The Sim Toolkit Research Group

CURRENT ACTIVITIES (2008-08-16)
 1. Finding a contact at Gemalto (help wanted!)
 2. Who has, or can create, an EEPROM image of a SIM, or has the source?
 3. Getting a real-life GSM SIM card for which we know the keys.
 4. Writing a test Java applet and uploading it (locally) to a Gemalto/Sagem developer SIM card.

2008-02-09:

  1. This wiki is writeable by EVERYONE. There is one rule for this wiki: the first time you read it you must add something!

1. Who we are

We are researchers from The Hackers Choice (http://thc.org). If you want to contribute to this project you can reach us at

  1. gamma@thc.org Jabber: gammos@jabba.ccc.de

  2. skyper@thc.org

2. What this is about

Quote: The integrity and security of Java are widely recognized

  1. In 2007 two lonely THC researchers set out to install a Java applet onto a SIM remotely.
  2. The SIM runs a JVM which is very powerful: it is possible to open a GPRS connection, make phone calls or redirect phone calls (e.g. remote phone tapping).
  3. Another goal was to escape from the SIM onto the ME, either via an overflow or some other method.
  4. The SMS protocol supports binary download and concatenation. EasyOTA is a good tool to generate the right packet format for an SMS that carries a Java applet in its payload.
  5. An SMS can contain a series of APDU commands that are executed in sequence. The first command would install the binary and the next would run it.
  6. We used a Genion Homezone update and sniffed the SMS with a Nokia 3310 trace mobile. We then decoded the SMS to learn about its structure (envelope commands etc.). TODO: gamma, upload the decoded part of the SMS.
  7. Gemplus has a dev kit. We never wrote a Java applet. We tried to send binary packets via a SIM card reader. We always got an error back (access denied or similar; gamma?).
  8. GSM 11.14 specifies how the SIM can interact with the ME.
  9. For a PoC it would be good to write a Java applet that uses DISPLAY TEXT to show a text on the ME.
  10. We found out (and got this confirmed by THC/nl) that all binary updates are authenticated. This is a keyed check with per-SIM OTA keys rather than a certificate in the PKI sense (see 5.4.2); the key is different for every SIM (says THC/nl).
  11. There are a shitload of undocumented commands whose purpose we did not find out.

3. Mailinglist

Subscribe to our mailing list by sending an email to stk-subscribe [at] lists.segfault.net. Send an email to the mailing list by mailing stk [at] lists.segfault.net.

4. Next Steps & WANTED

  1. Can we find a buffer overflow in the pre-auth part, i.e. in the signature/certificate check?
  2. Set up the GemXplore SDK again and develop an example app (I lost all my stuff :/ gamma, do you still have it?).
  3. Who can dump the SIM binary? We would love to do a binary audit, find out about COMP128v3 and see if there is a remote BO in the pre-auth part.
  4. Which network uses which kind of SIM cards, and from which manufacturer?

5. SIM Card / Java Card

5.1. Architecture

  1. Question: Is it possible to send an APDU directly to the GPOS?

  2. Question: What's the interface between Card Manager and GPOS?

  3. Question: Does the Card Manager or the GPOS decide if access to a file is granted?

5.2. Communication

The host system interacts with a JC via APDU commands. Any API call from the host, and any tool that configures a JC, ultimately sends APDU commands.

  1. Dan Veeneman at Decode Systems wrote a page containing Application Protocol Data Unit (APDU) commands and various other SIM card information, which can be found here. (~ Ryan D. Willis :: theintelshoe@gmail.com )

5.3. SIM Types

According to Gemalto (formerly Gemplus) there are the following SIM types:

  1. SIM Card R99
  2. SIM Card R5: Open Platform 2.0.1, JavaCard 2.1.1, GSM 03.19 R5 v5.4.0
  3. USIM Card R5: Open Platform 2.0.1, JavaCard 2.2.1, 3GPP 43.019 R5 v5.6.0
  4. USIM Card R6: Global Platform 2.1, JavaCard 2.2.1, 3GPP 31.130 R6 v6.2, ETSI 102.241 R6
  5. R-UIM Card: Global Platform 2.1, JavaCard 2.2.1, ETSI 102.241 R6 v6.7.0
  6. Question: Where are the differences? Is it possible to get further documentation?

5.4. Card Manager

From Global Platform GPCardSpec_v2.2.pdf:

3.8 Card Manager
The Card manager, as the central administrator of the card, assumes multiple responsibilities. The Card manager can be viewed as three entities:

  1. The Global Platform Environment
  2. The Issuer Security Domain
  3. The Cardholder Verification Method Services

Riscure - Card Manager: Global Platform defines an on-card entity called the Card Manager capable of performing more sophisticated loading. Its loading process is also used for GSM Java Card SIMs. The Card Manager implements a secure channel protocol that provides cryptographic services like encryption and authentication to support secure applet loading.

The Card Manager decrypts and verifies signatures. Then, if successful, it either executes the enclosed APDUs itself (if TAR = 00 00 00) or dispatches the APDUs to the applet associated with the TAR.

The Card Manager is responsible for installing and loading applets.

The early Global Platform standards (v2.0.1) came with a reference implementation of a card manager. Many operators just use this reference implementation.

5.4.1. TAR List

Each applet running on the SIM is identified by a unique ID known as the Toolkit Application Reference (TAR) value. An OTA message can be sent to any applet by specifying its TAR value in the SMS message. Below is a list of known TAR values (i.e. applets running on the SIM).

TAR value               Comment
00 00 00                Card Manager (can execute APDUs)
00 00 01                Wireless Internet Browser (WIB) (can execute commands)
00 00 01 to AF FF FF    Allocated by card issuer
B0 00 00                UICC shared file system management
B0 00 01                USIM1 file system management (see note 3)
B0 00 02                SIM file system (see note 4)
B0 00 03 to B0 00 FF    USIMx file system (see note 3)
B0 01 00 to B0 FF FF    RFU (other remote file systems)
B1 00 00 to B1 FF FF    Payment application
B2 00 00 to BF FE FF    RFU
BF FF 00 to BF FF FF    Proprietary toolkit application
C0 00 00 to FF FF FF    Allocated by card issuer

Excerpt from the TAR table in ETSI TS 101 220 (the same ranges, with the spec's notes):

Remote File Management Applications
  UICC Shared File system            'B0 00 00'
  USIM1 File system (see note 3)     'B0 00 01'
  SIM File system (see note 4)       'B0 00 02'
  USIMx File system (see note 3)     'B0 00 03' to 'B0 00 FF'
  RFU                                'B0 01 00' to 'B0 FF FF'
Payment Applications
  RFU                                'B1 00 00' to 'B1 FF FF'
Reserved for future categories
  RFU                                'B2 00 00' to 'BF FE FF'
Proprietary toolkit applications
  Proprietary toolkit application    'BF FF 00' to 'BF FF FF'
NOTE 2: The Card Manager may include Remote File Management of the SIM File System and the UICC Shared File system.
NOTE 3: The USIM file system may include the UICC Shared file system.
NOTE 4: The SIM file system may include the UICC Shared file system.

ETSI TS 101 220 defines the full list and the ranges of TAR values.

FIXME: gamma, link here. What are the applets for? What do they do? What does the Card Manager do?

5.4.2. Keys for OTA

Real World:[[BR]] The OTA keys are individual per SIM. 3DES is used. They are different from Ki. Each SIM with post-issuance card management capabilities has at least one set of three keys (message integrity, message confidentiality and key encryption).

All SIMs should reject OTA messages without a Digital Signature (DS). Not all SIMs are correctly secured. Some SIMs accept OTA messages that are not encrypted. Some SIMs accept OTA messages that only have a correct Cryptographic Checksum (CC) and some SIMs only require a correct Redundancy Check (RC). Some SIMs do not require any security feature at all and accept OTA messages without RC, CC or DS (by marek, TODO: name the networks!).

Most (if not all) operators use 3DES in the real world. It is unknown whether a weaker cipher is implemented on the card and would be accepted as well. The KIc/KId octets of the 03.48 command header let the sender choose the algorithm, so a SIM that honours a weaker choice than the one the operator normally uses would be a downgrade target.

  1. Can we use a weaker cipher whose key we can crack?
  2. What is the 'algorithm known implicitly to both entities'? XOR? A null cipher?
  3. What are 'proprietary implementations'?

5.5. Software

Axalto created Cryptoflex. Axalto and Gemplus merged into Gemalto.

5.5.1. Gemalto Access Client Software

The Gemalto Access Client Software is used to manage a JC. The software package comes with various tools to manage applets, change PIN/PUK and update key material on the JC. All these commands are ultimately translated into APDU commands.

The Software can be ordered at http://www.cryptoshop.com/index.php (23 EUR). GemPlus Development Smart Cards and SIM Cards can be ordered there as well.

Note: I'm not sure whether this application can be used to manage applets on a SIM card.

5.5.2. Loading Applet onto SIM

Card Admin:[[BR]] Tools for GSM operators to manage SIM cards (locally). The documentation speaks of 'proprietary APDU commands and files'. A two-year software licence costs 2500 EUR.

  1. http://www.gemalto.com/products/card_admin/

Gemalto Development Suite:[[BR]]

  1. http://www.gemalto.com/products/gemxplore_developer/

This tool costs 2000 EUR and can be used for development, simulation, testing and loading the applet onto a Gemalto dev SIM card.

TODO: Can this SIM card then be used in a real phone? E.g. can I program the Gemalto SIM card with my Ki?

5.5.3. Host API

The Axalto SDK comes with a rich set of libraries that make it possible to access the JC from the host system. Ultimately all these API calls are translated into APDU commands. The API is an implementation of the open PKCS #11 (Cryptoki) standard: the C_* names below are the standard PKCS #11 entry points.

Example API list:

C_CloseSession
C_CloseAllSessions
C_CopyObject
C_CreateObject
C_Decrypt
C_DecryptInit
C_DestroyObject
C_Digest
C_DigestFinal
C_DigestInit
C_DigestUpdate
C_Finalize
C_FindObjects
C_FindObjectsFinal
C_FindObjectsInit
C_GenerateKeyPair
C_GenerateRandom
C_GetAttributeValue
C_GetFunctionList
C_GetInfo
C_GetMechanismInfo
C_GetMechanismList
C_GetSessionInfo
C_GetSlotInfo
C_GetSlotList
C_GetTokenInfo
C_Initialize
C_InitPIN
C_InitToken
C_Login
C_Logout
C_OpenSession
C_SetAttributeValue
C_SetPIN
C_Sign
C_SignFinal
C_SignInit
C_SignUpdate
C_UnwrapKey
C_WaitForSlotEvent

Interesting API calls:

C_SetPIN => Sets the initial user PIN and the unblock PIN.
C_InitPIN => Sets a new user PIN when logged in as SO.
C_InitToken => Resets the card to its post-personalization state and sets a random PIN.

  1. Question: Find out the APDUs behind these API calls. Do these APDU commands require authentication?

5.6. TODO

  1. Assume the key is 16 hex digits long. Use the 'Verify Key' command and set the length to 1. Try all 0..255 values. If successful, set the length to 2 and brute-force the next byte. Does this work? (Check the retry counter first: a wrong verification normally decrements it, and a blocked key ends the experiment.)
  2. Middleware Guide.pdf, page 146: check whether live cards use the example RSA key from the reference documentation.
  3. Generate Key Pair(): Can we generate or add a new RSA key on the SIM card and then use this RSA key to sign applets? (Is adding or generating additional RSA keys protected?) (Adding is done with ./pkcs12.exe c:\MyCert.pfx from the host system. Which APDUs are used?)

6. SIM Tookit Application

The SIM Toolkit Application is specified in TS 31.111, GSM 02.19 and 3GPP 22.038.

Java applets (GSM 03.19) or C-written ELF binaries (TS 31.131) can be installed and executed on the SIM.

6.1. Over The Air (OTA)

An OTA SMS can be several kilobytes in size when the SMS concatenation mechanism is used. The OTA SMS is first received by the ME and then forwarded (silently) to the SIM. The SIM checks the security of the SMS and then processes it.

The SMS most people know are sent to the Mobile Equipment (ME) and appear in the phone's inbox. Another kind of SMS can be sent to the SIM directly. Only the mobile operator should be able to send an SMS to the SIM (PID 0x7F, Network -> SIM). In practice it is possible on many networks to send an SMS from any mobile phone via the network to the SIM in another mobile phone (SIM -> SIM) without this SMS being firewalled by the network.

In networks where such SMS are correctly firewalled, an SMS directly to the SIM can still be sent via direct access to an SMSC. There are many SMSC providers on the internet that offer raw access to the SMSC gateway, through which SMS to the SIM can be sent.

This is also possible with the sms application from Bladox TurboSIM (i.e. a client/server application for resolving the current cell ID).

6.2. Marek's Blog

Marek, please add your infos here.

6.3. Misc STK OTA SMS

Some examples of STK OTA SMS captured with gammu / Nokia mobile phones. The meaning is not always known. The telephone number of the receiving MS was +447983729787.

000: 09 01 99 01 01 07 91 44  - 97 85 78 89 08 00 8d 44
001: 05 81 23 11 f2 7f f6 80  - 30 01 71 53 62 00 7d 02
002: 70 00 00 78 15 16 01 25  - 25 b0 00 00 9c fc fd ac
003: 17 3b 88 95 68 a3 4f 6e  - 7f 23 34 c3 69 af ac 3f
004: 17 71 e9 ea 32 a9 ff 81  - fd 1f eb df f4 35 1a 32
005: fc 49 c5 cd fd 7e c1 84  - 04 59 7b 34 46 1f 6a 0d
006: 26 a4 70 e8 e5 c5 e2 4b  - 30 b4 33 f3 3c 23 ee ed
007: 86 14 09 44 f8 7a d1 5f  - 4b 23 ef c3 61 58 e5 ee
008: 82 86 72 83 c3 6e fa 6d  - 42 7b 72 b2 61 09 4c d3
009: 24 90 f2 1a f0 9b 31 d4  - 2d 57 b5 d9
    0: 09 0------- Direction: From originating site
    0: 09 -000---- 0 TransactionID
    0: 09 ----1001 SMS messages
    1: 01 00000001 Type: CP-DATA
    2: 99 10011001 Length: 153
    3: 01 00000--- reserved
    3: 01 -----001 Message Type Indicator(MTI): RP-DATA (network->ms)
    4: 01 00000001 Message Reference: 1
    5: 07 00000111 SMSC Address Length: 7
    6: 91 1------- Extension
    6: 91 -001---- International Number
    6: 91 ----0001 Numbering plan: ISDN/telephone (E164/E.163)
    7: 44 -------- Number(6): 447958879880
   13: 00 00000000 Destination Address Length: 0
   15: 44 ------00 TP-MTI: SMS-DELIVER (->MS) or SMS-DELIVER-REPORT (->SC)
   15: 44 -----1-- More Messages (TP-MMS): No
   15: 44 --0----- Status Report Indication (TP-SRI)
   15: 44 -1------ User Data Header Indicator (TP-UDHI): Yes
   15: 44 0------- Reply Path (TP-RP)
   16: 05 00000101 Originating (TP-OA) Address Length: 5
   17: 81 1------- Extension
   17: 81 -000---- Unknown Number Type
   17: 81 ----0001 Numbering plan: ISDN/telephone (E164/E.163)
   18: 23 -------- Number(5): 32112
   21: 7f 01111111 Protocol Identifier: 0x7F
   21: 7f 01111111  SIM Data download
   22: f6 1111---- Data Coding/Message Class
   22: f6 ----0--- reserved
   22: f6 -----1-- Message coding: 8 bit
   22: f6 ------10 Message Class: Class 2: SIM specific message
   23: 80 -------- SMSC Timestamp: 08-03-10 17:35:26 (TZ 00)
   30: 7d 01111101 User Data Length (TP-UDL): 125 octets (8-bit coding)
   31: 02 00000010 User Data Header Length: 2 octets
   32: 70 01110000 SIM Toolkit Security Header
HEX cpData:2276 Format Sim Data Download
000: 00 78 15 16 01 25 25 b0  - 00 00 9c fc fd ac 17 3b
001: 88 95 68 a3 4f 6e 7f 23  - 34 c3 69 af ac 3f 17 71
002: e9 ea 32 a9 ff 81 fd 1f  - eb df f4 35 1a 32 fc 49
003: c5 cd fd 7e c1 84 04 59  - 7b 34 46 1f 6a 0d 26 a4
004: 70 e8 e5 c5 e2 4b 30 b4  - 33 f3 3c 23 ee ed 86 14
005: 09 44 f8 7a d1 5f 4b 23  - ef c3 61 58 e5 ee 82 86
006: 72 83 c3 6e fa 6d 42 7b  - 72 b2 61 09 4c d3 24 90
007: f2 1a f0 9b 31 d4 2d 57  - b5 d9
   34: 00 -------- Length of CPL: 0x0078 (120)
   36: 15 -------- Command Header Length: 0x15 (21)
   37: 16 00010110 SPI : 0x16
   37: 16 ------10  Cryptographic Checksum
   37: 16 -----1--  Ciphering
   37: 16 ---10---  Process if counter is higher
   38: 01 00000001  PoR : 0x01
   38: 01 ------01   PoR required to be send to sending entity
   38: 01 ----00--   No RC/CC/DS applied to PoR
   38: 01 ---0----   PoR via SMS-Deliver-Report
   39: 25 00100101  KIc: 0x25
   39: 25 ------01   DES
   39: 25 ----01--   3DES-outer-CBC 2 different Keys
   39: 25 0010----   Key Number: 02
   40: 25 00100101  KId: 0x25
   40: 25 ------01   DES
   40: 25 ----01--   3DES-outer-CBC 2 different Keys
   40: 25 0010----   Key Number: 02 (b8-b5 = 0010, same key set as KIc)
   41: b0 --------  Toolkit Application Reference (TAR): 0xB0 0x00 0x00
   44: 9c --------  Counter (CNTR): 0x9C 0xFC 0xFD 0xAC 0x17 (ciphertext: with the SPI ciphering bit set, CNTR, PCNTR, CC and data are all encrypted)
   49: 3b --------  Padding counter (PCNTR): 0x3B (ciphertext)
   50: 88 --------  Cryptographic Checksum (CHL 21 - 13 header bytes = 8 bytes, 3DES CC): 88 95 68 A3 4F 6E 7F 23 (ciphertext)

000: 09 01 89 01 01 07 91 44  - 97 85 78 89 18 00 7d 44
001: 05 81 23 11 f2 7f f6 80  - 30 01 71 93 83 00 6d 02
002: 70 00 00 68 15 16 01 25  - 25 b0 00 10 7c dd 91 2b
003: a9 66 89 a1 d8 7d f1 0d  - 3a 4b 61 55 b3 4f 77 27
004: 35 8f b7 82 b3 83 4d c1  - c1 6c 18 f0 07 0d e4 7d
005: d3 4e 3d c6 5f 59 cc 78  - 07 88 24 66 44 47 3a 47
006: 04 cf da 21 bb b2 7a 35  - 2c 0d 3c d6 03 bc 1c fa
007: a4 e6 71 50 60 a4 1e 87  - 12 5c 3a e7 63 a0 4a d0
008: df 9d 99 6b 4d e2 75 c7  - 96 9b 56 ed
    0: 09 0------- Direction: From originating site
    0: 09 -000---- 0 TransactionID
    0: 09 ----1001 SMS messages
    1: 01 00000001 Type: CP-DATA
    2: 89 10001001 Length: 137
    3: 01 00000--- reserved
    3: 01 -----001 Message Type Indicator(MTI): RP-DATA (network->ms)
    4: 01 00000001 Message Reference: 1
    5: 07 00000111 SMSC Address Length: 7
    6: 91 1------- Extension
    6: 91 -001---- International Number
    6: 91 ----0001 Numbering plan: ISDN/telephone (E164/E.163)
    7: 44 -------- Number(6): 447958879881
   13: 00 00000000 Destination Address Length: 0
   15: 44 ------00 TP-MTI: SMS-DELIVER (->MS) or SMS-DELIVER-REPORT (->SC)
   15: 44 -----1-- More Messages (TP-MMS): No
   15: 44 --0----- Status Report Indication (TP-SRI)
   15: 44 -1------ User Data Header Indicator (TP-UDHI): Yes
   15: 44 0------- Reply Path (TP-RP)
   16: 05 00000101 Originating (TP-OA) Address Length: 5
   17: 81 1------- Extension
   17: 81 -000---- Unknown Number Type
   17: 81 ----0001 Numbering plan: ISDN/telephone (E164/E.163)
   18: 23 -------- Number(5): 32112
   21: 7f 01111111 Protocol Identifier: 0x7F
   21: 7f 01111111  SIM Data download
   22: f6 1111---- Data Coding/Message Class
   22: f6 ----0--- reserved
   22: f6 -----1-- Message coding: 8 bit
   22: f6 ------10 Message Class: Class 2: SIM specific message
   23: 80 -------- SMSC Timestamp: 08-03-10 17:39:38 (TZ 00)
   30: 6d 01101101 User Data Length (TP-UDL): 109 octets (8-bit coding)
   31: 02 00000010 User Data Header Length: 2 octets
   32: 70 01110000 SIM Toolkit Security Header
HEX cpData:2276 Format Sim Data Download
000: 00 68 15 16 01 25 25 b0  - 00 10 7c dd 91 2b a9 66
001: 89 a1 d8 7d f1 0d 3a 4b  - 61 55 b3 4f 77 27 35 8f
002: b7 82 b3 83 4d c1 c1 6c  - 18 f0 07 0d e4 7d d3 4e
003: 3d c6 5f 59 cc 78 07 88  - 24 66 44 47 3a 47 04 cf
004: da 21 bb b2 7a 35 2c 0d  - 3c d6 03 bc 1c fa a4 e6
005: 71 50 60 a4 1e 87 12 5c  - 3a e7 63 a0 4a d0 df 9d
006: 99 6b 4d e2 75 c7 96 9b  - 56 ed
   34: 00 -------- Length of CPL: 0x0068 (104)
   36: 15 -------- Command Header Length: 0x15 (21)
   37: 16 00010110 SPI : 0x16
   37: 16 ------10  Cryptographic Checksum
   37: 16 -----1--  Ciphering
   37: 16 ---10---  Process if counter is higher
   38: 01 00000001  PoR : 0x01
   38: 01 ------01   PoR required to be send to sending entity
   38: 01 ----00--   No RC/CC/DS applied to PoR
   38: 01 ---0----   PoR via SMS-Deliver-Report
   39: 25 00100101  KIc: 0x25
   39: 25 ------01   DES
   39: 25 ----01--   3DES-outer-CBC 2 different Keys
   39: 25 0010----   Key Number: 02
   40: 25 00100101  KId: 0x25
   40: 25 ------01   DES
   40: 25 ----01--   3DES-outer-CBC 2 different Keys
   40: 25 0010----   Key Number: 02 (b8-b5 = 0010, same key set as KIc)
   41: b0 --------  Toolkit Application Reference (TAR): 0xB0 0x00 0x10
   44: 7c --------  Counter (CNTR): 0x7C 0xDD 0x91 0x2B 0xA9 (ciphertext, see the first capture)
   49: 66 --------  Padding counter (PCNTR): 0x66 (ciphertext)
   50: 89 --------  Cryptographic Checksum (8 bytes, 3DES CC): 89 A1 D8 7D F1 0D 3A 4B (ciphertext)
  1. Question: What is TAR B0 00 10? (By the table in 5.4.1 it falls in the USIMx file system range B0 00 03 to B0 00 FF, i.e. remote file management of a USIM.)
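The two captures above can be decoded mechanically. The following parser, an added example and not code from the wiki or from gammu, takes the SMS-DELIVER TPDU of the first capture (the bytes from the TP-MTI octet at offset 15 onward; the CP-DATA/RP-DATA wrapper in front is skipped), checks the markers of a silent SIM data download from section 6.1 (PID 0x7F, message class 2, UDH IEI 0x70), decodes the GSM 03.48 command header (SPI, KIc/KId, TAR, CNTR) the way 5.4.2 describes the security levels, and names the TAR with the ranges of the table in 5.4.1. Two points the dump display hides: the SPI ciphering bit means CNTR, PCNTR, the checksum and the payload are ciphertext, so the printed counter is not the real counter, and an RC is a plain checksum, so only CC or DS counts as cryptographic protection. The hex string is copied from the capture on this page; nothing else is assumed.

```python
"""Decode a silent SMS-PP data download: a GSM 03.40 SMS-DELIVER (PID 0x7F, class 2)
carrying a GSM 03.48 command packet in its user data (UDH IEI 0x70). Added example."""
import binascii

# TPDU of the first capture in section 6.3, from the TP-MTI octet (offset 15) onward;
# the CP-DATA/RP-DATA wrapper in front of it is not part of the TPDU.
CAPTURE_1_TPDU = binascii.unhexlify(
    "4405812311f27ff6803001715362007d027000"
    "00781516012525b000009cfcfdac173b889568a34f6e7f2334c369afac3f1771"
    "e9ea32a9ff81fd1febdff4351a32fc49c5cdfd7ec18404597b34461f6a0d26a4"
    "70e8e5c5e24b30b433f33c23eeed86140944f87ad15f4b23efc36158e5ee8286"
    "7283c36efa6d427b72b261094cd32490f21af09b31d42d57b5d9"
)
RC_CC_DS = ("none", "RC", "CC", "DS")
COUNTER = ("no counter", "counter, no check", "process if counter higher",
           "process if counter one higher")
DES_MODE = ("DES CBC", "3DES outer CBC 2 keys", "3DES outer CBC 3 keys", "DES ECB")
TAR_RANGES = ((0x000000, "Card Manager"), (0xAFFFFF, "allocated by card issuer"),
              (0xB00000, "UICC shared file system"), (0xB00001, "USIM1 file system"),
              (0xB00002, "SIM file system"), (0xB000FF, "USIMx file system"),
              (0xB0FFFF, "RFU (remote file management)"), (0xB1FFFF, "payment application"),
              (0xBFFEFF, "RFU"), (0xBFFFFF, "proprietary toolkit application"))

def semi_octets(data: bytes) -> str:
    """BCD digits, low nibble first; a 0xF nibble pads an odd-length number."""
    out = []
    for b in data:
        out.append(str(b & 0x0F))
        if b >> 4 != 0x0F:
            out.append(str(b >> 4))
    return "".join(out)

def key_field(b: int) -> dict:
    """KIc/KId octet: b1-b2 algorithm, b3-b4 DES mode, b5-b8 key index."""
    alg = ("implicit", "DES", "reserved", "proprietary")[b & 0x03]
    return {"algorithm": alg, "key_index": b >> 4,
            "mode": DES_MODE[(b >> 2) & 0x03] if alg == "DES" else None}

def parse_command_packet(pkt: bytes) -> dict:
    """CPL(2) CHL SPI(2) KIc KId TAR(3) CNTR(5) PCNTR RC/CC/DS secured-data."""
    cpl, chl = int.from_bytes(pkt[:2], "big"), pkt[2]
    if cpl != len(pkt) - 2:
        raise ValueError("CPL does not match packet length")
    hdr = pkt[3:3 + chl]
    spi1, spi2 = hdr[0], hdr[1]
    cc_len = chl - 13                      # header length minus everything but RC/CC/DS
    return {
        "cpl": cpl, "chl": chl, "integrity": RC_CC_DS[spi1 & 0x03],
        "ciphered": bool(spi1 & 0x04), "counter_mode": COUNTER[(spi1 >> 3) & 0x03],
        "por": ("none", "always", "on error", "reserved")[spi2 & 0x03],
        "por_integrity": RC_CC_DS[(spi2 >> 2) & 0x03],
        "por_via": "SMS-SUBMIT" if spi2 & 0x20 else "SMS-DELIVER-REPORT",
        "kic": key_field(hdr[2]), "kid": key_field(hdr[3]), "tar": hdr[4:7],
        # With SPI b3 set, CNTR, PCNTR, RC/CC/DS and the data are ciphertext:
        # the counter value cannot be read off the air without KIc.
        "cntr": hdr[7:12], "pcntr": hdr[12], "rc_cc_ds": hdr[13:13 + cc_len],
        "secured_data": pkt[3 + chl:],
    }

def parse_sms_deliver(tpdu: bytes) -> dict:
    """Pull TP-OA/PID/DCS/UDH out of an SMS-DELIVER; decode an IEI 0x70 payload as 03.48."""
    if tpdu[0] & 0x03 != 0:
        raise ValueError("not an SMS-DELIVER TPDU")
    oa_len = (tpdu[1] + 1) // 2            # the TP-OA length field counts digits
    p = 3 + oa_len
    pid, dcs, scts, udl = tpdu[p], tpdu[p + 1], tpdu[p + 2:p + 9], tpdu[p + 9]
    ud = tpdu[p + 10:p + 10 + udl]
    grp_f = (dcs & 0xF0) == 0xF0           # "data coding/message class" DCS group
    eight_bit = bool(dcs & 0x04) if grp_f else (dcs & 0x0C) == 0x04
    msg_class = dcs & 0x03 if (grp_f or dcs & 0x10) else None
    ts = [f"{b & 0x0F}{b >> 4}" for b in scts]  # semi-octet swapped timestamp
    cmd = None
    if tpdu[0] & 0x40:                     # TP-UDHI set: walk the header IEs
        udhl, i = ud[0], 1
        while i < 1 + udhl:
            iei, iedl = ud[i], ud[i + 1]
            if iei == 0x70:                # 03.48 command packet identifier
                cmd = parse_command_packet(ud[1 + udhl:])
            i += 2 + iedl
    return {"originator": semi_octets(tpdu[3:3 + oa_len]), "pid": pid,
            "timestamp": f"{ts[0]}-{ts[1]}-{ts[2]} {ts[3]}:{ts[4]}:{ts[5]}",
            "eight_bit": eight_bit, "message_class": msg_class, "command_packet": cmd,
            "silent_sim_download": pid == 0x7F and msg_class == 2 and cmd is not None}

def classify_tar(tar: bytes) -> str:
    """Name a TAR using the ranges of the table in 5.4.1 / ETSI TS 101 220."""
    v = int.from_bytes(tar, "big")
    return next((name for upper, name in TAR_RANGES if v <= upper), "allocated by card issuer")

def weakly_protected(cmd: dict) -> bool:
    """No cryptographic check claimed: an RC is a plain checksum anyone can recompute."""
    return cmd["integrity"] in ("none", "RC")

if __name__ == "__main__":
    r = parse_sms_deliver(CAPTURE_1_TPDU)
    c = r["command_packet"]
    print(f"from {r['originator']} at {r['timestamp']}, silent download: {r['silent_sim_download']}")
    print(f"TAR {c['tar'].hex()} = {classify_tar(c['tar'])}; {c['integrity']}, ciphered={c['ciphered']}, "
          f"{c['counter_mode']}, key index {c['kic']['key_index']}, weak={weakly_protected(c)}")
```

Running it on the first capture reports a CC with ciphering from key set 2 of both KIc and KId (the two 0x25 octets decode identically), TAR B0 00 00 (UICC shared file system), and 98 ciphered payload bytes. Feed the second capture's TPDU in the same way to get TAR B0 00 10 classified as USIMx file system. A message for which weakly_protected() returns True is one of the "not correctly secured" cases of 5.4.2.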

7. How do they do it

7.1. Remotely installing software on your SIM

The mobile operator uses the Over The Air (OTA) mechanism to send binary Java applets via SMS (several kilobytes) to the SIM. These applets are installed silently, without the user knowing.

The Java applets have access to GSM functionality and to the mobile phone itself. The details of the interface are defined in GSM 11.11 and 11.14.

7.2. Intercepting your voice calls

It is possible to install a Java applet remotely on the SIM card that intercepts all voice calls. This enables an attacker to listen to any voice call the user makes or receives without ever touching the target phone.

This is done via OTA and a binary installation of a Java applet. The applet has a powerful interface to the Mobile Equipment and the GSM modem.

  1. SMS-PP Data Download (GSM 11.14 7.1): a binary can be installed on the SIM remotely; the user is not notified.
  2. Call Control (GSM 11.14 4.5): any outgoing call request is first passed to the SIM, which can modify it. This can be used to listen in on mobile subscribers: whenever a call is made, initiate a conference call to the original number and your own mobile.
  3. Security Mechanisms (GSM 03.48): security mechanisms for the SIM application toolkit.

The same technique can be used to track your location and to sniff your SMS and call logs.

7.3. Genion Home Zone Update

Gamma, explain here.

Gamma, example gsm-decoded packet dump here

7.4. esizkur's Credit Update

esizkur, you said you are receiving OTA messages from your operator telling you how much credit is left on your account. Can you explain here which operator? Can you upload a trace/dump of the information? (e.g. using a Nokia 3310 trace mobile, a seasoner or a Bladox card).

emx: Prepaid credit update messages are often sent using USSD (http://en.wikipedia.org/wiki/USSD) - not a SIM OTA message.

7.5. Riscures GSM hack

In the Paris press release Riscure demonstrates how a SIM can be controlled remotely. They loaded the Ki from a real SIM onto a programmable SIM, then installed the backdoor manually onto that SIM and controlled it remotely via SMS.

  1. Where to buy a programmable SIM that supports the required authentication algorithm (A3/A8, e.g. COMP128)? Note that A5/1 ciphering runs in the ME, not on the SIM, so the card only needs A3/A8. Or can we implement all of this in software/an applet?

7.6. Mobile Locate

There are several companies in the UK that offer to locate a mobile phone. This service is aimed at parents tracking their children or employers tracking their employees.

I tested http://www.mobilelocate.co.uk. After receiving my login and password by post I was able to add any phone number to my account. The target phone received an SMS with a 5-digit password (brute-force attack?). The target had to reply via SMS with this code to enable tracking of his mobile phone.

I was able to track the target phone with 500-5000 m precision. Whenever I clicked 'locate phone' on the web interface the following happened:

  1. The BTS requested a dedicated channel (Paging Request, Auth Request (RAND), Auth Response (SRES), Channel Assignment).
  2. The BTS instantly issued a 'Channel Release'.

No SMS was sent to the MS. This means the company has a peering agreement with all mobile operators and access to the mobile operator's private location information of _any_ customer.

  1. Question: Are 5-digit PINs secure enough? Can they be brute-forced?

  2. Question: Privacy problem if such a company has full access to anyone's location information. The last time I signed a mobile operator contract it did not say that they give out my location information to other commercially driven companies.

8. Projects

8.1. Bladox APDU logger

Motivation: learn more about what messages and applications the mobile operator sends to the phone. Are they all protected? Which ones can be forged? Which ones are proprietary?

Using a Bladox TurboSIM: write a Bladox app that logs all APDU commands sent from the ME to the SIM. The goal is to find out what kind of messages and applications the operator sends to the phone.

If there is not enough storage on the Bladox card itself, a Symbian app could poll the data from the Bladox card every 60 seconds and store it on an MMC.

8.2. How is an applet authenticated

Gamma, can you explain here? what standard? What format? What keys?

From Gemplus: Java Card applets do not directly receive the incoming messages. These are first processed by the Java Card Runtime Environment (JCRE), which calls a method of the applet to process the APDU commands.

The Java Card Virtual Machine (JCVM) controls access to all smart card resources, such as memory and I/O, and allows applications to be securely loaded onto the card post-issuance.

See the Card Manager description above (5.4) for how an OTA SMS is authenticated.

8.3. Using the mobile as listening Device

There is a rumour that the police can turn on a mobile and use it as a listening device even when it is switched off. Can we verify this? We could use a USRP to sniff whether the MS actually transmits while the phone is switched off.

No doubt this can be done when the phone is switched on and idle: just upload a Java applet that initiates a silent call.

While not exactly the same thing, Endoacustica's site provides some information on a specially configured spy phone that can monitor even when powered off - http://www.endoacustica.com/details_gsm-interceptor_en.htm - Probably this Symbian application just fakes the shutdown and the phone is not really off.

8.4. Extracting applets

  1. Can we dump all existing applets from the card? Let's find out what is installed on a SIM by default and what it is used for.
  2. Can we dump the Card Manager applet from the SIM, convert it back to Java code and do a code audit on it?

8.5. OTA SMS

From Global Platform Specs 2.0.1: Selecting the application (SELECT command) never requires the use of a Secure Channel.

Retrieving basic card and/or issuer information (GET DATA) never requires the use of a Secure Channel.

Can we send an OTA SMS that does a GET DATA request and receive the answer via a reply SMS? Note that "Secure Channel" here is the Global Platform secure channel on the card interface; an OTA SMS still has to pass the 03.48 security check (SPI, keys, counter) on the SIM before the APDU ever reaches the Card Manager, so this only works on SIMs that accept minimal 03.48 security.

9. Dev Tools

9.1. CSIM

The easiest way to send APDU commands to the SIM is with a SIM card reader. It is also possible to use the AT command interface of a mobile phone to access the SIM, via the AT+CSIM command. This command is not available on most phones (but it is available on the iPhone!). The first parameter is the length of the hex string in characters, i.e. twice the APDU length in bytes.

Random examples:

AT+CSIM=14,"A0A40000023F00" (select master file)
AT+CSIM=14,"A0A40000027F10" (select DF Telecom)
AT+CSIM=42,"F0E000001000246F110C030A02001B1B1B1B1B1B1B" (proprietary CREATE FILE, class F0; creates an EF with ID 6F11)
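A small helper, added here as an example and not part of the wiki or of any vendor tool, that builds AT+CSIM lines the way the examples above do, parses the +CSIM reply, and decides what to send next from the GSM 11.11 status words (9F xx means the card has xx bytes waiting for GET RESPONSE, 6C xx means resend with Le = xx). The file IDs (3F00, 7F20, 6F07) are the standard GSM 11.11 ones; the +CSIM replies and the IMSI in the dialogue at the bottom are constructed for the demonstration.

```python
"""Talk to a SIM through a phone's AT+CSIM command (3GPP TS 27.007): build the
command line, parse the +CSIM reply and act on the GSM 11.11 status words.
Added example, not from the THC wiki; the replies below are constructed."""
import re

CLA_GSM = 0xA0                      # GSM 11.11 class byte used by the wiki's examples
MF, DF_TELECOM, DF_GSM, EF_IMSI = 0x3F00, 0x7F10, 0x7F20, 0x6F07   # GSM 11.11 file IDs

def apdu(cla: int, ins: int, p1: int, p2: int, data: bytes = b"", le: int = None) -> bytes:
    """Short APDU: header, then either Lc+data or a single Le byte (GSM 11.11 never uses both)."""
    body = bytes([cla, ins, p1, p2])
    if data:
        return body + bytes([len(data)]) + data
    return body if le is None else body + bytes([le])

def at_csim(cmd: bytes) -> str:
    """AT+CSIM=<length>,"<hex>": <length> counts hex characters, i.e. twice the byte count."""
    h = cmd.hex().upper()
    return f'AT+CSIM={len(h)},"{h}"'

def parse_csim(line: str):
    """'+CSIM: 4,"9F17"' -> (response data, SW1, SW2); rejects a length that does not match."""
    m = re.fullmatch(r'\s*\+CSIM:\s*(\d+),"([0-9A-Fa-f]*)"\s*', line)
    if not m or int(m.group(1)) != len(m.group(2)) or len(m.group(2)) < 4:
        raise ValueError("malformed +CSIM response: " + line)
    raw = bytes.fromhex(m.group(2))
    return raw[:-2], raw[-2], raw[-1]

def describe_sw(sw1: int, sw2: int) -> str:
    """GSM 11.11 section 9.4 status words that matter when poking at a SIM."""
    if (sw1, sw2) == (0x90, 0x00):
        return "OK"
    if sw1 == 0x9F:
        return f"OK, {sw2} response bytes waiting (send GET RESPONSE)"
    if sw1 == 0x6C:
        return f"wrong length, resend with Le={sw2}"
    return {(0x94, 0x04): "file ID / pattern not found",
            (0x98, 0x04): "access condition not fulfilled (CHV or key needed)",
            (0x98, 0x08): "in contradiction with CHV status",
            (0x98, 0x40): "CHV verification failed, no attempts left"}.get(
                (sw1, sw2), f"unknown SW {sw1:02X}{sw2:02X}")

def next_command(prev: bytes, sw1: int, sw2: int):
    """What to send after a reply: GET RESPONSE for 9Fxx, corrected Le for 6Cxx, else nothing."""
    if sw1 == 0x9F:
        return apdu(CLA_GSM, 0xC0, 0, 0, le=sw2)
    if sw1 == 0x6C:
        return prev[:4] + bytes([sw2])
    return None

def select_path(*fids: int) -> list:
    """AT lines that SELECT the MF and then each DF/EF in turn (A0 A4 00 00 02 <fid>)."""
    return [at_csim(apdu(CLA_GSM, 0xA4, 0, 0, fid.to_bytes(2, "big"))) for fid in (MF,) + fids]

def decode_imsi(ef: bytes) -> str:
    """EF_IMSI body: length octet, then BCD low-nibble-first; the first low nibble is parity/type."""
    digits = [str(ef[1] >> 4)]
    for b in ef[2:1 + ef[0]]:
        digits.append(str(b & 0x0F))
        if b >> 4 != 0x0F:
            digits.append(str(b >> 4))
    return "".join(digits)

if __name__ == "__main__":
    # Constructed dialogue: SELECTs answering 9F xx (GET RESPONSE would fetch the FCP),
    # then a READ BINARY of EF_IMSI holding the made-up IMSI 262012345678901.
    script = {'AT+CSIM=14,"A0A40000023F00"': '+CSIM: 4,"9F17"',
              'AT+CSIM=14,"A0A40000027F20"': '+CSIM: 4,"9F17"',
              'AT+CSIM=14,"A0A40000026F07"': '+CSIM: 4,"9F0F"',
              'AT+CSIM=10,"A0B0000009"': '+CSIM: 22,"0829261032547698109000"'}
    for line in select_path(DF_GSM, EF_IMSI) + [at_csim(apdu(CLA_GSM, 0xB0, 0, 0, le=9))]:
        data, sw1, sw2 = parse_csim(script[line])
        follow = next_command(bytes.fromhex(line.split('"')[1]), sw1, sw2)
        print(line, "->", describe_sw(sw1, sw2), "" if follow is None else "next: " + at_csim(follow))
    print("IMSI:", decode_imsi(data))
```

The length check in parse_csim matters in practice: some phones wrap or truncate long +CSIM replies, and silently accepting a reply whose length field disagrees with its hex body is how status words get misread. The 98 04 result is the one you will see most when sending APDUs to a live SIM without CHV1 verified.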

9.2. Bladox Turbo Sim

http://www.bladox.com An add-on chip for an existing SIM card. It enables anyone to write SIM toolkit apps and load them onto the TurboSIM. This means we can test SIM toolkit apps in the phone without knowing the operator's key for uploading Java applets to a real SIM card.

  1. A free compiler toolchain is available. Not Java, but compiled C.
  2. The card is programmed and accessed via AT commands.

9.3. GemXplorer

Javacard / SIM Toolkit

A free eval version is available from http://www.gemplus.com/products/gemxplore_developer/. A forum and examples are available as well (NEW!). The eval version is emulator-only and does not work directly on the SIM.

TODO: Need Full version (anyone?)

Gemplus released really good STK (Sim Tool Kit) examples.

9.4. On-Card Debugger

Link: http://developer.gemalto.com/home/java-card/on-card-debugging.html

Some tips by Gemalto on how to get debug information back to the host PC from a live SIM.

9.5. Smart Card Tool Set

  1. Smart Card Tool Set

For Windows. Smart card software to explore the file system and send APDUs. Free trial version (can send up to 10 APDUs at once). The full version costs 60 EUR.

10. Sending binary SMS

10.1. Using your Modem & EasyOTA

FIXME: Will be explained later.

10.2. Using providers

Some SMS gateways (clickatell.com) support sending binary SMS. It is possible to cut and paste the raw binary SMS, including all headers, through the web interface.

11. TODO

  1. List of the software and tools we used for our research.
  2. Why did we fail to install a binary Java applet via the SIM card reader? Does this already require a key?
  3. Can we set the CNTR to 0xFF..FF (max value) so that the SIM can no longer receive OTA messages?
    • When a SIM connects to a server for a GPRS connection it authorizes it (phone no., balance details, IMEI no., ...). If I can configure my SIM to some other number (a GPRS-activated no.), can I get connected???

12. Resources

12.1. Random Quotes

12.1.1. Security interface proprietary

GSM 03.48: Under normal circumstances the Receiving Entity receives the Command Packet and unpacks it according to the security parameters indicated in the Command Header. The Receiving Entity subsequently forwards the Application Message to the Receiving Application indicating to the Receiving Application the security that was applied. The interface between the Sending Application and Sending Entity and the interface between the Receiving Entity and Receiving Application are proprietary and therefore outside the scope of the present document.

  1. Does proprietary mean not implemented?
  2. The Receiving Entity does tell the application which security was applied, but since that interface is proprietary nothing forces a given applet to look at it. So the receiving application on the SIM might not know, or might not care, whether the applet was signed or not.

12.1.2. Security requires further studies

GSM 03.48: A.2.2 Mutual authentication - This topic is for further study.

12.2. Files

  1. easyota-1.2.4.rar - Creates fully SMS-PP Download compliant SMS.

  2. PDUSpy - Create custom SMS / PDU's.

12.3. Links

  1. Thesis on SIM Toolkit & Security (german)

  2. Smart Card FAQ (good intro!)

  3. http://www.3gpp.org/ftp/Specs/archive/ - GSM / 3GPP Specifications

  4. Gemplus OTA Training / Overview

  5. http://www.riscure.com/ - Professional Smart Card Pen Testing

  6. Good Smart Card Security papers

  7. Open Platform Card Specification 2.0.1 (old)

  8. Forensics and Sim Cards: an Overview - (pdf, Fall 2006 -- utica.edu)

12.4. Useful Standards


  1. ISO 7816: "Identification Cards - Integrated Circuit Cards with Contacts" http://www.cardwerk.com/smartcards/smartcard_standard_ISO7816.aspx
  2. GSM 11.14: "Specification of the SIM Application Toolkit for the Subscriber Identity Module - Mobile Equipment (SIM - ME) interface"
  3. GSM 03.40: "Technical realization of the Short Message Service (SMS) Point-to-Point (PP)"
  4. GSM 03.19: "GSM API for SIM toolkit stage 2"
  5. GSM 02.48: "Security Mechanisms for the SIM application toolkit; Stage 1"
  6. GSM 03.48: "Security Mechanisms for the SIM application toolkit; Stage 2"
  7. 3GPP TS 23.048: "Security mechanisms for the (U)SIM application toolkit"
  8. ETSI TS 102 225: "Secured packet structure for UICC based applications"
  9. ETSI TS 102 226: "Remote APDU Structure for UICC based applications"
  10. ETSI TS 101 180: "Security mechanisms for the SIM Application Toolkit"
  11. 3GPP TS 43.019: "Subscriber Identity Module Application Programming Interface (SIM API) for Java Card; Stage 2"
  12. 3GPP TS 31.130: "(U)SIM Application Programming Interface; (U)SIM API for Java Card"
  13. 3GPP TS 31.102: "Characteristics of the Universal Subscriber Identity Module (USIM) application"
  14. 3GPP TS 31.115: "Secured packet structure for (U)SIM Toolkit applications"
  15. 3GPP TS 31.116: "Remote APDU Structure for (U)SIM Toolkit applications"
  16. 3GPP TS 31.111: "USIM Application Toolkit (USAT)"

12.5. Books

  1. McGraw-Hill_2002_Mobile.Application.Development.with.SMS.and.the.SIM.Toolkit http://www.amazon.com/Mobile-Application-Development-SMS-Toolkit/dp/0071375406/ref=sr_1_1?ie=UTF8&s=books&qid=1205590751&sr=8-1

  2. JohnWileySons.MobileMessagingTechnologiesandServices:SMS,EMSandMMS http://www.amazon.com/Mobile-Messaging-Technologies-Services-SMS/dp/0470011432/ref=sr_1_1?ie=UTF8&s=books&qid=1205591037&sr=1-1

12.6. Open Platform

Link: http://www.globalplatform.org Specifies standards for smart cards in general. Java Card and the SIM card are implementations (among many) of the Global Platform specification for smart cards.

  1. Docs on how to update the public CA key on the SIM card (PUT KEY)
  2. APDU extensions
  3. Detailed APDU encoding (bit level)

Links:

  1. Card Specification v2.2

  2. Confidential Card Content Management v2.2

  3. Card Security Requirements Specification v1.0
