Weaponizing SMS (How SMS Web-Previews say more than they should)

Presented at ShellCon 2021 Virtual, Oct. 9, 2021, 2 p.m. (25 minutes)

Every attack begins with information gathering. Modern networks include corporate and BYOD mobile devices that may move between private and public networks, so information gathering from mobile devices is important, too. This presentation will explain a technique that abuses the link preview functionality in many modern smartphones to leak data such as operating system version and rough location from any cell-tower-connected smartphone to a third party, without the need for user interaction. Additionally, a defense for this attack will be presented, along with a tool built around the attack to automate it and store the data.


Presenters:

  • Oscar Anaya
    Oscar Anaya is a hacker for X-Force Red specializing in hardware and web application testing. He has also previously conducted successful automotive and mobile vulnerability research. Before working for X-Force Red, Oscar conducted research on access control and had great success finding bypass methods for these systems.
