According to the GSM standards, all Mobile Originated (MO) USSD requests to service codes in the range *100# to *499# must be routed to the originator's home HLR. (Requests to code *500# and above can in theory be handled by the VLR of the visited network and routed to a local USSD gateway, enabling operators to offer USSD services to in-roamers. However, this is rarely done.)
Upon receiving an MO request, the HLR should validate that the subscriber is active in its records and that the service code is valid and active. If those checks pass, the HLR should route the request via a USSD gateway to the appropriate application. Only when that application responds positively to the request can a USSD session be established. Once a session is established between these parties, transactions can flow end to end.
The application that receives the request may perform its own validation during the session, e.g. verifying the IMSI of the requestor or performing multi-phase authentication.
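The MO handling path described above (service-code routing rule, the HLR's subscriber and service-code checks, and the application's final say before a session exists) as an added Python model, not code from the original post. The "*SC#" / "*SC*SI#" string shape, the sample IMSIs and the service-code table are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Assumed MO USSD shape "*SC#" or "*SC*SI#": SC is the 2- or 3-digit service
# code, SI is optional supplementary info. Other MMI forms are rejected here.
USSD_RE = re.compile(r"^\*(\d{2,3})(?:\*([^#]*))?#$")
HOME_HLR_RANGE = range(100, 500)  # *100# .. *499#: must go to the home HLR

@dataclass
class MoRequest:
    imsi: str
    service_code: int
    supplementary: str

def parse_mo_ussd(imsi: str, text: str) -> MoRequest:
    m = USSD_RE.match(text)
    if not m:
        raise ValueError(f"malformed MO USSD string: {text!r}")
    return MoRequest(imsi, int(m.group(1)), m.group(2) or "")

def route_for(req: MoRequest) -> str:
    # *500# and above may, in theory, be served in the visited network.
    return "home_hlr" if req.service_code in HOME_HLR_RANGE else "visited_network_eligible"

# Constructed HLR state: active subscribers and provisioned service codes.
ACTIVE_IMSIS = {"001010000000001", "001010000000002"}
SERVICE_CODES = {123: "active", 124: "suspended"}

def hlr_handle(req: MoRequest, app: Callable[[MoRequest], bool]) -> tuple[bool, str]:
    """HLR-side checks from the text, then hand-off via the gateway to the
    application. Returns (session_established, reason)."""
    if route_for(req) != "home_hlr":
        return False, "not a home-HLR service code"
    if req.imsi not in ACTIVE_IMSIS:
        return False, "subscriber not active in HLR"
    state = SERVICE_CODES.get(req.service_code)
    if state is None:
        return False, "unknown service code"
    if state != "active":
        return False, f"service code {state}"
    # A session exists only once the application answers positively.
    if not app(req):
        return False, "application rejected request"
    return True, "USSD session established"

def demo_app(req: MoRequest) -> bool:
    # Constructed application: accepts only the supplementary info it expects.
    return req.supplementary == "1"
```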
However, it could be possible for someone to sniff the radio interface or to hijack it entirely (à la Paget) and record these inputs for subsequent fraudulent use.
Many USSD-based financial services use end-to-end encryption between a client (SIM toolkit or Java) on the handset and the application attached to the USSD Gateway. This is the only way of guaranteeing the security of such services.
Network Initiated (NI) USSD poses a greater risk in that it can originate from outside the home network. In this case a USSD session is pushed to a subscriber's handset and may appear as if it is coming from their home network. For this reason many MNOs block NI USSD coming from outside the network, but this is not effective when their subscribers roam out.
While roaming in a foreign network, a subscriber may see an advert promising a cool service if they send an SMS to an international MSISDN. When they send the SMS, a USSD session may be pushed to their handset.
Such a session may not have any sinister purpose but it is not within the control of the recipient's home operator.