[Community] SIM (in)security

kardan kardan at riseup.net
Mon Feb 24 03:13:41 CET 2014


I just listened to CRE 179[1] (Chaosradio Express) and
learned some new things regarding insecurity of phones. After I got
through, I decided to hear it again to at least get the basic facts.
As this podcast is in German, I added a transcript below.

I don't know why I missed it so far in previous discussions, but
somehow it did not stick to my mind enough.

The bottom line is: Besides the application processor (which gta claims
to control) and the baseband processor (which gta does not intend to
control) we also have the SIM card as a fully capable processor to run
It does what it wants or what it is remotely told to do. Basically
anybody with proper equipment could drive by and distribute and install
fancy SIM applications without users being asked or noticed.

Ok, this has been known for years, but what is the plan? Where can we
get SIM cards that we are able to control?

The interesting part of the discussion is at 1:43:00: phone
manufacturers could offer real security by replacing/disabling SIM
features to limit SIM capabilities to just storing a secret key.
It looks like it is not possible to control existing SIM cards from
the application / baseband processor, but we could develop dumb cards
or at least SIM cards with stripped-down feature sets.

I searched the openmoko wiki, which had nothing on this topic[2], only
two pages on the modem. Please share your knowledge!


[1] http://cre.fm/cre179-gsm-security
[2] http://wiki.openmoko.org/wiki/Special:Search?search=SIM&go=Go

< http://wiki.openmoko.org/wiki/Open_GSM_modem
GSM works so well because the towers are carefully planned. They are
designed so they don't interfere with each other. If nobody does
anything bad, this all 'just works'.
< http://wiki.openmoko.org/wiki/Osmocom_on_TI_Calypso
The Free Software / Open Source Osmocom firmware has been ported/made
for the TI Calypso GSM/GPRS modem. The TI Calypso, is among others,
used in Neo 1973 and Neo FreeRunner.
However, if someone wrote a 'free local data' transmitter, which simply
used the modem to send direct to another modem, it would jam a GSM
channel. If you are not much further away from the tower than people
making phone-calls, then your signal strength will be strong enough to
knock 8-16 phone users off the channel.

< 4/2011 CRE179 GSM security - Karsten Nohl cre.fm/cre179-gsm-security
5:30 rainbow tables available since 2009
8:00 crypto relevant parts: 1) phone 2) base station 3) HLA/VLA
9:30 KI: one secret key per standard and phone
ideally for every call the KI is used to create a session key
10:00 session key transmitted to base station after basic authentication
12:00 A51 uses session key (second worst) - intended to be weak
12:30 A52 exportable "encryption" key (worst) incompatible w/ new phones
13:30 if phone and station have no algo in common, no encryption is used
15:00 current base stations don't support A53/4
15:30 A53 needs new hardware
16:00 gsm vendors: Nokia, Siemens, Ericsson, Huawei, Alcatel
16:30 upgrade costs per station: >X0.000.000 €
17:00 grass root gsm exist, but they lack frequencies
17:30 company openBTS aims to upgrade and open source gsm infrastructure
18:30 operators usually have millions of customers
19:00 previous editions on GSM
* 4/2009 CRE120 openBSC - Harald Welte - http://cre.fm/cre120-openbsc
* 2/2009 CRE110 IP based mobile communication -
* 5/2008 CRE87 Harald Welte http://cre.fm/cre087-software-defined-radio
* 12/2007 CRE56 GSM hacking - http://cre.fm/cre056-gsm-hacking
* CRE40 GSM history - http://cre.fm/cre040-digitale-telefonnetze
19:30 base station software quite unstable as Harald Welte found out
during research on open source phones
21:00 much critical infrastructure depends on availability of gsm
21:30 fleet management, smart grid, railroad (Deutsche Bahn)
22:00 UMTS (more secure) far less available than GSM
22:30 high risk
23:30 every base station is breakable with one phone
24:00 DEEPSEC: protocol enables phones to reserve all frequencies
25:00 base stations need multiple minutes to reboot
25:30 and are still prone to the same attack
26:00 locating this phone is quite hard
26:30 no one really tried to exploit that yet
27:30 microsoft faced calls as critical system used globally
29:00 no similar available net as GSM and it cannot be turned off
29:30 thoughts on risks in analogy to nuclear power "mobile tsunami"
31:30 internet shows risks by bored teens (DDOS attacks)
33:00 talks on security risks are only internally held by few players
35:30 security aware operators are dependent on hardware infrastructure
36:00 continuous pressure is needed to organize a shift
37:00 even GSMAA (lobby of 620 operators) is unable to enforce security
37:30 security is usually only understood as "who can install bad apps"
38:00 network operators see themselves as ISP and not responsible
http://en.wikipedia.org/wiki/List_of_mobile_network_operators - Germany:
* http://en.wikipedia.org/wiki/Vodafone
* http://en.wikipedia.org/wiki/T-Mobile
* http://en.wikipedia.org/wiki/Telef%C3%B3nica
* The largest multi-country MVNO, Lycamobile, operates in 17 countries
39:00 war driving is possible for "everybody" today
39:30 also UMTS phones switch back to GSM without notice
40:30 UMTS is not scalable for whole countries as cells are smaller
42:00 lawful interception and private surveillance
48:00 providers are not able to upgrade the hardware
49:00 further investigations in security risks would raise the need
50:00 it's a political question to ask "who owns and runs the net"
50:30 unprotected critical hardware needs to grow towards security
51:30 GSM was never built as backbone for industry automation
53:00 need for public knowledge about risks of unencrypted GSM streams
54:30 SMS is falsely appreciated as private and used for contracts
55:00 SMS catching and decryption is only locally possible
59:30 on call start every phone sends known protocols (handshake)
1:00: low hanging fruits not applied as new developments go into LTE
1:01: 1) use of random numbers for fill bits
1:03: 2) use of session keys
1:04: only when the key is known, the frequency is exchanged
1:05: possible attackers need millions to catch all frequencies
1:06: phones change their identity daily, IMEI is encrypted
1:08:00 changing only one bit per call would bring a lot
of security
1:08:30 Tobias Engel: tracking of phones via the internet (2004)
1:10:00 3) to address SMS the phone location is leaked
1:11:30 4) HLA
1:12:00 identity fraud based on insecure A51
The ESN or MEID is typically transmitted to the cellular company's
Mobile Telephone Switching Office (MTSO) in order to authenticate a
device onto the mobile network. Modifying these, as well as the phone's
Preferred Roaming List (PRL) and the mobile identification number, or
MIN, can pave the way for fraudulent calls, as the target telephone is
now a clone of the telephone from which the original ESN and MIN data
were obtained.
< http://en.wikipedia.org/wiki/SIM_card#SIM_and_carriers
In July 2013, it was revealed that Karsten Nohl, a cryptographer and
security researcher from SR Labs,[16][17] had discovered
vulnerabilities in some SIM cards that enabled them to be hacked to
provide root access.[18] The cards affected use the Data Encryption
Standard (DES) which, despite its age, is still used by some
operators.[18] Cards using the more recent Advanced Encryption Standard
(AES) or Triple DES standards are not affected.[18] Among other risks,
the hack could lead to the phone being remotely cloned or allow payment
credentials from the SIM to be stolen.[18] Further details of the
research are being given at BlackHat on July 31.[18][19]
In response, the International Telecommunication Union said that the
development was "hugely significant" and that it would be contacting
its members.[20]
[16] Hacker sollen Kreditkarten freirubbeln
[17] Encryption Bug in SIM Card Can be Used to Hack Millions of Phones,
published 2013-07-21
[18] Rooting SIM cards, SR Labs, accessed 2013-07-22
[19] BlackHat http://www.blackhat.com/us-13/briefings.html#Nohl
[20] UPDATE 1-UN warns on mobile cybersecurity bugs in bid to prevent
attacks, Reuters, 2013-07-21
1:13:00 attacker talks to phone and base station at the same time
1:13:30 IMSI catcher only talk to the phone and break A51
1:16:00 after the key is broken, it communicates with the station
1:16:30 in africa mobile communication was always treated as insecure
1:17:30 SIM card based banks that install special applications
1:18:30 every SIM card enables to remotely install software silently
1:19:00 SIM card applications: route planner, paypal, etc.
1:19:30 installation over the air (OTA)
1:21:00 all nets install their apps from baseband and application
processors and can access the phone book
1:22:30 GUI interface is mandatory for phones
Updating Android Software is done over the GSM where the SIM Toolkit
may install automatically with new software regardless of automatic
install applications. Applications and menus stored on the SIM can be
difficult after the customer takes delivery of the SIM and sometimes
may be recognized as Surveillance Software. To deliver updates, either
the SIM must be returned and exchanged for a new one (which can be
costly and inconvenient) or the application updates must be delivered
over-the-air (OTA) using specialized, optional SIM features. Mobile
Network Operators can now (as of October 2010), for example, deliver
updated STK application menus by sending a secure SMS to handsets that
include a SIMalliance Toolbox (S@T) compliant wireless internet browser
1:24:00 sim cards can start phone calls or send SMS without knowledge
1:25:00 + it is remotely administerable
1:25:30 is your network operator trusted enough? 1) to not be evil
1:26:00 2) to be secure that nobody else can exploit it
1:26:30 1:27:00 applications are written in java smart card edition
1:29:00 examples on evil operators in Dubai
1:30:00 using GSM is generally insecure
1:30:30 virtual exploit to install software as "Telekom"
1:31:00 no authentication for calls, but for installation - how strong?
1:31:30 many SIM OS stacks without auditing - time bomb
1:34:00 GSM puts every user in danger even without using it for calling
1:36:00 call to read intel 8051 code to re-engineer SIM cards
1:40:00 Apple cannot protect you from spyware, only network operators
1:41:00 there could be a market for operators offering monitoring
1:42:00 future SIM card features could be replaced by OS software
1:43:00 phone manufacturers could offer real security by replacing SIM
1:44:30 baseband processors are not designed to be extensible
1:47:00 activating auto-answer mode + number filter turns phone into a bug
1:51:30 what can we do?
1:52:00 the same what helped for computers.
1:52:30 computer users became aware of the issue and threw MS away
1:53:00 but for GSM many are not aware yet or see no solution
1:54:00 osmocomBB created by Harald Welte (see link above)
1:55:00 only two baseband vendors: Qualcomm + TI
1:55:30 accidentally the source for an older TI model got leaked
1:56:30 since 2009 we are able to see and control all GSM traffic
1:57:30 by GSM testing it is quite easy to crash base stations
1:59:00 testing of new models works this way to get GSM certificate
2:00:00 analogy: in the past apple denied bug fixing based on bugs in
their other applications (here Quark..)
2:00:30 testing and applying above proposed five fixes is done slowly
2:01:00 the GSM standard has security problems in itself
2:03:00 GSM was never designed to be so successful
2:06:00 dependency on GSM despite low security is similar to nuclear power
2:06:30 until 25% of the users/business contractors change their mind ..
2:07:00 many (German) customers have the wish, also whole countries
2:08:00 re-engineering old base stations is another way
2:08:30 make it so!