The Sim Toolkit Research Group
CURRENT ACTIVITIES (2008-08-16) 1. Finding contact at gemalto (help wanted!) 1. Who has or can create an eeprom-image of a SIM or has the source? 1. Getting a real life GSM sim card of which we know the key's 1. Writing a test java applet and upload it (locally) to a gemalto/sagem developer sim card. 2011-SEP26 UPDATE: This project has been discontinued in 2009. Latest status: 1. Can install SIM binary app via OTA on developer SIM cards. 1. Commercial SIM cards require authentication (mainly DES or 3DES?) if OTA is used. 1. Installing binary APP on SIM with physical access to SIM maybe possible but not researched. 1. Attack vector is: Find vuln in binary image of SIM OS (exploit) 1. Best Attack: circumvent authentication. Some SIMs return with valid Crypto-Checksum when invalid request is send to SIM. Gives us Ciphertext over known plaintext and then be able to crack DES (feasible).
2013-JUL-22 UPDATE ON UPCOMING KARSTEN NOHL BLACKHAT TALK
Karsten Nohl is presenting a talk at Blackhat Vegas this year to discuss some SIM/GSM vulnerabilities.
Go see his talk. (Karsten is not associated with THC. It happens that he did some research in the same area where THC did some research).
Quick walk through the attack:
- Attacker uses fake Base station to 'catch' victim's phone.
- Attacker to send fake SIM TOOLKIT messages to the victim's SIM. SIM TOOLKIT messages are like SMS/TEXT messages (but binary instead and not visible to the user). The SIM is the little chip inside your phone. It carries a unique subscriber ID (IMSI) and various secret keys.
- The fake messages should specify that DES is the only supported algorithm, that no encryption is used and that authentication (Crypto-Checksum/CC) _IS_ used.
- The attacker does not know the secret DES key to create a valid CC for the SIM TOOLKIT message. Thus the phone will ignore the message and return an error that the CC is wrong.
- This error message is not encrypted (we instructed the phone [see above] not to use encryption and only to use CC authentication). The error message can contain a CC generated by the victim's SIM. The vast majority of all SIM's that we tested show the CC is empty (0x0000000...). A very few number of very old SIM's set this field to a valid CC. This valid CC can now be used to brute force the secret DES Key.
- The Attacker can now test all 2^56 different DES key combinations that would generate the VALID CC over the plaintext error message that the victim's phone send back to the attacker.
- Once the DES key has been found the Attacker can use the DES key to generate a valid CC. This enables the attacker to send a SIM TOOLKIT message with a correct CC to the victim's SIM.
- The attacker can now install SIM TOOLKIT binaries (applications!) on the victim's SIM or reconfigure the SIM remotely over the air.
This attack can be optimized to work fast on DES.
The attacker can send thousands of SIM TOOLKIT messages with bad CC to the phone. The victim's phone will reply with thousands of error messages containing a counter and a _valid_ CC. This enables the attacker to gather a lot of CC's generated over different plaintext error messages.
A rainbow table can be used to extract the secret DES. (Rainbow tables are always great when there is a lot of known ciphertext [here CC] available. Doubling the ciphertext halves the attack time).
DES is obsolete. The GSMA started to replace the DES algorithm with the newer AES in 2009. With AES the attack is not possible even if the victim's phone returns an error message with a valid CC when AES.
Any attack on 3DES is still academic at this point but I would not trust it for much to long...
This wiki is writeable to EVERYONE. There is a rule to this wiki: First time you read it you must add something!.
- Who we are
- What this is about
- Next Steps & WANTED
- SIM Card / Java Card
- SIM Tookit Application
- How do they do it
- Dev Tools
- Sending binary SMS
1. Who we are
We are researchers from The Hackers Choice (http://thc.org). If you wanna contribute to this project you can reach us at
- gamma - thc.org Jabba: ...REMOVED...
- skyper - thc.org
2. What this is about
Quote: The integrity and security of Java are widely recognized
- In 2007 two lonely THC researchers set about to install a java applet onto a SIM remotely.
- The SIM runs a JVM which is very powerful. It's possible to open gprs connection, make phone calls or redirect phone calls (e.g. remote phone tapping).
- Other goal was to escape from the SIM onto the ME either via overflow or other method.
- SMS protocol supports binary download and concatenation. EasyOTA is a good to to generate the right packet format for such a SMS that contains a java applet in its payload.
- A SMS can contain a series of APDU commands that are execute in sequence. The first command would be install the binary and then to run the binary.
- We used a Genion Homezone update and sniffed the SMS with a nokia 3310 trace mobile. We then decoded the SMS to learn about the structure (envelope commands etc). TODO: gamma, upload the decoded part of the SMS.
- Gemplus has a dev kit. We never wrote a java applet. We tried to send any binary packet via sim card reader. We always got error back (access denied or something. gamma?).
- GSM 11.14 specifies how the sim can interact with the ME.
- For PoC it would be good to write a java applet that then uses DISPLAY TEXT to display a text on the ME.
- We found out (and got this confirmed by THC/nl) that all binary updates are authenticated by certificate. The key is different for every sim (says THC/nl).
- There are a shitload of undocumented commands that we did not find out what they are doing.
Subscribe to our mailinglist by sending an email to ...REMOVED... [at] lists.segfault.net. Send an email to the mailinglist by mailing ...REMOVED... [at] lists.segfault.net.
4. Next Steps & WANTED
- Can we find a buffer overflow in the pre-auth part? certification check?
- Setup again the Gemxplorer SDK and develop an example app (i lost all my stuff :/ gamma, do you still have it?).
- Who can dump the SIM binary? Would love to do a binary audit and find out about comp128v3 and if we can find a remote BO in the pre-auth part.
- Which network uses what kind of SIM cards/from which manufactor?
5. SIM Card / Java Card
Question: Is it possible to send an APDU directly to the GPOS?
Question: What's the interface between Card Manager and GPOS?
Question: Does the Card Manager or the GPOS decide if access to a file is granted?
The host system can interact with a JC via APDU commands. Any API call from the host or any tool to configure a JC ultimatly sends APDU commands.
Dan Veeneman as Decode Systems wrote up a page containing Application Protocol Data Units (APDU) commands and various other sim card information which can be found here. (~ Ryan D. Willis :: firstname.lastname@example.org )
5.3. SIM Types
According to Gemalto, former GemPlus, there are the following SIM types:
- SIM Card R99
SIM Card R5: Open Platform 2.0.1, JavaCars 2.1.1, GSM 03.19 R5 v.5.4.0
USIM Card R5: Open Platform 2.0.1, JavaCard 2.2.1, 3GPP 43.019 R5 v.5.6.0
USIM Card R6: Global Platform 2.1, JavaCard 2.2.1 3GPP 31.130 R6 v6.2, ETSI 102.241 R6
R-UIM Card: Global Platform 2.1, JavaCard 2.2.1, ETSI 102.241 R6 v.6.7.0
Question: Where are the differences ? Is it possible to get further documentation ?
5.4. Card Manager
From Global Platform GPCardSpec_v2.2pdf.
3.8 Card Manager
The Card manager, as the central administrator of the card, assumes multiple responsibilities. The Card manager can be viewed as three entities:
- The Global Platform Environment
- The Issuer Security Domain
- The Cardholder Verification Method Services
Riscue - Card Manager Global Platform defines an on-card entity called the Card Manager capable of peforming more sophisticated loading. Its loading process is also used for GSM Java Card SIMs. The Card manager implements a secure channel protocol that provides cryptographic services like encryption and authenticated to support secure applet loading.
The Card Manager decrypts and verifies signatures. Then, if successful, it either executes the enclosed APDUs itself (if TAR = 000000), or dispatches the APDUs to the applet associated with the TAR.
The Card Manager is responsible for installing and loading applets.
The early Global Platform standards (v2.01) came with a reference implementation for a card manager. Many operators just use this reference implementation.
5.4.1. TAR List
Each applet running on the SIM is identified by a unique ID, known as Toolkit Application Referece (TAR) Value. A OTA message can be send to any of the applets by specifying the TAR value in the SMS message funny quotes. Below is a list of known TAR values (e.g. applets running on the SIM).
00 00 00
Card Manager (can execute APDU's)
00 00 01
Wireless Internet Browser (WIB) (can execute commands)
00 00 01 to AF FF FF
Allocated by card issuer
B0 00 00
UICC shared file system management
B0 00 01
USIM1 file system management (see note 32)
B0 00 02
SIM File system (see note 4)
B0 00 03 to B0 00 FF
USIMx File system (see note 3)
B0 00 03 to B0 FF FF
Other remote file systems
B1 00 00 to B1 FF FF
B2 00 00 to BF FE FF
BF FF 00 to BF FF FF
Proprietary toolkit application
C0 00 00 to FF FF FF
Allocated by card issuer
- Other codes of interest can be found in Tdoc SCP-010239, ETSI Project Smart Card Platform Meeting #7 Marseille, France, 5 - 7 September, 2001, which is "Allocation of new TAR values for Remote File Management". This is a change request for TS 101.220. The full list of relevant TAR's in that document include:
The ETSI TS 101 220 defines a list and ranges of TAR Values.
FIXME: gamma, link here. What are the applets for? what do they do? What does the card manger do?
5.4.2. Keys for OTA
The OTA keys are individual per SIM. 3Des is used. A small number of Operators are still using DES (vulnerable operators). They are different from Ki. Each sim with post-issuance card management capabilities has at least one set of 3 keys (message integrity, message confidentiality and key encryption), but depending on the card settings - they can be used or not.
All SIMs could reject OTA message without Digitial Signature (DS), but this is rarely done as it brings additional pain to gsm providers. Most of the SIMs are correctly secured. Most of the SIMs accept OTA messages that are not encrypted. Encryption is not required as long as authentication is used. Some SIMs accept OTA messages that only have a correct Cryptographic Checksum (CC) and some SIMs only require a correct Redundancy Check (RC) and also require counter increase N+1. Most of the SIMs dont require any security feature and accept OTA messages without no RC, CC or DS, for example - Globul. (by marek, TODO: name the networks!).
Impersonating SIMs that only require RC is easy as no real encryption or authentication is used.
Those SIMs that use authentication _and_ support DES are most vulnerable. The attacker can send a message to the SIM with an invalid Crypto-Checksum (CC). The SIM should answer with a error that contains 0x00 (empty) CC in the return package. Some SIMs appear to put a real CC in the return package. This means that a CC has been created over a known plaintext (the plaintext error message). If DES is forced by the attacker then the attacker now forced the SIM to use the secret DES to generate a CC over known plaintext. This CC can then be used to brute force the secret DES key (requires DES cracker - feasbile).
Most (if not all) Operators are using 3DES in real world. There are weaker ciphers, but they are not used anymore in the field.
- Can we use a weaker cipher of which we can crack the key?
- what's the 'Algorithm known implicitly to both entities'? xor? null cipher?
- What is proprietary Implementations?
Axalto created cryptoflex. Axalto and gemplus merged into gemalto.
5.5.1. Gemalto Access Client Software
The Gemalto Access Client Software is used to manage a JC. The software package comes with various tools to manage applets, change PIN/PUK and update key material on the JC. All these commands are ultimatly translated into APDU commands.
The Software can be ordered at http://www.cryptoshop.com/index.php (23 EUR). GemPlus Development Smart Cards and SIM Cards can be ordered there as well.
Note: I'm not sure if this application can be used to manage applets on a sim card.
5.5.2. Loading Applet onto SIM
Tools for GSM operators to manage SIM cards (local). Documentation speaks of 'proprietary APDU commands and files'. The 2y software license cost 2500 EUR.
Gemalto Development Suite:
This tool costs 2000 EUR and can be used for development, simulation, testing and loading the applet onto a gemalto dev sim card.
TODO: Can this sim card then be used in a real phone? e.g. can i program the gemalto sim card with my Ki?
5.5.3. Host API
The Axalto SDK comes with a rich set of libraries which make it possible to access the JC from the host system. Ultimatly all these API calls are translated into APDU commands. This API seems to be an (exact?) implementation of the open standard PKCS #11.
Example API list:
C_CloseSession C_CloseAllSessions C_CopyObject C_CreateObject C_Decrypt C_DecryptInit C_DestroyObject C_Digest C_DigestFinal C_DigestInit C_DigestUpdate C_Finalize C_FindObjects C_FindObjectsFinal C_FindObjectsInit C_GenerateKeyPair C_GenerateRandom C_GetAttributeValue C_GetFunctionList C_GetInfo C_GetMechanismInfo C_GetMechanismList C_GetSessionInfo C_GetSlotInfo C_GetSlotList C_GetTokenInfo C_Initialize C_InitPIN C_InitToken C_Login C_Logout C_OpenSession C_SetAttributeValue C_SetPIN C_Sign C_SignFinal C_SignInit C_SignUpdate C_UnwrapKey C_WaitForSlotEvent
Interesting API calls:
C_SetPIN => Sets initial user PIN and unblock PIN. C_InitPIN => Sets new user PIN, when logged in as SO. C_InitToken => Reset card to post-personalization state. Sets a random PIN.
Question: Find out APDU of these API calls. Do these APDU command require authentication?
- Assume that Key is 16 hex long Use 'Verify Key' command and set length to 1. Try all 0..255 values. If successful set length to 2 and brute force next byte. Does this work?
- Middleware Guide.pdf, Page146: Check if the live cards use the example RSA key from the reference documentation.
Generate Key Pair(): Can we generate or add a new RSA key to the SIM card and use this RSA key then to sign applets? (Is adding or generating additional RSA keys protected?) (Adding is done by using ./pkcs12.exe c:\MyCert.pfx from the host system. Which APDU's are used?)
6. SIM Tookit Application
6.1. Over The Air (OTA)
An OTA SMS can be several kilobytes in size using the SMS concatenation protocol. The OTA SMS is first received by the ME and then forwarded (depending on the handset - silently or not) to the SIM. The SIM then checks the security of the SMS (if requested) and processes the SMS.
The SMS that most people know are send to the Mobile Equipment (ME) and appear in the inbox of the phone. Another kind of SMS can be send to the SIM directly. Only the Mobile Operator should be able to send an SMS to the SIM (PID 0x7F, Network -> SIM). In practice is it possible on many networks to send a SMS from any mobile phone via the network to the SIM in another mobile phone (SIM -> SIM) without this SMS beeing firewalled by the network.
In networks where such SMS are correctly firewalled a SMS directly to the SIM can be send via direct access to an SMSC. There are many SMSC providers on the internet that offer raw access to the SMSC gateway via which SMS to the SIM can be send, but most of SMSC servers are not configured to forward correct APDU packets
This is also possible by using the sms-application from bladox turbosim. (i.e. client/server application for resolving the current cellid)
6.2. Marek's Blog
Marek, please add your infos here.
6.3. Misc STK OTA SMS
Some examples of STK OTA SMS captured with gammu/Nokia mobile phones. Meaning is not always known. The telephone number of the receiving MS was +447983729787.
000: 09 01 99 01 01 07 91 44 - 97 85 78 89 08 00 8d 44 001: 05 81 23 11 f2 7f f6 80 - 30 01 71 53 62 00 7d 02 002: 70 00 00 78 15 16 01 25 - 25 b0 00 00 9c fc fd ac 003: 17 3b 88 95 68 a3 4f 6e - 7f 23 34 c3 69 af ac 3f 004: 17 71 e9 ea 32 a9 ff 81 - fd 1f eb df f4 35 1a 32 005: fc 49 c5 cd fd 7e c1 84 - 04 59 7b 34 46 1f 6a 0d 006: 26 a4 70 e8 e5 c5 e2 4b - 30 b4 33 f3 3c 23 ee ed 007: 86 14 09 44 f8 7a d1 5f - 4b 23 ef c3 61 58 e5 ee 008: 82 86 72 83 c3 6e fa 6d - 42 7b 72 b2 61 09 4c d3 009: 24 90 f2 1a f0 9b 31 d4 - 2d 57 b5 d9 0: 09 0------- Direction: From originating site 0: 09 -000---- 0 TransactionID 0: 09 ----1001 SMS messages 1: 01 00000001 Type: CP-DATA 2: 99 10011001 Length: 153 3: 01 00000--- reserved 3: 01 -----001 Message Type Indicator(MTI): RP-DATA (network->ms) 4: 01 00000001 Message Reference: 1 5: 07 00000111 SMSC Address Length: 7 6: 91 1------- Extension 6: 91 -001---- International Number 6: 91 ----0001 Numbering plan: ISDN/telephone (E164/E.163) 7: 44 -------- Number(6): 447958879880 13: 00 00000000 Destination Address Length: 0 15: 44 ------00 TP-MTI: SMS-DELIVER (->MS) or SMS-DELIVER-REPORT (->SC) 15: 44 -----1-- More Messages (TP-MMS): No 15: 44 --0----- Status Report Indication (TP-SRI) 15: 44 -1------ User Data Header Indicator (TP-UDHI): Yes 15: 44 0------- Reply Path (TP-RP) 16: 05 00000101 Originating (TP-OA) Address Length: 5 17: 81 1------- Extension 17: 81 -000---- Unknown Number Type 17: 81 ----0001 Numbering plan: ISDN/telephone (E164/E.163) 18: 23 -------- Number(5): 32112 21: 7f 01111111 Protocol Identifier: 0x7F 21: 7f 01111111 SIM Data download 22: f6 1111---- Data Coding/Message Class 22: f6 ----0--- reserved 22: f6 -----1-- Message coding: 8 bit 22: f6 ------10 Message Class: Class 2: SIM specific message 23: 80 -------- SMSC Timestamp: 08-03-10 17:35:26 (TZ 00) 30: 7d 01111101 User Data Length (TP-UDL): 125 symbols 31: 02 00000010 User Data Header Length: 2 octets 32: 70 01110000 SIM Toolkit Security Header HEX cpData:2276 Format Sim Data Download 000: 00 78 15 16 01 25 25 b0 - 00 00 9c fc fd ac 17 3b 001: 88 95 68 a3 4f 6e 7f 23 - 34 c3 69 af ac 3f 17 71 002: e9 ea 32 a9 ff 81 fd 1f - eb df f4 35 1a 32 fc 49 003: c5 cd fd 7e c1 84 04 59 - 7b 34 46 1f 6a 0d 26 a4 004: 70 e8 e5 c5 e2 4b 30 b4 - 33 f3 3c 23 ee ed 86 14 005: 09 44 f8 7a d1 5f 4b 23 - ef c3 61 58 e5 ee 82 86 006: 72 83 c3 6e fa 6d 42 7b - 72 b2 61 09 4c d3 24 90 007: f2 1a f0 9b 31 d4 2d 57 - b5 d9 34: 00 -------- Length of CPL: 0x0078 (120) 36: 15 -------- Command Header Length: 0x15 (21) 37: 16 00010110 SPI : 0x16 37: 16 ------10 Cryptographic Checksum 37: 16 -----1-- Ciphering 37: 16 ---10--- Process if counter is higher 38: 01 00000001 PoR : 0x01 38: 01 ------01 PoR required to be send to sending entity 38: 01 ----00-- No RC/CC/DS applied to PoR 38: 01 ---0---- PoR via SMS-Deliver-Report 39: 25 00100101 KIc: 0x25 39: 25 ------01 DES 39: 25 ----01-- 3DES-outer-CBC 2 different Keys 39: 25 XXX----- Key Number: 02 40: 25 00100101 KId: 0x25 40: 25 ------01 DES 40: 25 ----01-- 3DES-outer-CBC 2 different Keys 40: 25 XXX----- Key Number: 01 41: b0 -------- Toolkit Application Reference (TAR): 0xB0 0x00 0x00 44: 9c -------- Counter (CNTR): 0x9C 0xFC 0xFD 0xAC 0x17 49: 3b 00111011 3B 50: 88 10001000 88 51: 95 10010101 95 52: 68 01101000 68 53: a3 10100011 A3 54: 4f 01001111 4F 55: 6e 01101110 6E 56: 7f 01111111 7F 57: 23 00100011 23
000: 09 01 89 01 01 07 91 44 - 97 85 78 89 18 00 7d 44 001: 05 81 23 11 f2 7f f6 80 - 30 01 71 93 83 00 6d 02 002: 70 00 00 68 15 16 01 25 - 25 b0 00 10 7c dd 91 2b 003: a9 66 89 a1 d8 7d f1 0d - 3a 4b 61 55 b3 4f 77 27 004: 35 8f b7 82 b3 83 4d c1 - c1 6c 18 f0 07 0d e4 7d 005: d3 4e 3d c6 5f 59 cc 78 - 07 88 24 66 44 47 3a 47 006: 04 cf da 21 bb b2 7a 35 - 2c 0d 3c d6 03 bc 1c fa 007: a4 e6 71 50 60 a4 1e 87 - 12 5c 3a e7 63 a0 4a d0 008: df 9d 99 6b 4d e2 75 c7 - 96 9b 56 ed 0: 09 0------- Direction: From originating site 0: 09 -000---- 0 TransactionID 0: 09 ----1001 SMS messages 1: 01 00000001 Type: CP-DATA 2: 89 10001001 Length: 137 3: 01 00000--- reserved 3: 01 -----001 Message Type Indicator(MTI): RP-DATA (network->ms) 4: 01 00000001 Message Reference: 1 5: 07 00000111 SMSC Address Length: 7 6: 91 1------- Extension 6: 91 -001---- International Number 6: 91 ----0001 Numbering plan: ISDN/telephone (E164/E.163) 7: 44 -------- Number(6): 447958879881 13: 00 00000000 Destination Address Length: 0 15: 44 ------00 TP-MTI: SMS-DELIVER (->MS) or SMS-DELIVER-REPORT (->SC) 15: 44 -----1-- More Messages (TP-MMS): No 15: 44 --0----- Status Report Indication (TP-SRI) 15: 44 -1------ User Data Header Indicator (TP-UDHI): Yes 15: 44 0------- Reply Path (TP-RP) 16: 05 00000101 Originating (TP-OA) Address Length: 5 17: 81 1------- Extension 17: 81 -000---- Unknown Number Type 17: 81 ----0001 Numbering plan: ISDN/telephone (E164/E.163) 18: 23 -------- Number(5): 32112 21: 7f 01111111 Protocol Identifier: 0x7F 21: 7f 01111111 SIM Data download 22: f6 1111---- Data Coding/Message Class 22: f6 ----0--- reserved 22: f6 -----1-- Message coding: 8 bit 22: f6 ------10 Message Class: Class 2: SIM specific message 23: 80 -------- SMSC Timestamp: 08-03-10 17:39:38 (TZ 00) 30: 6d 01101101 User Data Length (TP-UDL): 109 symbols 31: 02 00000010 User Data Header Length: 2 octets 32: 70 01110000 SIM Toolkit Security Header HEX cpData:2276 Format Sim Data Download 000: 00 68 15 16 01 25 25 b0 - 00 10 7c dd 91 2b a9 66 001: 89 a1 d8 7d f1 0d 3a 4b - 61 55 b3 4f 77 27 35 8f 002: b7 82 b3 83 4d c1 c1 6c - 18 f0 07 0d e4 7d d3 4e 003: 3d c6 5f 59 cc 78 07 88 - 24 66 44 47 3a 47 04 cf 004: da 21 bb b2 7a 35 2c 0d - 3c d6 03 bc 1c fa a4 e6 005: 71 50 60 a4 1e 87 12 5c - 3a e7 63 a0 4a d0 df 9d 006: 99 6b 4d e2 75 c7 96 9b - 56 ed 34: 00 -------- Length of CPL: 0x0068 (104) 36: 15 -------- Command Header Length: 0x15 (21) 37: 16 00010110 SPI : 0x16 37: 16 ------10 Cryptographic Checksum 37: 16 -----1-- Ciphering 37: 16 ---10--- Process if counter is higher 38: 01 00000001 PoR : 0x01 38: 01 ------01 PoR required to be send to sending entity 38: 01 ----00-- No RC/CC/DS applied to PoR 38: 01 ---0---- PoR via SMS-Deliver-Report 39: 25 00100101 KIc: 0x25 39: 25 ------01 DES 39: 25 ----01-- 3DES-outer-CBC 2 different Keys 39: 25 XXX----- Key Number: 02 40: 25 00100101 KId: 0x25 40: 25 ------01 DES 40: 25 ----01-- 3DES-outer-CBC 2 different Keys 40: 25 XXX----- Key Number: 01 41: b0 -------- Toolkit Application Reference (TAR): 0xB0 0x00 0x10 44: 7c -------- Counter (CNTR): 0x7C 0xDD 0x91 0x2B 0xA9 49: 66 01100110 66 50: 89 10001001 89 51: a1 10100001 A1 52: d8 11011000 D8 53: 7d 01111101 7D 54: f1 11110001 F1 55: 0d 00001101 0D 56: 3a 00111010 3A 57: 4b 01001011 4B
- Question: What is TAR 0xb0 00 10
7. How do they do it
7.1. Remotely installing software on your SIM
The Mobile Operator is using the Over The Air (OTA) mechanism to send binary java applets via sms (several kilo bytes) to the SIM. These applets are installed secretly without the user knowing, but this depends on the handset.
The java applets has access to GSM functionality and the Mobile Phone itself. The details of the interface are defined in GSM 11.11 and 11.14.
7.2. Intercepting your voice calls
It is possible to install a java applet remotely on the sim card that intercepts all voice calls. This enabled an attacker to listen to any voice call the user makes or receives without ever having to touch the target phone. ANON: not really.
This is done via OTA and a binary installation of a java applet. The applet has a powerful interface to the Mobile Equipment and GSM modem. ANON: not really.
- SMS-PP Data Download (GSM 11.14 7.1): MS can install binary on SIM remotely. user is not notified.
- Call Control (GSM 11.14 4.5): Any outgoing call request is first passed to sim. Sim can modify this call request. This can be used to listen to mobile subscribers: Any time a call is made initiate a conference call to original number and your own mobile.
- Security Mechanisms (GSM 03.48): Security Mechanisms for the SIM applicaton toolkit
The same technique can be used to track your location, sniff your sms and call log files.
7.3. Genion Home Zone Update
Gamma, explain here.
Gamma, example gsm-decoded packet dump here
7.4. esizkur's Credit Update
esizkur, you said you are receiving OTA messages from your operator telling you how much credit is left on your account. Can you explain here what operator? Can you upload a trace/dump of the information? (e.g. using a nokia 3310 trace mobile, a seasoner or a bladox card).
emx: Prepaid credit update messages are often sent using USSD (http://en.wikipedia.org/wiki/USSD) - not a SIM OTA message.
VLP: Czech provider Eurotel (now part of O2 group) used this for his prepaid cards. I used to have a log of such message as it was sent to the SIM card. It contained some APDU commands for the SIM. Now they offer USSD to query credit value.
7.5. Riscures GSM hack
In The Paris Press Release Riscure demonstrates how a SIM can be controlled remotely. They loaded the Ki from a real SIM onto a programmable SIM. They then installed the backdoor manually onto the SIM and controlled it remotely via SMS.
- Where to buy a programmable SIM that supports the A5/1 etc algorithm? Or can we program this all in software/applet?
(by Laforge): A5/1 is the algorithm used on-air. It is implemented inside the digital baseband chipset of your phone, not the SIM card. A3/A8 is implemented in the card.
7.6. Mobile Locate
There are several companies in the Uk that offer to locate a mobile phone. This service is aimed at parents to track their children or empoyers to track their employees.
I tested http://www.mobilelocate.co.uk. After receiving my login and password by post I was able to add any phone number to my account. The target phone received a SMS with a 5 digit password (brute force attack?). The target had to reply via SMS with this code to enable tracking of his mobile phone.
I was able to track the target phone with 500-5000m precision. Whenever I clicked 'locate phone' on the web interface the following happened:
- The BTS requested a dedicated channel (Paging Request, Auth Request (RAND), Auth Response (SRES), Channel Assignment)
- BTS instantly issued a 'Channel Release'.
No SMS was send to the MS. This means the company has a peering agreement with all Mobile Operators and access to the Mobile Operator's private Location Information of _any_ customer.
Question: Are 5 digits pins secure enough? Can it be brute forced?
Question: Privacy problem if such a company has full access to anyones location information. Last time I signed a Mobile Operator contract it did not say that they are giving out my Location Information to other commercial driven companies.
8.1. Bladox APDU logger
Motivation: Learn more about what messages and applications the Mobile Operator sends to the phone. Are they all protected? Which one can be forged? Which one are propriatary?
Using a Bladox Turbo Sim. Write a bladox app that logs all APDU commands send from the ME to the SIM. Goal is to find out what kind of messages and application the operator sends to the phone.
If there is not enough storage on the bladox card itself then a symbian app could poll the data every 60 seconds from the bladox card and store it on a mmc.
(VLP: If I understand well, you want to monitor communication between the ME(phone) and SIM card. I used to have such device, but I haven't used it for a long time. If I remerber well, it was simple serial logger to RS232 + simple sw for PC)
8.2. How is an applet authenticated
Gamma, can you explain here? what standard? What format? What keys?
From Gemplus: The Java Card applets do not directly receive the incoming messages. These are first processed by the Java Card Runtime Environment (JCRE), which calls upon a method of the applet to process the APDU commands.
The Java Card Virtual Machine (JCVM) controls access to all smart card resources, such as memory and I/O and allows applications to be securely loaded to the card post-issuance.
See Card Manager description below of how a OTA sms is authenticated.
8.3. Using the mobile as listening Device
There is this rumor that the police can turn on a mobile and use it as a listening device even if the mobile is switched off. Can we verify this? Could use USRP to sniff if the MS actually sends data even if the phone is switched off.
No doubt this can be done when the phone is switched on and idle: Just upload a java applet that initiates a silent call.
- In the news: Several Australian newspapers reported (search yourself) how a customised firmware was uploaded using standard GSM proto. onto the handset of a Organised Crime suspect. The modifications allowed the SoC, including RF / onboard storage, etc. to be operated independently from the handset's User Interface, i.e. "Off" when "On". The built-in microphone was used as an interrupt trigger to wake the CPU (Arm, I'm guessing) and record the conversation to Flash, without appearing to be operational, and without making a peep on the GSM band.
The audio data was able to be downloaded during normal phone operational times, and the use of compression (possibly high-qual. ADPCM since realtime bandwidth was not a problem + ADPCM is CPU cheap.) allowed vast amounts of intelligence to be collected.
The interviewed police rep. commented that the "hack" was particular to the make and model of the handset, but could potentially be implemented in any modern mobile handset. The particular handset was unidentified, but it's storage capacity was "helpful" in designing the attack. It was noted that legally this mostly fell under "surveillance" rather than wiretapping/interception, since the recording was done on the target handset itself as a "surveillance device", i.e. out-of-band in terms of telecommunications.
In this case, the telecommunications network was used as the Vector for transmission of the surveillance malware, and as an out-of-band communication backend for transfer of audio recorded / tagged. Using this model, You can imagine that many recordings could be pre-filtered or prioritised based upon GPS location / time of day / vocal stress-levels / phone-camera pattern recognition / etc. Basically any advanced functionality that any modern SoC DSP can make available.
Apparently it is customary to remove batteries in Org. Crime anyhow, but this guy was cocky. With new phones w/ low-power SoC + SuperCaps, this is likely a mistake also.
While not exactly the same thing, Endoacoustica's site provides some information on a specifically configured spy phone that can monitor even when powered off (already done with off-the-shelf handsets - see above) - http://www.endoacustica.com/details_gsm-interceptor_en.htm - Probably this symbian application just fakes the shutdown and phone is not really off.
8.4. Extracting applets
- Can we dump all existing applets from the card? Let's find out what's installed on a SIM by default and what it's used for.
- Can we dump the Card Manager applet from the SIM and convert it back to java code and do a code audit on it?
8.5. OTA SMS
From Global Platform Specs 2.0.1: Selecting the application (SELECT command) never requires the use of a Secure Channel.
Retrieving basic card and/or issue information (GET DATA) never requires the use of a Secure Channel.
Can we send an OTA SMS that does a GET DATA request and receive the answer via reply-SMS?
9. Dev Tools
The easiest way to send APDU commands to the sim is with a sim card reader. It's also possible to use the AT-command interface on a mobile phone to access the sim. This is done via the AT+CSIM command. This command is not available on most phones (but it's available on the iPhone!).
AT+CSIM=14,"A0A40000023F00" (select master file) AT+CSIM=14,"A0A40000027F10" (select DF Telecom) AT+CSIM=42,"F0E000001000246F110C030A02001B1B1B1B1B1B1B" (create an EF with ID 6F11) AT+CSIM=26,"A02000010831323334FFFFFFFF" (enter pincode 1234)
Same as CSIM but supposedly easier, there is the AT+CRSM command.
Restricted SIM access +CRSM= command [,fileid [,P1 ,P2 ,P3 [,data]]] command: 176: read binary 178: read record 192: get response 214: update binary 220: update record 242: status
9.3. Bladox Turbo Sim
http://www.bladox.com A add-on chip to an existing sim card. Enables anyone to write SIM toolkit apps and load them onto the TurboSim. This means we can do sim toolkit app testing in the phone without knowing the operator's key for uploading java applets to a real sim card.
- Free compiler toolchain available. Not java but C compiled.
- The card is programmed and accessed via AT commands
Javacard / SIM Toolkit
Free Eval version is available from http://www.gemplus.com/products/gemxplore_developer/. Also forum and examples are available (NEW!). The eval version is emulator only and does not work directly on the sim.
TODO: Need Full version (anyone?)
Gemplus released really good STK (Sim Tool Kit) examples.
9.5. On-Card Debugger
Some Tips by gemalto how to output debug information back to the host PC from a live SIM.
9.6. Smart Card Tool Set
For windows. Smart Card software to explore file system and send APDUs. Free trial version (can send up to 10 APDUs at once). Full version cost 60 EUR.
10. Sending binary SMS
10.1. Using your Modem & EasyOTA
FIXME: Will be explained later.
10.2. Using providers
Some SMS gateways (clickatell.com) support sending binary sms. It's possible to cut & paste the raw binary SMS including all headers through the web interface.
- List of the software and tools we used for our research.
- Why did we fail to install a binary java applet via SIM card reader? Does this already require a key?
- Can we set the CNTR to 0xfff..fff (max value) so that the SIM can no longer receive OTA messages?
- When a sim connects to a server for gprs connection it authorizes it( phone no. balance details, imei no.,......).... if i can configure my sim to some other number(gprs activated no.) can i get connected???
12.1. Random Quotes
12.1.1. Security Interface proriatory
GSM 03.48: Under normal circumstances the Receiving Entity receives the Command Packet and unpacks it according to the security parameters indicated in the Command Header. The Receiving Entity subsequently forwards the Application Message to the Receiving Application indicating to the Receiving Application the security that was applied. The interface between the Sending Application and Sending Entity and the interface between the Receiving Entity and Receiving Application are proprietary and therefore outside the scope of the present document.
- Proprietary means not implemented?
- This means the receiving application on the SIM might not know if the applet was signed or not.
12.1.2. Security requires further studies
GSM 03.48: A.2.2 Mutual authentication - This topic is for further study.
easyota-1.2.4.rar - Create fully SMS-PP Download compliant SMS.
PDUSpy - Create custom SMS / PDU's.
HushSMS for sending all kind of different SMS binaries.
http://www.3gpp.org/ftp/Specs/archive/ - GSM / 3GPP Specifications
http://www.riscure.com/ - Professional Smart Card Pen Testing
Forensics and Sim Cards: an Overview - (pdf, Fall 2006 -- utica.edu)
12.4. Useful Standards
ISO 7816: "Identitification Cards - Integrated Circuits Card with Contacts" http://www.cardwerk.com/smartcards/smartcard_standard_ISO7816.aspx
- GSM 11.14: Specification of the SIM Application Toolkit for the Subscriber Identity Module - Mobile Equipment (SIM - ME) interface
- GSM 03.40: Technical realization of the Short Message Service (SMS) Point-to-Point (PP)
- GSM 03.19: GSM API for SIM toolkit stage 2
- GSM 02.48: Security Mechanisms for the SIM application toolkit; Stage 1
- GSM 03.48: Security Mechanisms for the SIM application toolkit; Stage 2
3GPP TS 23.048: Security mechanisms for the (U)SIM application toolkit
- ETSI TS 103 225: Secured packet structure for UICC based applications
- ETSI TS 102 226: Remote APDU Structure for UICC based applications
- ETSI TS 101 180: Security mechanisms for the SIM Application Toolkit
3GPP TS 43.019: Subscriber Identity Module Application Programming Interface (SIM API) for Java Card Stage 2
3GPP TS 31.130: (U)SIM Application Programming Interface; (U)SIM API for Java Card
3GPP TS 31.102: Characteristics of the Universal Subscriber Identity Module (USIM) application
3GPP TS 31.115: Secured packet structure for (U)SIM Toolkit applications
3GPP TS 31.116: Remote APDU Structure for USIM Toolkit applications
3GPP TS 31.111: USIM Application Toolkit (USAT)
12.6. Open Platform
Link: http://www.globalplatform.org Specifies standards for smart cards in general. The Java Card and the SIM card is one (out of many) implementation of the Global Platform Specification for Smart Cards.
- Docs of how to upgrade public CA key on SIM card (PUT KEY)
- APDU extensions.
- detailed APDU encoding (bit level)