Saturday, January 06 2007

Anti NotiFlood

Here is a quick and easy way to protect yourself against NotiFlood (my MMS notification attack against PocketPC-based mobile phones, see my PocketPC Security Research).

As I explained, the PushRouter is the application that listens on port 2948. It receives all WAP push messages and routes them to the destination application. If the PushRouter doesn't know which destination application to use, it discards the WAP push message. So to protect ourselves against a NotiFlood attack, we simply need to remove the MMS MIME type from the PushRouter configuration; after this, the PushRouter will not be able to forward any WAP push messages to tmail.exe (the MMS application).

The PushRouter configuration for MMS is stored in the WinCE registry at:
    \HKEY_LOCAL_MACHINE\Security\PushRouter\Registrations\ByCTAndAppId\application/vnd.wap.mms-message;
The only value in this registry key is DEFAULT; for me it is set to 80FBE375B731C701.

Now we have a couple of options: delete the complete key, delete the value, or modify the value. For my part, I just modified the value (so I can easily switch MMS back on): I added an underscore (_) to the key value. Since the value of the key is now wrong, the PushRouter can no longer forward the MMS message to tmail.exe.

Note also that these settings are from my IPAQ PocketPC 4.2; they should be the same on all 4.2x devices.
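
The routing decision described above, modelled in Python as an added example (not PushRouter's own code): it reads the content type from a WAP push datagram and forwards only when a usable registration exists. The 16-hex-digit validity check, the function names and the sample datagram are assumptions made for the illustration.

```python
import re

# WSP well-known content-type code 0x3E is the MMS message type.
MMS = "application/vnd.wap.mms-message"
WELL_KNOWN = {0x3E: MMS}
PUSH_PDU = 0x06  # WSP PDU type "Push"
# Constructed sample: transaction id, Push, HeadersLen=1, content type 0xBE.
SAMPLE_MMS_PUSH = bytes([0x01, PUSH_PDU, 0x01, 0xBE]) + b"body"


def read_uintvar(buf, pos):
    """Decode a WSP uintvar (7 bits per octet, high bit = continue)."""
    value = 0
    while True:
        octet = buf[pos]
        pos += 1
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            return value, pos


def push_content_type(datagram):
    """Return the MIME type of a connectionless WSP Push PDU, or None."""
    try:
        if datagram[1] != PUSH_PDU:          # byte 0 is the transaction id
            return None
        headers_len, pos = read_uintvar(datagram, 2)
        if headers_len == 0 or pos + headers_len > len(datagram):
            return None                      # truncated or empty header block
        first = datagram[pos]
        if first & 0x80:                     # short-integer: well-known code
            return WELL_KNOWN.get(first & 0x7F)
        if first >= 0x20:                    # NUL-terminated text media type
            end = datagram.index(b"\x00", pos, pos + headers_len)
            return datagram[pos:end].decode("ascii").lower()
        return None                          # general form: not handled here
    except (IndexError, ValueError):
        return None


def route(datagram, registrations):
    """Model of the routing decision: forward only to a usable registration."""
    mime = push_content_type(datagram)
    value = registrations.get(mime, "") if mime else ""
    # Assumption: a usable value is exactly 16 hex digits, as on the page.
    return "forward" if re.fullmatch(r"[0-9A-F]{16}", value) else "discard"
```

With the original value `route(SAMPLE_MMS_PUSH, {MMS: "80FBE375B731C701"})` returns `"forward"`; with an underscore added to the value, or with the entry deleted, it returns `"discard"`.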

WARNING:
    This modification disables receiving MMS altogether! Don't do it if you still want to receive MMS messages.

Since there is no regedit on PocketPC, you need to get a third-party application. I used PHM RegEdit.

That is it! You're secure now ;-)