SIM Card Research
Tools
Smart Card Reader
SIM Card Reader
Osmocom SIMtrace 2 (software)
Osmocom PySim-Shell
SIMtrace Hardware Kit
Tactics
SIM research is broken down into three areas: enumerating the applets hosted on the SIM card, analyzing their behavior, and injecting a malicious applet.
Application Enumeration
There are two types of programs that run on a SIM card. First level applications are the card's OS-level components: the USIM/ISIM network access applications, the legacy GSM application, and Remote File Management (RFM). Second level applications are referred to as "applets" and include things such as micro internet browsers.
First level applications can be enumerated by the presence of an ADF (Application Dedicated File). The ADFs present on the card are listed in EF.DIR (file ID 2F00, directly under the MF), one record per application, each record holding that application's AID. These are generally either only USIM, or USIM and ISIM together.
Second level applications can be enumerated by the SMS messages addressed to them via their TAR (Toolkit Application Reference) values. A TAR is only 3 bytes (24 bits), so the whole space could be scanned, but I haven't seen a tool that does this... yet.
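The EF.DIR decoding described above, as an added example (not code from the page or from pySim): it splits a linear-fixed EF.DIR image into records, parses the '61' application template with its '4F' AID and '50' label, and recognises the application by the RID/PIX prefix of the AID. The EF.DIR image is constructed inline rather than read from a card, and the record length 0x21 is an assumption for that sample.

```python
"""Decode EF.DIR (2F00) records to enumerate the first-level applications.

Added example, not code from the page or from pySim. The record layout
follows ETSI TS 102 221 (tag 61 application template, 4F AID, 50 label);
the EF.DIR image below is constructed, not read from a real card.
"""

# RID + PIX prefixes as assigned in ETSI TS 101 220 / 3GPP TS 31.110.
KNOWN_AIDS = {
    "A0000000871002": "USIM",
    "A0000000871004": "ISIM",
    "A0000003431002": "CSIM",
}


def parse_tlvs(data: bytes):
    """Yield (tag, value) pairs from one-byte-tag, one-byte-length TLVs."""
    i = 0
    while i < len(data):
        tag = data[i]
        if tag == 0xFF:          # padding: the rest of the record is unused
            return
        length = data[i + 1]
        yield tag, data[i + 2:i + 2 + length]
        i += 2 + length


def parse_ef_dir(image: bytes, record_len: int):
    """Return one dict per populated record: AID, label and recognised app type."""
    apps = []
    for off in range(0, len(image), record_len):
        rec = image[off:off + record_len]
        if rec[0] != 0x61:        # empty (all FF) or malformed record
            continue
        template = dict(parse_tlvs(rec[2:2 + rec[1]]))
        aid = template.get(0x4F, b"").hex().upper()
        label = template.get(0x50, b"").decode("ascii", errors="replace")
        app_type = next((name for prefix, name in KNOWN_AIDS.items()
                         if aid.startswith(prefix)), "unknown")
        apps.append({"aid": aid, "label": label, "type": app_type})
    return apps


def make_record(aid_hex: str, label: str, record_len: int) -> bytes:
    """Build one EF.DIR record (used only to construct the sample image)."""
    aid = bytes.fromhex(aid_hex)
    template = (b"\x4F" + bytes([len(aid)]) + aid
                + b"\x50" + bytes([len(label)]) + label.encode("ascii"))
    rec = b"\x61" + bytes([len(template)]) + template
    return rec.ljust(record_len, b"\xFF")


# Constructed EF.DIR image: USIM, ISIM, then one empty record (0x21-byte records).
RECORD_LEN = 0x21
SAMPLE_EF_DIR = (
    make_record("A0000000871002FFFFFFFF8907090000", "USIM", RECORD_LEN)
    + make_record("A0000000871004FFFFFFFF8907090000", "ISIM", RECORD_LEN)
    + b"\xFF" * RECORD_LEN
)


def enumerate_first_level(image: bytes = SAMPLE_EF_DIR, record_len: int = RECORD_LEN):
    """Application types found in the image, in record order."""
    return [app["type"] for app in parse_ef_dir(image, record_len)]


if __name__ == "__main__":
    for app in parse_ef_dir(SAMPLE_EF_DIR, RECORD_LEN):
        print(app)
```

On a real card the image comes from reading each record of 2F00 (for example with pySim-shell's read_records on EF.DIR); the record length is the one reported in the file's FCP, not a fixed value.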
I don't believe second level applications have endpoints that reside on the SIM card filesystem.
Applet Behavior Analysis
SIM card attack vectors include:
Locally using the phone hardware to interact with the applets
Remotely via SMS
Adjacent via NFC
Local Interaction
A demonstration of interactive applet behavior captured using SIMtrace.
The GSM Technical Specification referenced in this video can be found at https://www.etsi.org/deliver/etsi_gts/11/1111/05.03.00_60/gsmts_1111v050300p.pdf
SMS communication
SMS messages have four message classes, signalled in the TP-DCS (data coding scheme):
Class 0 is displayed on the mobile screen immediately without being saved. Known as a "Flash SMS", this class is often used for emergency notifications such as floods and Amber alerts.
Class 1 messages are ME-specific: stored in device memory, or on the SIM card when the phone's memory is full. I feel I need to look into these a bit more.
Class 2 messages are (U)SIM-specific: they carry SIM card data and must be transferred to the SIM card before an acknowledgement is sent. OTA command packets are delivered this way (class 2 together with TP-PID 0x7F, "(U)SIM data download").
Class 3 messages are TE-specific: the phone forwards them to an external terminal equipment (for example a computer attached to the phone). Ordinary text messages usually carry no class at all (DCS 0x00) rather than class 3.
Class 1 and 2 messages can be sent to and from the SIM card without the user's knowledge (need to confirm).
Each applet has one or more TAR (Toolkit Application Reference) values, which can be found in the command packet header carried in the SMS user data (TP-UD, after the user data header). Additionally, the SPI (Security Parameter Indicator) is important: it specifies whether the command packet is ciphered, whether it carries a redundancy check (RC), cryptographic checksum (CC) or digital signature (DS), and whether and how a Proof of Receipt (PoR) is returned. The KIc and KID bytes that follow the SPI name the algorithm (none, DES, 3DES or AES) and key index used for ciphering and integrity. Encryption could also be implemented inside the applet itself rather than by the (U)SIM application's OTA layer.
If an applet requires signed communications, it may still be worth messaging it: it may reply with an error message (the PoR), and that error message may be signed with the key you need to crack. Both DES and 3DES keys (1-, 2- or 3-key) can be cracked if the applet is vulnerable to a downgrade attack.
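The command packet layout and SPI/KIc/KID bit fields described above, as an added example that is not code from the page, from Osmocom or from any SIM tester: it builds a packet for a given TAR, wraps it for TP-UD, and decodes a captured packet so you can read off what integrity and PoR protection the card expects and whether a returned PoR would be key-cracking material. It also covers the TAR-scanning idea from the enumeration section and the project list by generating the unprotected probe packets a scanner would send. The TAR 0xB00010, the "captured" packet and its 8 CC bytes are constructed for illustration; the field layout and bit meanings follow ETSI TS 102 225.

```python
"""Build and decode SMS-PP OTA command packets (ETSI TS 102 225 section 5.1).

Added example, not code from the page, from Osmocom or from a SIM tester.
Layout: CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1) RC/CC/DS data.
The TAR value 0xB00010 and the captured packet below are constructed.
"""

SPI1_INTEGRITY = {0b00: "none", 0b01: "RC", 0b10: "CC", 0b11: "DS"}
SPI1_COUNTER = {0b00: "no counter", 0b01: "counter, no check",
                0b10: "counter must increase", 0b11: "counter must be last+1"}
SPI2_POR = {0b00: "no PoR", 0b01: "PoR always", 0b10: "PoR on error", 0b11: "reserved"}
ALGO = {0b00: "implicit", 0b01: "DES", 0b10: "AES", 0b11: "proprietary"}
KIC_DES_MODE = {0b00: "DES CBC", 0b01: "3DES 2-key", 0b10: "3DES 3-key", 0b11: "DES ECB"}
KID_DES_MODE = {0b00: "DES CBC", 0b01: "3DES 2-key", 0b10: "3DES 3-key", 0b11: "reserved"}


def decode_key_byte(value: int, des_modes: dict) -> dict:
    """KIc/KID: b1-b2 algorithm, b3-b4 DES mode, b5-b8 key index."""
    algo = ALGO[value & 0b11]
    mode = des_modes[(value >> 2) & 0b11] if algo == "DES" else None
    return {"algo": algo, "mode": mode, "key_index": value >> 4}


def build_command_packet(tar: int, data: bytes, spi=(0x00, 0x02), kic=0x00, kid=0x00,
                         counter=0, rc_cc_ds=b"") -> bytes:
    """Assemble a command packet. The default SPI (00 02) is the probe a TAR
    scanner would send: no integrity, no ciphering, no counter, PoR on error."""
    if not 0 <= tar <= 0xFFFFFF:
        raise ValueError("TAR is a 3-byte (24-bit) field")
    header = (bytes(spi) + bytes([kic, kid]) + tar.to_bytes(3, "big")
              + counter.to_bytes(5, "big") + b"\x00" + rc_cc_ds)
    body = bytes([len(header)]) + header + data       # CHL counts SPI..RC/CC/DS
    return len(body).to_bytes(2, "big") + body         # CPL counts everything after it


def wrap_for_tp_ud(packet: bytes) -> bytes:
    """Prefix the UDH (IEI 0x70 = command packet) so the packet fits in TP-UD.
    The carrying SMS must use TP-PID 0x7F and a class 2 TP-DCS."""
    return b"\x02\x70\x00" + packet


def probe_packets(first_tar: int, count: int, data: bytes = b""):
    """Unprotected probes for a contiguous TAR range, one packet per TAR."""
    return [build_command_packet(tar, data) for tar in range(first_tar, first_tar + count)]


def parse_command_packet(pkt: bytes) -> dict:
    cpl = int.from_bytes(pkt[:2], "big")
    if cpl != len(pkt) - 2:
        raise ValueError("CPL does not match packet length")
    chl = pkt[2]
    spi1, spi2, kic, kid = pkt[3:7]
    return {
        "integrity": SPI1_INTEGRITY[spi1 & 0b11],
        "ciphered": bool(spi1 & 0b100),
        "counter_mode": SPI1_COUNTER[(spi1 >> 3) & 0b11],
        "por": SPI2_POR[spi2 & 0b11],
        "por_integrity": SPI1_INTEGRITY[(spi2 >> 2) & 0b11],
        "por_ciphered": bool(spi2 & 0x10),
        "por_via_submit": bool(spi2 & 0x20),
        "kic": decode_key_byte(kic, KIC_DES_MODE),
        "kid": decode_key_byte(kid, KID_DES_MODE),
        "tar": pkt[7:10].hex().upper(),
        "counter": int.from_bytes(pkt[10:15], "big"),
        "padding_count": pkt[15],
        "rc_cc_ds": pkt[16:3 + chl].hex().upper(),
        "data": pkt[3 + chl:],
    }


def cracking_material(parsed: dict) -> bool:
    """True when the card will answer with a PoR protected by a DES-family key:
    a captured PoR is then known-plaintext material for recovering that key."""
    return (parsed["por"] != "no PoR"
            and parsed["por_integrity"] in ("CC", "DS")
            and parsed["kid"]["algo"] == "DES")


# Constructed "captured" packet: CC required, counter must increase, PoR always,
# PoR protected by a CC under 3DES 2-key key #1; the 8 CC bytes are placeholders.
CAPTURED = build_command_packet(
    tar=0xB00010, data=bytes.fromhex("A0A40000023F00"),   # example payload: SELECT 3F00
    spi=(0x12, 0x09), kic=0x15, kid=0x15, counter=7,
    rc_cc_ds=bytes.fromhex("0011223344556677"))

if __name__ == "__main__":
    info = parse_command_packet(CAPTURED)
    print(info["tar"], info["integrity"], info["por"], info["kid"], cracking_material(info))
```

The probe default deliberately asks for a PoR only on error with no PoR protection; a card that nevertheless returns a signed PoR is exactly the behaviour the downgrade attack above relies on, and the KID byte in the captured packet tells you which key family you would be cracking.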
The following video has more details about attacking the SMS keys.
This blog post demonstrates using a SIMtrace to uncover SMS communications of an applet.
Welcome to the magical world of proactive SIMs.
Two attacks (SIMjacker and WIBattack) used OTA SMS messages to attack browser applets on the SIM card (the S@T Browser and the Wireless Internet Browser, WIB). (See techniques below.)
Additionally, SMS messages can be sent over IP (VoIP/IMS) and are perhaps easier to capture that way, if the phone can be forced to use that option.
NFC communication
The NFC controller can communicate directly with the SIM card via the Single Wire Protocol (SWP), with the SIM acting as the secure element.
Injecting Malicious Applets
A brief introduction of Security Domains
Typically a SIM card's Issuer Security Domain (ISD) is responsible for authorizing applets being loaded, and in practice it refuses loads that are not authenticated with its keys. But cracking the keys used to secure the OTA SMS messages (KIc/KID) lets you send authenticated Remote Application Management commands, which is what is needed to load, install and sign off an applet. Note that the OTA keys are separate from the authentication key Ki; Ki is not the source from which they are derived.
Techniques
SMS attack vector
SMS Fuzzing to discover SIM vulnerabilities
SIMjacker
SIM and SMS Basics
OTA messages
SIM Tester
Exploitation
An article covering the basics of WIBattack
Projects
Create a tool that enumerates a SIM card for applets by scanning the 24-bit TAR space and checking for responses or errors.
Additional Resources
SIM Cards Demystified
Java Card Development Kit
GlobalPlatform (GPshell)
simhacks and Defcon 21 - The Secret Life of SIM Cards
SIM card emulator for Android
OsmoDevCall - Advanced SIM card topics
Interoperability Stepping Stones
Technical Specifications
Security mechanisms for the (U)SIM application toolkit