Desi Programmer @ Work

Phonebook Poisoning Attack

I found that using simple social engineering it is trivially possible to make someone alter an entry in their mobile phonebook. This can be used by an attacker to redirect a victim's SMS messages and voice communication intended for a specific person, to attacker's own phone. The attack works by sending the victim an SMS from a new number, claiming to be another specific person B who is already in the victim's phonebook. The SMS claims that it is the new phone number of Person B and this message is being sent to all friends to update their phonebook. People are too occupied to verify such updates.

Imagine that you get an SMS from a new number and it says "Hello friends. This is my new number. Please update your phonebook and use this number from now onwards - Person B". In most of the cases, you wouldn't bother to verify it is indeed Person B sending this message and you'll quietly update your phonebook. Onwards, any message coming from attacker's number will appear from Person B's name. Having some prior knowledge about you and the Person B, the attacker can ask directed questions and get confidential information. For instance if you share a password with Person B and the attacker asks, you'll probably text it away.

A more interesting variation of this attack leads to true Man-In-Middle: The attacker manages to update phonebooks of two persons having acquitance with each other. Both of them's phonebook entries now start pointing to one number. The attacker forwards their SMS to each other after storing them on his own phone. In some cases voice call can also be covered with clever call forwarding.

This attack works best in the countries where telecom proliferation is high. In such countries it is easy to buy a throw-away off-the-shelf SIM so having a new number on a spare phone is extremely convenient. Also, in such regions most of the communication is done over SMS instead of calls which is favourable for this case because in case of voice the person is easily recognized.

I tried it on few friends and it worked really well. I took the role of person B as well as the attacker and sent them the mobile number update request from a new number. Later I asked them some confidential questions related to them and me. It turned out that all of them had updated their phonebooks as well as responded to my queries without actually verifying it was me!

On a sidenote, a friend of mine wanted me to update his number in my mobile's phonebook and I tried to verify his identity. Here's how conversation went:

+92321xxxxxx: Hi, this is my number. Please update it - Ali A.
Me: Anyone can claim that he is Ali A. Please authenticate yourself!
+92321xxxxxx: Ask a question which only Ali A. can answer.
Me: What is his GMail password?
* no response *

Later I called up the claimed number to make sure that it was indeed Ali :-)