Broken Foundations

nixops
Oct 24, 2020

This picture captures the foundation used for most modern applications and services.

*This article is for educational purposes only. Some tools are not explicitly disclosed for liability reasons. You can find them on your own and do your own research on them. DO NOT BREAK THE LAW; consult with counsel about the laws in your jurisdiction. Also be mindful that you may violate the Terms of Service of some providers by reproducing these attacks, even against yourself.*

Registration

As pointed out in the Wardialing 2.0 article in this series, the majority of services today rely on user phone registration. This is a terrible foundation for a setup flow, and many of these companies also use the phone number as an override for password resets. You can test this for each individual service of your liking. As pointed out in the previous entry in this series, this approach causes a large number of problems for various types of individuals.

There are a number of problems with this approach, as previously outlined. Traditionally, when phone phreaking was extremely useful, we needed boxes to obtain access to phone numbers or to dial from in order to do reconnaissance. Reconnaissance was employed to gather information useful for gaining access to phone systems or computer networks. Another method employed by phreaks was social engineering. In current times we can bypass the reconnaissance, as tools are available that can help with obtaining access to your number for password resets or verification processes.

Companies have blindly switched to a number registration model because it implies that the person setting up the account has a phone and can be tracked back to a real person. As noted before, that is not always true. It is important to note that SMS is not encrypted, which means messages could be retrieved by an attacker with some proper planning. This applies to the reset messages as well. Remember, you signed up with your number; once an adversary has it, they could employ a number of tactics to use these foundational processes against you.

The greatest and worst invention of all time for human beings.

SMS Fun

As SMS is not encrypted, information intended for another phone can be captured through a variety of attack vectors. Another important factor points back to those contacts you may or may not even be in contact with anymore. An adversary is, more often than not, going to be someone you know or have had contact with, so realistically they already have your actual number. We are much more likely to give our real numbers to people we know, but there are also risks with operations if you are running a business or are actively involved in your community. There are also the issues mentioned before with number reuse, temporary numbers, and virtual number providers.

There are services, which I will not link, that for a little time and a little bitcoin or monero can intercept a message intended for another phone number. I cannot provide the names of these capture services, but I can tell you that with a little digging on DuckDuckGo you can find them for yourself. They do work, and for around $30.00 you can intercept a few messages intended for another number. This is a huge vulnerability. There are also some applications and tools you could run if you are on the same WiFi network as the intended target; in this case that should be yourself, as doing it to someone else is illegal. Do not break the law.

There is also one other often overlooked vector that is annoying many people now in regard to politics. You may be receiving tons of SMS messages asking for donations or urging you to get out to vote. Some are from lists you may have signed up for and some are not. The ones you are not subscribed to are the most interesting, as these people have your subscriber number and are often sending you links along with the request to donate. I will link the following unicode phishing information. Here is the example from the article, and obviously this is not Apple. That being said, there are also a number of vulnerabilities that could be used against you if your phone, like most, has website previews enabled: this could allow some JavaScript and remote services to retrieve metadata about your device and further help the attacker confirm that your phone is active and the number is good. Again, this goes back to reconnaissance.

Knowing your number is active by getting preview invocation allows for better attack modeling.

Social media engineering

Your social media accounts, whether you consider them valuable or not, are a prime target for many attackers, including spammers and adversaries. Adversaries could be a number of things, including those who wish to exploit your contacts for financial gain, individuals who want to figure out the next rung in the ladder of individuals to scam, and those who just mean to be malicious to you. As businesses become more and more reliant on social media for customer engagement, many have come to rely on these services for much of their marketing as well. This poses a new set of problems since, as mentioned, registration still uses phone numbers. Some permit Multi-Factor Authentication, but not all. Also note that 2FA, aka Multi-Factor Authentication, can greatly improve your account, but it is not a silver bullet and you should not consider it one. If you would like to circumvent such authentication measures, look in companies’ support forums and you can learn quite a bit about their systems, including how to circumvent them. As I have stated before, the art of exploitation is 98% research, 1% fortitude, and 1% execution.

**DO NOT PERFORM THE FOLLOWING ATTACK AGAINST ANYONE, INCLUDING YOURSELF. NOTE THAT IN DOING THIS YOU MAY VIOLATE A SERVICE’S TERMS OF SERVICE. IN SOME CASES OF SUCH A VIOLATION YOU MAY LOSE YOUR ACCOUNT OR THE PRIVILEGE TO USE THE SERVICE.**

Instagram, Facebook, Twitter, and others are hugely popular services for social media and messaging. While not all of these services require a phone number, many do, and many now make the email-only flow visible only on desktop or hard to opt in to. As pointed out in the previous article, there are risks here. As mentioned earlier, we can sign up using number registration. For the sake of the attack description, let’s refer to our primary number as A and to our attacker’s number as B. This gives some separation and makes it easier to follow how this attack process works.

On most (99.9%) of the services that allow phone registration, the number is used as an override in case you lose your password and access to your email. This means that if you lose access to your email and want to reset your password, you can opt to have the reset message sent to your number and you will receive a reset text. Here is an example from Instagram:

Just imagine if this was your Instagram password reset being intercepted.

As discussed earlier, there are ways to intercept messages sent from these services to your number. Many of them use a specific text coded number, and these numbers can now be targeted with the aforementioned services to intercept the text to the target number. This is where the user with number A is attacked by number B, without A ever being notified until after the fact, when they may or may not receive the email notification. As email is not guaranteed, remember that in current times most non-business email is not checked as frequently. It could be hours or days until they realize it if they are not an active user or are busy with life, which an attacker may be aware of and use to make their move.

All of these angles are critical to operational security. As noted, the attacker has now reset the account and in a lot of cases will change the email too. As they can choose the duration of the intercepts from a number to a number, they can effectively own the account. Until you can prove to the service’s support that you are the account owner, which could take time, the attacker can access your DMs and even impersonate you for gain or for information gathering to be used against you. This is illegal, but it can be hard or impossible to prosecute depending on jurisdiction and region. This process could be used by stalkers, scammers, and adversaries for a number of reasons. Multi-factor authentication should be enabled to prevent this, but as pointed out before, there are circumvention tactics as well.

A sample Yahoo change verification code sent via SMS. Most email providers and VPNs are vulnerable too. More on that in article 3.

Financial Systems

While I have briefly discussed the dangers of using SMS verification and setup for your social media services, it is important to remember that financial service providers use the same method for your mobile banking. This is subject to the same attack models previously listed. As this phone registration process has been adopted as the norm, it poses serious privacy concerns as well as dangers to all users who rely on these services. PayPal, Bank of America, Wells Fargo, et al. have all switched to this model for verification during mobile application setup as well as for password reset.

Plenty of services you use that have almost unbridled access to your credit and debit cards, such as Uber, Lyft, DoorDash, Postmates, and others, use this registration process as well. They are also subject to such attacks. This is why the foundations of tech companies are extremely broken at this time. We have all supported them and migrated to this new way of doing things at extreme sacrifice. There are still more dangers, as even credit monitoring applications and services may use this process too. This places individuals at extreme risk, yet the business is at very little risk of any ramifications from these actions. Even Equifax was hacked, exposing almost every American’s credit details with a simple walk in the front door. SMS registration and reset models are the same as leaving the front door open to the individual.

How Equifax was actually hacked. No real hacking needed. Just walked through the door.

Trading applications have also made this jump. Many do require a secondary authentication method, but they too can be circumvented. You can spend a few minutes in the forums of these services and understand how easily they can be circumvented and use the attack model described with the services to become whoever you want, but you will need their number. As pointed out, there are a number of ways for your number to be disclosed to an attacker without your knowledge. These vectors are huge, and these companies have done a great job of marketing themselves as a secure way to invest, bank, or buy goods and services. In reality they are not. We the consumers feel the pain of the weaknesses in their systems, even though we have no input into the design and implementation. These foundational cracks have been known for years; they are ignored so you can sign up more easily and provide them your data, which they sell. This sold data can then be obtained and used against you by an adversary: a vicious cycle for us, not them.

We give these companies so much power, yet they do little to control the exchange of our data and its security.

AWS, Azure, GCP, and more

As the world becomes increasingly reliant on cloud providers, they are also becoming increasingly reliant on SMS verification. In a security model where an employee signs up with a company device and that number is only disclosed to other businesses and customers, this could be perceived as a pretty safe model to use for registration on cloud services, coupled with email. However, most do not force multi-factor authentication during registration and many others do not even enforce it as a requirement. This opens the door for an attack by clients, other businesses, or espionage on their infrastructure. While there are safeguards to some level, the password reset bypass via text message is very common on these platforms too.

For posterity, I must include the verification; reset messages are also sent in this way.

As humans run these companies and services on these platforms, it is likely your number will be disclosed, and if an attacker is aware of your position they can use the above attack model to gain access to your infrastructure. This may not be the end of the world if you are using proper security models within the infrastructure, but if you are not using multi-factor authentication and your number gets disclosed, it is really irrelevant how secure your infrastructure is when the front door was left unlocked. This is important to remember: as we get really interested in the deeper details, we often forget to lock the front door.

While an attacker may not be able to shell into your application, they could run up extreme bills, insert their own roles, and run services inside your infrastructure that you may not be aware of for some time, until after you reset your account. As most of these services have a root account, it can be quite easy to figure out who may hold it, as they are usually management. That means you are more than likely on Zoom calls or giving your number out to clients and potential clients. Networking events are an attacker’s wet dream; they could open up hundreds of new avenues for them without the would-be victims realizing it. This is a dangerous game of cat and mouse, often one where the mouse is just trying to earn a living.

Harsh reality that can and has happened to some tech startups.

How do we fix this?

To address these vectors, we have to recognize that while our phones provide a level of convenience we have never had before, that convenience comes with a world of trade-offs and security concerns. Computers are not easy to secure, and phones are portable computers. Granted, a phone lets you accept and make phone calls, but a lot of computers and applications do this now. The difference is the portability. The compromises we have allowed are eroding any form of security, or the idea of it. We should approach things differently if we are to resolve these foundational problems.

One such solution is the use of public key validation for signing up for services. We do this with PGP; this model, while it seems antiquated, is actually fairly robust and secure. As a community we should strive to encourage this movement as well as help in designing services to use it. Simply put, a user would create a public key for the service and be able to authenticate against said public key, and all resets and changes can be validated against the public key. This process can easily be implemented and would cut down a large percentage of attack vectors on users. There would also be concerns about key loggers and such, but those exist now for existing workflows.
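A sketch of the key-bound reset described above, as an added example that is not code from the original article: the service stores a public key at sign-up and approves a reset only when a fresh challenge is signed by the matching private key, so controlling the phone number or intercepting a text is not enough. It uses Ed25519 from Go's standard library in place of PGP; the `Server` type, its methods and the challenge format are hypothetical names chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"time"
)

type request struct { // what the server remembers per outstanding challenge
	account string
	expires time.Time
}

// Server is a hypothetical service that registers a public key, not a phone number.
type Server struct {
	keys    map[string]ed25519.PublicKey
	pending map[string]request
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string]request{}} }

func (s *Server) Register(account string, pub ed25519.PublicKey) { s.keys[account] = pub }

// NewChallenge binds a random nonce to one account and one action.
func (s *Server) NewChallenge(account, action string, now time.Time) string {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	ch := account + "|" + action + "|" + hex.EncodeToString(nonce)
	s.pending[ch] = request{account, now.Add(5 * time.Minute)}
	return ch
}

// Approve allows the change only for an outstanding, unexpired challenge
// signed by the key registered for the account it was issued to.
func (s *Server) Approve(ch string, sig []byte, now time.Time) bool {
	r, ok := s.pending[ch]
	delete(s.pending, ch) // single use, whether or not verification succeeds
	pub, known := s.keys[r.account]
	return ok && known && !now.After(r.expires) && ed25519.Verify(pub, []byte(ch), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // done on the user's device
	if err != nil {
		panic(err)
	}
	s, now := NewServer(), time.Now()
	s.Register("alice", pub) // only the public key is sent at sign-up
	ch := s.NewChallenge("alice", "password-reset", now)
	fmt.Println("owner approved:", s.Approve(ch, ed25519.Sign(priv, []byte(ch)), now))
}
```

The account is taken from the server's own record of the challenge rather than from anything the requester claims, and a challenge is consumed on its first use, so a captured signature cannot be replayed.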

Another method is to remove number registration, verification, and password reset bypass with numbers, and rely on email. Email, while it does seem antiquated, is still heavily relied on in the business world and in the consumer world. Keep in mind you may receive emails that state a password reset attempt was made: if it was you, click the link; if not, ignore it. This is a good process. It informs the user and does not allow a bypass, but it is only as strong as the user’s email password. As I have said before, there is no silver bullet for software and there are no one-size-fits-all solutions. There are plenty of better ways than what we are using now, and some of them are the ways we used to do things.

There are always vulnerabilities; we just need to determine whether the attack surface is large or small and whether mitigation is possible.

Conclusion

Security is complicated, phones are complicated, and software is complicated. We have attempted for so long to simplify each and every process that we have forgotten to take a step back and realize that there are huge cracks in the very foundation of the systems we have built. Is any of this new? No; if it was to you, then I am glad that it has come to light. Are discussions ever had in board meetings about how to change them? No. They are fundamental ways that users interact with services and businesses. It is now so ubiquitous that it is seen as insecure and uncommon not to use these approaches, regardless of the fact that they are actually less secure.

SMS interference is illegal. I advise you not to go wild using the services and programs that you find. I also advise you to only do these types of attacks against yourself, in order to understand the vectors and to gain perspective. Do not attack individuals; they are just like you and me, humans trying to live their lives. These attack surfaces are important to understand as they are easy to exploit. We are in a war with tech companies in which we are compromised at each and every step, yet they remain shielded and continue to report record growth at the expense of our data, privacy, and security.

While this covers in a very vague way the attack vector used, I was instructed to not provide links or call the services out directly. There are legal issues surrounding them and I want to avoid any and all conflicts as this information is being provided for educational purposes. I am also hoping this series is beginning to open up your understanding of the technology you rely on daily. There are foundational problems with it, and when you build a company or service on top of broken foundations, they are all just houses of cards.

A few keystrokes, some research, time, and effort will net results in these attack surfaces. No real hacking needed.

*TL;DR: The phone registration model is broken. SMS is unencrypted and can be captured by attackers in a targeted way. Your number, your data model, also opens you up to being attacked in a targeted manner.*

This was article 2 of the series, Article 3: “Houses of Cards”, will be published upon approval. This article will describe service vulnerabilities and how they can be leveraged as they are all built on a broken foundation in modern times. Article 4 will be announced and released the subsequent day once approved: “They win, we lose”.

You can buy me beer with Bitcoin, Monero, Burst, or Doge if you want. Hit me up for addresses.

You can find me on Twitter, Signal, and Telegram (@nixops)
