma
GSM Security 101 by Sushil Singh and Dheeraj VermaGSM Security 101 by Sushil Singh and Dheeraj Verma
GSM Security 101 by Sushil Singh and Dheeraj VermaOWASP Delhi
 
Seminar on Voip Challenges and Countermeasures
Seminar on Voip Challenges and Countermeasures Seminar on Voip Challenges and Countermeasures
Seminar on Voip Challenges and Countermeasures Deepak Mishra
 
Efficient packet marking for large scale ip trace back(synopsis)
Efficient packet marking for large scale ip trace back(synopsis)Efficient packet marking for large scale ip trace back(synopsis)
Efficient packet marking for large scale ip trace back(synopsis)Mumbai Academisc
 
Network Security & Attacks
Network Security & AttacksNetwork Security & Attacks
Network Security & AttacksNetwax Lab
 
Cellular wireless network security
Cellular wireless network securityCellular wireless network security
Cellular wireless network securityAnkit Anand
 
IRJET- A Survey on DDOS Attack in Manet
IRJET- A Survey on DDOS Attack in ManetIRJET- A Survey on DDOS Attack in Manet
IRJET- A Survey on DDOS Attack in ManetIRJET Journal
 
WLAN Penetration Examination of The University of Pembangunan Panca Budi
WLAN Penetration Examination of The University of Pembangunan Panca BudiWLAN Penetration Examination of The University of Pembangunan Panca Budi
WLAN Penetration Examination of The University of Pembangunan Panca BudiUniversitas Pembangunan Panca Budi
 
6 Steps to SIP trunking security
6 Steps to SIP trunking security6 Steps to SIP trunking security
6 Steps to SIP trunking securityFlowroute
 
SecurityGen-VoLTE-article-What's-wrong-with-fast-VoLTE-deployments.pdf
SecurityGen-VoLTE-article-What's-wrong-with-fast-VoLTE-deployments.pdfSecurityGen-VoLTE-article-What's-wrong-with-fast-VoLTE-deployments.pdf
SecurityGen-VoLTE-article-What's-wrong-with-fast-VoLTE-deployments.pdfSecurity Gen
 
Security Analysis and Improvement for IEEE 802.11i
Security Analysis and Improvement for IEEE 802.11iSecurity Analysis and Improvement for IEEE 802.11i
Security Analysis and Improvement for IEEE 802.11iinventionjournals
 
New Malicious Attacks on Mobile Banking Applications
New Malicious Attacks on Mobile Banking ApplicationsNew Malicious Attacks on Mobile Banking Applications
New Malicious Attacks on Mobile Banking ApplicationsDR.P.S.JAGADEESH KUMAR
 
Telecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenesTelecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenesPositiveTechnologies
 

Semelhante a Eecs 2013-18 (20)

A Deeper Look into Network Traffic Analysis using Wireshark.pdf
A Deeper Look into Network Traffic Analysis using Wireshark.pdfA Deeper Look into Network Traffic Analysis using Wireshark.pdf
A Deeper Look into Network Traffic Analysis using Wireshark.pdf
 
PROTOCOL ANALYSIS TO PREVENT STORM ATTACKS IN 3G MOBILE NETWORKS
PROTOCOL ANALYSIS TO PREVENT STORM ATTACKS IN 3G MOBILE NETWORKSPROTOCOL ANALYSIS TO PREVENT STORM ATTACKS IN 3G MOBILE NETWORKS
PROTOCOL ANALYSIS TO PREVENT STORM ATTACKS IN 3G MOBILE NETWORKS
 
Impact of Flash Crowd Attack in Online Retail Applications
Impact of Flash Crowd Attack in Online Retail ApplicationsImpact of Flash Crowd Attack in Online Retail Applications
Impact of Flash Crowd Attack in Online Retail Applications
 
Public wifi
Public wifiPublic wifi
Public wifi
 
Meletis Belsis - Wireless Security: Common Protocols and Vulnerabilities
Meletis Belsis - Wireless Security: Common Protocols and VulnerabilitiesMeletis Belsis - Wireless Security: Common Protocols and Vulnerabilities
Meletis Belsis - Wireless Security: Common Protocols and Vulnerabilities
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 
De-Authentication attack on wireless network 802.11i using Kali Linux
De-Authentication attack on wireless network 802.11i using Kali LinuxDe-Authentication attack on wireless network 802.11i using Kali Linux
De-Authentication attack on wireless network 802.11i using Kali Linux
 
GSM Security 101 by Sushil Singh and Dheeraj Verma
GSM Security 101 by Sushil Singh and Dheeraj VermaGSM Security 101 by Sushil Singh and Dheeraj Verma
GSM Security 101 by Sushil Singh and Dheeraj Verma
 
Paper1_Final
Paper1_FinalPaper1_Final
Paper1_Final
 
Seminar on Voip Challenges and Countermeasures
Seminar on Voip Challenges and Countermeasures Seminar on Voip Challenges and Countermeasures
Seminar on Voip Challenges and Countermeasures
 
Efficient packet marking for large scale ip trace back(synopsis)
Efficient packet marking for large scale ip trace back(synopsis)Efficient packet marking for large scale ip trace back(synopsis)
Efficient packet marking for large scale ip trace back(synopsis)
 
Network Security & Attacks
Network Security & AttacksNetwork Security & Attacks
Network Security & Attacks
 
Cellular wireless network security
Cellular wireless network securityCellular wireless network security
Cellular wireless network security
 
IRJET- A Survey on DDOS Attack in Manet
IRJET- A Survey on DDOS Attack in ManetIRJET- A Survey on DDOS Attack in Manet
IRJET- A Survey on DDOS Attack in Manet
 
WLAN Penetration Examination of The University of Pembangunan Panca Budi
WLAN Penetration Examination of The University of Pembangunan Panca BudiWLAN Penetration Examination of The University of Pembangunan Panca Budi
WLAN Penetration Examination of The University of Pembangunan Panca Budi
 
6 Steps to SIP trunking security
6 Steps to SIP trunking security6 Steps to SIP trunking security
6 Steps to SIP trunking security
 
SecurityGen-VoLTE-article-What's-wrong-with-fast-VoLTE-deployments.pdf
SecurityGen-VoLTE-article-What's-wrong-with-fast-VoLTE-deployments.pdfSecurityGen-VoLTE-article-What's-wrong-with-fast-VoLTE-deployments.pdf
SecurityGen-VoLTE-article-What's-wrong-with-fast-VoLTE-deployments.pdf
 
Security Analysis and Improvement for IEEE 802.11i
Security Analysis and Improvement for IEEE 802.11iSecurity Analysis and Improvement for IEEE 802.11i
Security Analysis and Improvement for IEEE 802.11i
 
New Malicious Attacks on Mobile Banking Applications
New Malicious Attacks on Mobile Banking ApplicationsNew Malicious Attacks on Mobile Banking Applications
New Malicious Attacks on Mobile Banking Applications
 
Telecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenesTelecom incidents investigation: daily work behind the scenes
Telecom incidents investigation: daily work behind the scenes
 

Mais de Hai Nguyen

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailarHai Nguyen
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_faHai Nguyen
 
Scc soft token datasheet
Scc soft token datasheetScc soft token datasheet
Scc soft token datasheetHai Nguyen
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthenticationHai Nguyen
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Hai Nguyen
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_briefHai Nguyen
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 enHai Nguyen
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationHai Nguyen
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseHai Nguyen
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authenticationHai Nguyen
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Hai Nguyen
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheetHai Nguyen
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheetHai Nguyen
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationHai Nguyen
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationxHai Nguyen
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingHai Nguyen
 

Mais de Hai Nguyen (20)

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
Sms based otp
Sms based otpSms based otp
Sms based otp
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailar
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_fa
 
Scc soft token datasheet
Scc soft token datasheetScc soft token datasheet
Scc soft token datasheet
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthentication
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_brief
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 en
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authentication
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterprise
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authentication
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheet
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheet
 
Gambling
GamblingGambling
Gambling
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authentication
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationx
 
Csd6059
Csd6059Csd6059
Csd6059
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for banking
 

Último

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 

Último (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Eecs 2013-18

  • 1. Man-in-the-Middle Attack on T-Mobile Wi-Fi Calling Jethro Beekman Christopher Thompson Electrical Engineering and Computer Sciences University of California at Berkeley Technical Report No. UCB/EECS-2013-18 http://www.eecs.berkeley.edu/Pubs/TechRpts/2013/EECS-2013-18.html March 19, 2013
  • 2. Copyright © 2013, by the author(s). All rights reserved. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission.
  • 3. 1 Man-in-the-Middle Attack on T-Mobile Wi-Fi Calling Jethro Beekman and Christopher Thompson Electrical Engineering and Computer Sciences University of California, Berkeley jbeekman@eecs.berkeley.edu, cthompson@cs.berkeley.edu Abstract T-Mobile has a service called “Wi-Fi Calling”, which lets users make and receive calls even when without cellular service. This service is pre-installed on millions of T- Mobile Android smartphones. We analyze the security aspects of this service from a network perspective, and demonstrate a man-in-the-middle attack caused by a lack of TLS certificate validation, allowing an attacker to eavesdrop and even modify calls and text messages placed using the Wi-Fi Calling feature. We have worked with T-Mobile to fix this issue, and, as of 18 March 2013, they report that all affected customers have received an update fixing this vulnerability. I. EXPERIMENTAL SETUP In order to analyze T-Mobile’s Wi-Fi calling system, we used the setup shown in Figure 1. A Wi-Fi calling enabled phone P is configured to use access point AP. AP does not have any wired connections and just acts as a wireless network switch. Another machine M connected to the same network is configured as a DHCP server and NAT router. This allows us record and control all Internet traffic to and from P. We captured several Wi-Fi calling sessions. During our experiments, all traffic on both network interfaces was captured using libpcap. Any TLS connections were intercepted by sslsniff [1] running on M. sslsniff hijacks a TLS connection request, connects to the remote endpoint itself and generates a certificate based on what it receives from that endpoint. The certificate is signed with any certificate we specify and subsequently sent back to the client. We modified sslsniff to output the master-secret and client-random parameters of all established connections so that the TLS traffic in our packet traces could be decrypted. This allowed us to see how TLS-encrypted messages relate chronologically to other packets. II. NETWORK ANALYSIS When first enabling Wi-Fi, the DNS conversation in Appendix A takes place, requesting a chain of information about wifi.msg.pc.t-mobile.com. Then, a TLS connection is established to the host and port returned by DNS. These are sba.sipgeo.t-mobile.com and 5061, which is the port number assigned by IANA for SIP-TLS. AP MP S Fig. 1. Wireless man-in-the-middle setup. (P) Phone. (AP) Access point. (M) Man-in-the-middle. (S) Service provider.
  • 4. 2 1) s:/C=US/ST=WA/L=Bellevue/O=Engineering/CN=IP i:/C=US/O=T-Mobile USA, Inc./CN=T-Mobile USA, Inc. IP Access Nano 3G CA 2) s:/C=US/O=T-Mobile USA, Inc./CN=T-Mobile USA, Inc. IP Access Nano 3G CA i:/C=US/O=T-Mobile USA, Inc./CN=T-Mobile USA, Inc. Root CA 3) s:/C=US/O=T-Mobile USA, Inc./CN=T-Mobile USA, Inc. Root CA i:/C=US/O=T-Mobile USA, Inc./CN=T-Mobile USA, Inc. Root CA Fig. 2. Certificate chain of sba.sipgeo.t-mobile.com:5061. The certificate chain returned by T-Mobile’s server is shown in Figure 2. Two things stand out: first, the common name of the first certificate is simply the IP address of the server; second, the self-signed root certificate is not included in standard Certificate Authority (CA) distributions. In fact, searching the web for the exact common name of the root yielded barely any results. This can meant that the root certificate was either built-in to T-Mobile’s client software, or they did not implement certificate validation correctly. In fact, the client does not seem to have any problems with sslsniff intercepting the connection, making us conclude the latter. Analysis of the binaries confirmed that there was no trace of the root certificate. As hinted at by the DNS records and the port number, a SIP [2] dialog is initiated when the TLS connection is established. The client identifies itself using its phone number, IMEI (International Mobile station Equipment Identity) and IMSI (International Mobile Subscriber Identity); see Appendix B for the full message. Further messages follow normal SIP behavior. For example, an INVITE message including the SDP [3] body is outlined in Appendix C, which includes the encryption key that will be used for the SRTP [4] connection. Using the decrypted SIP dialog, an attacker is now able to record all incoming and outgoing calls and text messages (collectively “SIP traffic”). He could record, block and reroute SIP traffic. The attacker could change it by faking a sender or changing the real-time voice data or message content. He could fake incoming traffic and he can impersonate the client with forged outgoing traffic. We verified the ability to record outgoing calls and incoming and outgoing text messages. We also verified the ability to change the destination phone number on outgoing calls by modifying sslsniff to change all occurrences of <sip:dest-phone#@msg.pc.t-mobile.com>, replacing a single target phone number by a different one. III. SOFTWARE ANALYSIS T-Mobile has open-sourced most of its Android IMS stack [5]. By exploring the source code, we found two vulnerable components in categories that Fahl et al. [6] have previously identified. TlsSocketFactory creates a TLS socket and assigns the TestTrustManager to check the validity of certificates. Figure 3 shows a shortened version of the function that verifies the certificates. Note that it does not use an API to extract the common name from the distinguished name and that the only check is whether the common name is in a set of allowed IP addresses. This set was previously initialized with the IP address of the remote endpoint. public void checkServerTrusted(X509Certificate[] chain) throws CertificateException { String name = chain[0].getSubjectDN().getName(); String address = name.replaceFirst("CN=", "").replaceFirst(",.*", ""); if (!getAllowedRemoteAddresses().contains(address)) throw new CertificateException("Wrong certificate subject"); } Fig. 3. Implementation of TestTrustManager::checkServerTrusted, which checks the validity of a TLS certificate.
  • 5. 3 IV. SCOPE In order to execute man-in-the-middle attacks, an attacker must be on the path of the target network traffic. If they are not already on the path, there are techniques for influencing the path to include the attacker. With ARP spoofing [7] the attacker tricks hosts into believing the attacker’s network interface has the router’s IP address. Obviously, the attacker can only use this if they are on an on-path network. If the attacker is not, they can use DNS cache poisoning [8], in which they trick a caching DNS resolver to cache an invalid address record for the service they want to attack. Other clients using this same resolver will now receive the malicious record when connecting to this service and will connect to the attacker instead. Man-in-the-middle attacks would not be as threatening if not for the proliferation of wireless technolo- gies such as Wireless LAN (802.11)—exactly the technology that Wi-Fi calling advertises in its name. In wireless networks, an attacker no longer needs physical access to invade a network. If an attacker can connect to the network they can try ARP spoofing. Or, if the attacker knows the network parameters, they can employ the ‘Evil Twin’ attack, in which they imitate a legitimate network and trick users into connecting to that network instead. Dai Zovi and Macaulay [9] demonstrated an extended version of this attack exploiting bugs in automatic network selection algorithms in common operating systems. Not all versions of T-Mobile Wi-Fi calling are necessarily vulnerable. According to T-Mobile’s website, the IMS stack is used on the Samsung Galaxy S II, HTC Amaze 4G, myTouch and myTouch Q. The authors have tested the attack on a Samsung Galaxy S Relay 4G and a Samsung Galaxy Note 2. It is likely that other modern T-Mobile Samsung Galaxy products are also vulnerable. Users of T-Mobile Wi-Fi calling for Business might not be vulnerable, since it uses GAN, not IMS technology [10]. V. PATCH AND UPDATES In December 2012, we notified T-Mobile of this vulnerability. Over the past months, they added proper certificate validation to the T-Mobile Wi-Fi Calling feature, so that it validates the identity of the remote endpoint using their self-signed root CA. As of 18 March 2013, T-Mobile reports that they have been able to push an update with this patch to all affected customers. We have independently verified that the update pushed to T-Mobile Android phones successfully prevents this attack. REFERENCES [1] M. Marlinspike, “sslsniff.” [Online]. Available: http://www.thoughtcrime.org/software/sslsniff/ [2] “SIP: Session Initiation Protocol,” IETF RFC 3261, June 2002. [Online]. Available: https://tools.ietf.org/html/rfc3261 [3] “SDP: Session Description Protocol,” IETF RFC 4566, July 2006. [Online]. Available: https://tools.ietf.org/html/rfc4566 [4] “The Secure Real-time Transport Protocol (SRTP),” IETF RFC 3711, March 2004. [Online]. Available: https://tools.ietf.org/html/rfc3711 [5] T-Mobile USA, Inc., “The IMS project for android.” [Online]. Available: https://code.google.com/p/the-ims-open-source-project-for- android/ [6] S. Fahl, M. Harbach, T. Muders, L. Baumg¨artner, B. Freisleben, and M. Smith, “Why Eve and Mallory love Android: an analysis of Android SSL (in)security,” in Proceedings of the ACM conference on Computer and communications security, 2012, pp. 50–61. [7] R. Siles. (2003) Real World ARP Spoofing. SANS. [Online]. Available: http://pen-testing.sans.org/resources/papers/gcih/real-world- arp-spoofing-105411 [8] S. M. Bellovin, “Using the domain name system for system break-ins,” in Proceedings of the 5th conference on USENIX UNIX Security Symposium, 1995. [9] D. A. Dai Zovi and S. A. Macaulay, “Attacking automatic wireless network selection,” in Proceedings from the 6th Annual IEEE SMC Information Assurance Workshop, June 2005, pp. 365–372. [10] Cisco Systems, Inc. (2010) T-Mobile Wi-Fi Calling for Business with Cisco Unified Wireless Network. Cisco Partner Solution Profile. [Online]. Available: http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns828/c22-638810-00 tMob sBrief.pdf APPENDIX A. Initial DNS conversation from Wi-Fi calling client > NAPTR wifi.msg.pc.t-mobile.com < NAPTR 100 10 S SIPS+D2T _sips._tcp.sba.sip.t-mobile.com
  • 6. 4 > SRV _sips._tcp.sba.sip.t-mobile.com < SRV 10 10 5061 sba.sipgeo.t-mobile.com > A sba.sipgeo.t-mobile.com < A <IP> > PTR <reverse(IP)>.in-addr.arpa < PTR m<hex(IP)>.tmodns.net B. Initial REGISTER message from Wi-Fi calling client REGISTER sip:msg.pc.t-mobile.com SIP/2.0 To: <sip:src-phone#@msg.pc.t-mobile.com> Max-Forwards: 70 Supported: 100rel, eventlist User-Agent: T-mobile TAS P-Last-Access-Network-Info: 3GPP-UTRAN-TDD; utran-cell-id-3gpp=ID#1 P-Access-Network-Info: IEEE-802.11; i-wlan-node-id=ID#2 P-Preferred-Identity: sip:src-phone#@msg.pc.t-mobile.com Call-ID: UUID#1@src-IP From: <sip:src-phone#@msg.pc.t-mobile.com>;tag=UUID#2 CSeq: 1 REGISTER Content-Length: 0 Via: SIP/2.0/TLS src-IP:src-port;branch=UUID#3 Contact: <sip:src-phone#@src-IP:src-port;transport=TLS>;expires=3600; reg-id=1;+sip.instance="<urn:gsma:imei:IMEI;svn=00>"; +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"; +g.3gpp.smsip; +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.e-location" Authorization: Digest username="IMSI@msg.pc.t-mobile.com", realm="msg.pc.t-mobile.com", nonce="", uri="sip:msg.pc.t-mobile.com", response="", algorithm=AKAv1-MD5 Privacy: none C. INVITE message for call originating from Wi-Fi calling client INVITE sip:dest-phone#@msg.pc.t-mobile.com;user=phone SIP/2.0 To: <sip:dest-phone#@msg.pc.t-mobile.com> Max-Forwards: 70 Supported: 100rel User-Agent: T-mobile TAS P-Early-Media: supported P-Last-Access-Network-Info: 3GPP-UTRAN-TDD; utran-cell-id-3gpp=ID#1 P-Access-Network-Info: IEEE-802.11; i-wlan-node-id=ID#2 Call-ID: UUID#1@src-IP From: <sip:src-phone#@msg.pc.t-mobile.com>;tag=UUID#2 CSeq: 1 INVITE Content-Length: size Via: SIP/2.0/TLS src-IP:src-port;branch=UUID#3 Contact: <sip:src-phone#@src-IP:src-port;transport=TLS>; +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel";
  • 7. 5 +sip.instance="<urn:gsma:imei:IMEI;svn=00>" Allow: INVITE, CANCEL, ACK, OPTIONS, BYE, PRACK, UPDATE, NOTIFY, REFER, MESSAGE Accept-Contact: *; +g.3gpp.icsi_ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"; +g.3gpp.smsip Content-Type: application/sdp v=0 o=- session-ID 1 IN IP4 src-IP s=- t=0 0 m=audio src-port RTP/SAVP 0 i=StreamMediaAudio c=IN IP4 src-IP a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:base64-encoded key (16B) and salt (14B) a=rtpmap:0 PCMU/8000 a=sendrecv