Showing posts with label mobile phone. Show all posts

Wednesday, 27 April 2011

Experimental attack on mTAN

F-Secure reports (link in German) that the trojan SpyEye has a new attack on the mTAN online banking security system. Users of infected PCs are tricked into installing malware on their Symbian mobile phones.
In order to do so, the attacker needs the phone's IMEI number, which is not a security credential in itself, but a user should become suspicious nowadays if their bank wants to know their IMEI number. I therefore suggest categorizing this attack as experimental.
The urgent question behind this is: why did the Symbian developers base the security of their operating system on IMEI numbers?

Sunday, 6 March 2011

TrustZone and Trusted Execution Environment

This post describes a recent security addition to mobile phones. It has a superficial similarity to the trusted platform module (TPM). Because the TPM seems to cast doubt on anything "trusted", I will compare TrustZone and TPM.
TrustZone is a virtualization technology. The basic idea is that the processor can be switched between normal mode and secure mode. Because of the virtualization, the normal mode is unaffected by the secure mode. The secure mode is based on the TrustZone. More technically, some peripherals and keys are only accessible from the secure mode.
The TPM did not use virtualization. There was no unaffected mode. It became unclear whether the owner of the computer or the owner of the TPM keys was the real master of the computer.
TrustZone can and will be used to implement a DRM system. However, it won't enforce anything in the normal world. Thus people who do not like to use DRM can simply ignore it.
Still, there is a feature that will be useful to everyone: the secure mode can be used to protect PIN entry or the display of sensitive information from malware. There is hope that such a technology might disrupt the creation of a criminal ecosystem on mobile phones before it gets out of control, as happened on PCs.
The secure mode is typically started from the normal mode, for example because the user wants to enter a PIN. The smart card standardization organization GlobalPlatform intends to standardize this API under the name Trusted Execution Environment. That's the other T-word from the title.


Wednesday, 2 March 2011

Malware on Android

As everyone reports: there has been malware on Google's Android market. I have to add that such a thing removes the remaining security from SMS-TANs or similar two-factor authentication schemes. One way out of that problem would be to use an additional trusted execution environment on smartphones.

Tuesday, 28 September 2010

ZeuS attacks m-TAN

The ZeuS e-crime toolkit now also supports man-in-the-mobile attacks. It seems that the malware on the PC tricks the user into installing malware on their phone with a classic social engineering manipulation.
The fraud is then straightforward: The trojan on the PC starts a transaction, the telephone malware grabs the m-TAN confirmation message and forwards it to the malware on the PC where the fraudulent transaction is completed.
This will become increasingly dangerous with the success of smartphones, which allow more attack vectors, in particular if the telephone is regularly connected to the PC, e.g. for synchronizing or charging.
I already wrote about this problem one month ago.

Sunday, 15 August 2010

Smartphones Not Ready for Mobile TANs

In the last few weeks we had an outbreak of security issues with smartphones. The most famous was the PDF font bug that hit the iPhone and other iOS devices, which Apple fixed with iOS 4.0.2. This one was really dangerous because it could infect iPhones just by opening a malicious web site.
Then we had a rootkit for Android phones. A first criminal exploitation was a Trojan, also for Android, that sent text messages to premium numbers.
Of course there is much more. The reason for this is, of course, that there is no magical security for telephones. Old-style telephone-and-SMS-only phones were simply too dumb to be hacked (if we disregard the occasional Bluetooth hack). Modern smartphones are normal computers that happen to contain a radio baseband chip.
However, we have that security feature M-TAN or Mobile TAN for online banking. When an M-TAN user has entered their transaction into the online banking website, they get an SMS with some details on the transaction and the M-TAN number. If the details of the transaction look good, they enter the M-TAN into the web site to complete the transaction.
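
The M-TAN exchange described above, as an added Python sketch (not code from this blog or from any bank): the server binds each M-TAN to one transaction and puts the details in the SMS, so the protection holds only if the user reads that SMS on a phone the attacker does not control. The class and function names, the 300-second lifetime and the sample IBANs are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TAN_DIGITS = 6
TAN_LIFETIME_S = 300  # assumed validity window, not from the post


def _digest(tx):
    # Fixed field order so the same transaction always hashes identically.
    canonical = f"{tx['iban']}|{tx['amount_cents']}|{tx['currency']}"
    return hashlib.sha256(canonical.encode()).digest()


class MTanServer:
    """Bank-side sketch: one pending M-TAN per session, bound to one transaction."""

    def __init__(self):
        self._pending = {}  # session_id -> (tx digest, tan, expiry)

    def start(self, session_id, tx, now=None):
        """Register the transaction and return the SMS text sent to the phone."""
        now = time.time() if now is None else now
        tan = f"{secrets.randbelow(10 ** TAN_DIGITS):0{TAN_DIGITS}d}"
        self._pending[session_id] = (_digest(tx), tan, now + TAN_LIFETIME_S)
        return (f"Transfer {tx['amount_cents'] / 100:.2f} {tx['currency']} "
                f"to {tx['iban']}. M-TAN: {tan}")

    def confirm(self, session_id, tx, tan, now=None):
        """Accept only the M-TAN issued for exactly this transaction, once."""
        now = time.time() if now is None else now
        entry = self._pending.pop(session_id, None)  # pop: single attempt
        if entry is None:
            return False
        digest, expected, expiry = entry
        return (hmac.compare_digest(digest, _digest(tx))
                and now <= expiry
                and hmac.compare_digest(expected, tan))


def sms_matches_intent(sms, intended):
    """The check the user performs by eye: does the SMS show what I entered?"""
    amount = f"{intended['amount_cents'] / 100:.2f} {intended['currency']}"
    return intended["iban"] in sms and amount in sms


# Constructed sample data (IBANs are made-up placeholders).
INTENDED = {"iban": "DE00EXAMPLE0001", "amount_cents": 12050, "currency": "EUR"}
ALTERED = {"iban": "XX00EXAMPLE9999", "amount_cents": 950000, "currency": "EUR"}
```

If the transaction reaching the bank is `ALTERED` rather than `INTENDED`, the SMS shows the altered details and `sms_matches_intent` fails for the user; that comparison is the whole defence, and it disappears when the SMS never reaches the user's eyes.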

So, here is the criminal master plan:
  1. own as many PCs as you can get
  2. own as many smartphones as possible
  3. match smartphones and PCs
  4. start phony transactions on the PC
  5. capture the resulting SMS
  6. send the M-TAN to the Trojan on the PC
  7. Profit
Sounds complicated, but if everyone has a backup of their smartphone on their PC, step 3 should be quite easy, and the only remaining issue for the criminal is whether they find enough matches so that the plan is worth the effort.

A promising version of this plan would be to attack the smart phone via the infected PC. In iPhone speak this would be called the "trojan jailbreak". If this can be done without the user noticing it, the M-TAN is completely broken.

I don't recommend using M-TANs on a smartphone.

Tuesday, 29 December 2009

GSM Security Broken, Finally

It has been well known for a long time that A5/1, the GSM encryption code, is not secure. Now it has finally been broken. Nobody ever believed that our phone calls were safe from the secret services of this world. The issue is that now the calls and, even worse, SMSes are vulnerable to criminals, too. This is a problem because M-TANs are used in online banking, for example.
But not all is lost: UMTS uses another algorithm, called MISTY or KASUMI, which is still considered safe. So, use M-TANs only if you have a 3G uplink.

Sunday, 8 November 2009

PhoneSnoop Turns BlackBerries into Bugs

A simple BlackBerry program called PhoneSnoop will turn your BlackBerry into a bug. The attacker will install it on a BlackBerry he found lying around. Then calling the BlackBerry from a preconfigured telephone number will put the BlackBerry into SpeakerPhone mode and all conversations near the affected BlackBerry can be overheard at the remote end of the call.
This is not a security issue of the BlackBerry operating system, because the root cause here is that the attacker had full control over the phone when he installed the software. For a minimum level of security, the BlackBerry should be configured to require a password after a short period of inactivity.
However, the moral here is that you shouldn't think "I don't have sensitive information on my telephone, so I don't need to secure it".