Watch How Easy It Is to Hack the Future of Texting
2019-12-09 23:24
火星译客

Ask practically any phone carrier, and they'll tell you that the future of smartphone features from texting to video calls is a protocol called Rich Communication Services. Think of RCS as the successor to SMS, an answer to iMessage that can also handle phone and video calls. Last month, Google announced it would begin rolling RCS out to its Messages app in all US Android phones. It's easy to imagine a near-future where RCS is the default for a billion people or more. But when security researchers looked under the hood, they found the way carriers and Google have implemented the protocol creates a basket of worrisome vulnerabilities.

At the Black Hat security conference in London on Tuesday, German security consultancy SRLabs demonstrated a collection of problems in how RCS is implemented by both phone carriers and Google in modern Android phones. Those implementation flaws, the researchers say, could allow texts and calls to be intercepted, spoofed, or altered at will, in some cases by a hacker merely sitting on the same Wi-Fi network and using relatively simple tricks. SRLabs previously described those flaws at the DeepSec security conference in Vienna last week, and at Black Hat also showed how those RCS hijacking attacks would work in videos like the one below:

SRLabs founder Karsten Nohl, a researcher with a track record of exposing security flaws in telephony systems, argues that RCS is in many ways no better than SS7, the decades-old signaling system carriers still use for calling and texting, which has long been known to be vulnerable to interception and spoofing attacks. While using end-to-end encrypted internet-based tools like iMessage and WhatsApp obviates many of those SS7 issues, Nohl says that flawed implementations of RCS make it not much safer than the SMS system it hopes to replace.

"You're going to be more vulnerable to hackers because your network decided to activate RCS," says Nohl. "RCS gives us the capability to read your text messages and listen to your calls. That's a capability that we had with SS7, but SS7 is a protocol from the '80s. Now some of these issues are being reintroduced in a modern protocol, and with support from Google."

The RCS rollout still has a ways to go, and will continue to be a patchwork even with Google's backing. Some Android manufacturers use proprietary messaging apps as the default rather than the stock Messages app, and most carriers push their own versions as well. The iPhone doesn't support it at all, and Apple has given no indication that it will. But as RCS rolls out more broadly, its security issues merit attention—especially since it's those implementations that create the problems in the first place.

The SRLabs videos demonstrate a grab bag of different techniques to exploit RCS problems, all of which are caused by either Google's or one of the phone carriers' flawed implementations. The video above, for instance, shows that once a phone has authenticated itself to a carrier's RCS server with its unique credentials, the server uses the phone's IP address and phone number as a kind of identifier going forward. That means an attacker who knows the victim's phone number and who is on the same Wi-Fi network—anyone from a coworker in the same corporate office to someone at the neighboring table at Starbucks—can potentially use that number and IP address to impersonate them.

Using a different technique, the researchers showed how an Android phone using RCS can be vulnerable to a man-in-the-middle attack. Whether it's a hacker controlling a malicious Wi-Fi network or an ISP or nation-state spies with access to an ISP's servers, an attacker can alter the domain name system request that the phone uses to find the RCS server that acts as the relay between senders and recipients of a message. SRLabs found that while Android's RCS-enabled messaging app checks to see if the server the phone is connecting to has a valid TLS certificate—in the same way your browser checks the validity of an HTTPS website—it will accept any valid certificate, even for the attacker's server.

It's like a security guard who only checks if someone's ID matches their face, rather than if their name is on the approved list in the first place. "It's a really stupid mistake," adds Nohl.
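To make the certificate flaw concrete, here is an added Python example (not SRLabs' or Google's code) contrasting the check the article describes, "is this a valid certificate?", with the correct one, "is it a valid certificate for the host I meant to reach?". The certificate names and hostnames are constructed, and the expected hostname is taken from the client's configuration, not from the DNS answer, which is exactly why a spoofed DNS reply pointing at an attacker's server with its own valid certificate is rejected.

```python
import ssl

# Constructed for illustration (no real certificates): the DNS subject-alternative
# names each server presented after its certificate chain validated against a trusted CA.
PRESENTED = {
    "carrier": ["rcs.carrier.example", "*.carrier.example"],  # hypothetical legitimate relay
    "attacker": ["mitm.attacker.example"],                    # CA-signed, but for a different name
}

def chain_is_valid(cert_id):
    """Stand-in for chain validation: both constructed certs are assumed CA-signed and unexpired."""
    return cert_id in PRESENTED

def name_matches(expected, san):
    """RFC 6125-style host matching: exact match, or a single wildcard in the leftmost label."""
    expected = expected.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if san == expected:
        return True
    if san.startswith("*.") and "*" not in san[2:]:
        e_labels, s_labels = expected.split("."), san.split(".")
        return len(e_labels) == len(s_labels) and e_labels[1:] == s_labels[1:]
    return False

def flawed_accept(cert_id, expected_host):
    """The check the article describes: any valid certificate is accepted, whatever its name."""
    return chain_is_valid(cert_id)  # expected_host is never consulted

def correct_accept(cert_id, expected_host):
    """Chain validity AND the configured RCS server name must appear among the SANs."""
    return chain_is_valid(cert_id) and any(name_matches(expected_host, s) for s in PRESENTED[cert_id])

def hardened_context():
    """The ssl.SSLContext settings that make the standard library perform the correct check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True           # reject certificates whose names do not match the target
    ctx.verify_mode = ssl.CERT_REQUIRED # and require a trusted chain in the first place
    return ctx
```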

The result is that the man-in-the-middle can intercept and alter messages at will, as shown in this video:

Another attack takes advantage of a flaw in the initial setup for RCS devices. When a phone is first registered in the RCS system, it downloads a configuration file that contains the device's credentials. But to identify itself to the server and download that configuration file, a device only needs to have the IP address the carrier believes is associated with that device's phone number. Nohl points out, however, that any malicious app that ends up on a phone—even without special app permissions in Android—can reach out from the same IP address, steal the device's unique RCS credentials, and start impersonating it, as shown in the video below. That configuration file attack works even against someone who has never enabled RCS on their phone, Nohl adds.

In some cases, carriers try to guard against that attack by sending a one-time code to the user's device that they have to enter. But SRLabs found that some carriers failed to limit the number of tries at guessing that code; a hacker can try every possible number in just five minutes. "In five minutes we have your configuration file, and forever after we can listen to all your phone calls and read all your texts," Nohl says.
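The mitigation the article implies is straightforward: cap the number of guesses and expire the code. The following is an added Python example of a hypothetical carrier-side verifier for the code that gates the configuration download (not any carrier's code); the attempt limit, validity window and phone numbers are constructed, and `simulate_guessing` exists only to show that sequential guessing is cut off after the cap rather than running to completion.

```python
import hmac
import secrets
import time

# Hypothetical policy: 6-digit code, at most MAX_ATTEMPTS guesses, valid for TTL_SECONDS.
MAX_ATTEMPTS = 5
TTL_SECONDS = 300

class OtpVerifier:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested offline
        self._pending = {}         # phone number -> [code, issued_at, attempts_left]

    def issue(self, phone, code=None):
        """Create a code for this number. `code` is only for tests; normally random."""
        code = code or f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = [code, self._now(), MAX_ATTEMPTS]
        return code  # delivered out of band in practice, never returned to the requester

    def verify(self, phone, guess):
        entry = self._pending.get(phone)
        if entry is None:
            return False
        code, issued_at, attempts_left = entry
        if self._now() - issued_at > TTL_SECONDS or attempts_left <= 0:
            del self._pending[phone]   # expired or exhausted: the code is gone for good
            return False
        entry[2] = attempts_left - 1
        ok = hmac.compare_digest(code, guess)  # constant-time comparison
        if ok or entry[2] == 0:
            del self._pending[phone]   # single use on success; discarded after the last miss
        return ok

    def has_pending(self, phone):
        return phone in self._pending

def simulate_guessing(verifier, phone):
    """Sequentially guess codes against the capped verifier. Returns (succeeded, guesses_made)."""
    for n in range(10**6):
        if verifier.verify(phone, f"{n:06d}"):
            return True, n + 1
        if not verifier.has_pending(phone):
            return False, n + 1        # locked out: nothing left to guess at
    return False, 10**6
```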

All of these attacks become even more serious when RCS messaging is used as a second factor in two-factor authentication. In that case, RCS interception could allow hackers to steal one-time codes and gain access to other, even more sensitive accounts like email, as shown in this video:

When WIRED reached out to the GSM Association phone carrier industry group and Google, the company responded with a statement thanking the researchers but arguing that "many of these issues have already been addressed"—it declined to say which ones—"and as part of our close collaboration with the ecosystem, we're actively advising partners as they resolve the remaining issues." The GSMA claimed that it already knew of the issues SRLabs highlighted, and that "countermeasures and mitigation actions are available" for carriers to fix their RCS flaws. Nohl countered that those fixes haven't been implemented yet for any of the issues SRLabs presented on at Black Hat.

The GSMA further argued that SRLabs had pointed out problems with the implementation of the RCS standard, rather than the standard itself. "The findings highlight issues with some RCS implementations but not every deployment, or the RCS specifications themselves, are impacted," the GSMA statement reads.

Nohl argues, however, that the existence of so many flaws in the standard's implementations is in fact a problem with the standard. "If you put out a new technology for a billion people, you should define the whole security concept. Instead RCS leaves a lot undefined, and telcos make a lot of individual mistakes when trying to implement this standard," Nohl says. "This is a technology being introduced quietly to over a billion people already. And it exposes them to threats they didn't have to worry about previously."
