| 摘要: | 個人電腦的便利性、聯通性與普遍性,使得攻擊者可運用其電腦與網路的知識發展出各式各樣入侵電腦的方式,並進而構建出功能強大的殭屍網路,以非法地獲取龐大的金錢利益與私密資料。而隨著愈來愈多的人使用數位行動置與朋友聯繫或上網遊戲,數位行動裝置﹙例如,手機﹚已變成人們生活中不可或缺的一部分。手機等數位行動裝置的功能因此也變的日益強大,結構也愈來愈複雜,就如同手掌大小般的個人電腦。然而手機各式便利的功能,例如:打電話、傳簡訊等基本功能,亦可能被有心人士利用,成為破壞手機擁有者權利的攻擊工具。因此使得行動裝置除了可能遭受個人電腦相同的威脅外,亦面臨新型態的攻擊。 由於近來有愈來愈多網路上的服務開始要求使用者利用他們的手機來進行申請新帳號的認證或強化已有帳號的登入方式,例如:Google、Facebook及一些拍賣網站等,因此手機認證已變成手機的重要功能之一。但我們認為手機認證並不是完全可信,故本研究描述了一種可實作於手機上的攻擊手法及應用–MAC-YURI﹙以盜用他人手機號碼來換取網路帳號申請之認證的方法﹚。MAC-YURI藉由受害者的手機來為攻擊者在網路上新申請的帳號來進行“手機認證”,以達成最終目標–「我的帳號,你的責任」。 這篇論文描述了MAC-YURI的模型、應用及實作,MAC-YURI可以在一般手機用戶不知情的情境下,配合手機可收發簡訊的基本功能來達成攻擊者之目的。經過測試後證實其攻擊手法確實可存在於現今社會人類所使用之手機等數位型動裝置中。論文中亦提出對此類威脅的解決方案。 The convenience, connectivity, and popularity of computers allow a malicious user to utilize various approaches to compromise hosts which can be further organized into Botnets to illegally obtain financial gains or sensitive information. Along with the tread that more and more users use mobile devices to communicate with friends or play on-line games, mobile devices, such as smartphones, have become an indispensible part of many persons’ everyday life. Therefore, the functionality of mobile devices becomes more powerful and the structures of them become more complex, which makes them look like personal computer miniatures. However, attackers may abuse these powerful and diverse functions to impair the owner of a mobile device. Hence mobile devices are under the threats of not only some of the traditional desktop attack types but also new attack types. Due to the trend that more and more web services, such as Google, Facebook and many auction websites, require users to open their new accounts or to login to their accounts through cell-phone-verification, cell-phone-verification has become an important function of cellular phones. However, research in our work shows that cell-phone-verification is not always reliable. This study proposes a new attack method named MAC-YURI (My ACcount, YoUr ResponsIbility) against cell-phone-verification to show one possible abuse of smartphones to people. Through MAC-YURI, an attacker can utilize a compromised smartphone as a steppingstone to accept and forward account verification code to finish the cell-phone-verification when applying a new account or logging in to an account. This paper describes the attack models of MAC-YURI. MAC-YURI uses the built-in functionality of a smartphone, such as receiving and sending short messages, to launch attacks in a stealthy way. We implemented MAC-YURI on an Android smartphone. Experimental results show that MAC-YURI can successfully assist an attacker in obtaining the verification code of an account without the awareness of a steppingstone smartphone owner. Besides, the power consumption introduced by MAC-YURI is low. Finally, this paper proposes some methods to protect a smart-phone against MAC-YURI. |
