Attack on SIM Toolkit (Atac asupra SIM Toolkit)
Bogdan Alecu, http://www.m-sec.net
  1. Attack on SIM Toolkit. Bogdan Alecu, http://www.m-sec.net. (Title slide with a phone image and the tagline "Get more security for your phone.")
  2. Attack on SIM Toolkit. Bogdan Alecu, http://www.m-sec.net (title slide repeated).
  3. (Image slide.) Bogdan Alecu, http://www.m-sec.net
  4. SMS (Short Message Service) is a way of communicating by text messages between mobile/fixed phones using a standardized protocol. It is an effective means of communication: the user writes a text, presses SEND and the message is delivered almost instantly to the recipient. It is used for many purposes: MMS (Multimedia Messaging Service), OTA (Over The Air) phone configuration, voicemail notifications, email, fax, micropayments (paying small amounts for various services) => SECURITY!
  5. "An active mobile device must be able to receive a short message of TPDU (Transfer protocol data unit) type (SMS-DELIVER) at any time, regardless of whether a call or data traffic is in progress. A report will always be sent to the SC (the message service), confirming either that the phone has received the message or that the message was not delivered, including the reason for the refusal." ETSI TS 100 901 V7.5.0 (2001-12), p. 38
  6. (Build-up of slides 7 and 8: the octet table of the SMS-SUBMIT PDU and the AT command steps for sending it.)
  7. Octet(s) | Description
     00 | Info about SMSC: here the length is 0, which means that the SMSC stored in the phone should be used.
     01 | First octet of the SMS-SUBMIT message. It indicates that there is no reply path, User Data Header, Status Report Request, Validity Period or Reject Duplicates. The message type is SMS-SUBMIT.
     00 | TP-Message-Reference. The "00" value here lets the phone set the message reference number itself.
     0B | TP-Address-Length. Length of the phone number (11).
     91 | Type-of-Address. Here it is the international format of the phone number.
     44 21 43 65 87 F9 | Phone number in semi-octets: 44123456789
     00 | TP-PID, none specified
     00 | TP-DCS, none specified
     0B | TP-User-Data-Length. Length of message = number of septets = 11
     E8 32 9B FD 06 DD DF 72 36 19 | These octets represent the message "hello world"
  8. To send the message using AT commands through a GSM modem, the following steps must be taken:
     a) Set the modem to PDU mode: AT+CMGF=0
     b) Check whether the modem can process SMS: AT+CSMS=0
     c) Send the message: AT+CMGS=23
        > 0001000B914421436587F900000BE8329BFD06DDDF723619
  9. Wireshark dissection of the SMS-SUBMIT sent by the phone (frame 69, 84 bytes on wire):
     Ethernet II, Src: 00:00:00_00:00:00, Dst: 00:00:00_00:00:00
     Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
     User Datagram Protocol, Src Port: 58447, Dst Port: gsmtap (4729)
     GSM TAP Header, ARFCN: 0 (Uplink), TS: 0, Channel: SDCCH (8)
     Link Access Procedure, Channel Dm (LAPDm)
     GSM A-I/F DTAP - CP-DATA
     GSM A-I/F RP - RP-DATA (MS to Network): Message Type RP-DATA (MS to Network), RP-Message Reference, RP-Origination Address, RP-Destination Address, RP-User Data
     GSM SMS TPDU (GSM 03.40) SMS-SUBMIT
       0... .... = TP-RP: TP Reply Path parameter is not set in this SMS SUBMIT/DELIVER
       .0.. .... = TP-UDHI: The TP UD field contains only the short message
       ..0. .... = TP-SRR: A status report is not requested
       ...1 0... = TP-VPF: TP-VP field present - relative format (2)
       .... .0.. = TP-RD: Instruct SC to accept duplicates
       .... ..01 = TP-MTI: SMS-SUBMIT (1)
       TP-MR: 1
       TP-Destination-Address
       TP-PID: 0 (00.. .... defines formatting for subsequent bits; ..0. .... no telematic interworking, but SME-to-SME protocol; ...0 0000 the SM-AL protocol being used between the SME and the MS (0))
       TP-DCS: 0 (00.. .... Coding Group Bits: General Data Coding indication (0); special case, GSM 7 bit default alphabet)
       TP-Validity-Period: 24 hours 0 minutes
       TP-User-Data-Length: (11) depends on Data-Coding-Scheme
       TP-User-Data
  10. The User Data Header contains octets that are added at the beginning of the User Data component. Through the UDH, value-added services can be built. The UDH can be used for: ringtones, WAP Push, operator logos, vCards, concatenated messages, SIM Toolkit Security headers.
  11. The SIM Toolkit Security header. There are 2 types of security commands: the Command Packet, a packet sent by the sender containing the secured application message; the Response Packet, a packet sent by the recipient containing the secured response and possibly application data.
  12. (Diagram: an SMS_SUBMIT made of Mandatory Header Fields, the User Data Header carrying the Command Header, and the Secured User Data; the User Data Header field signals SIM Toolkit Security. The fields are defined on slide 14.)
  13. Command Packet layout: UDHL | IEIa | IEDLa | CPL | CHL | SPI | KIc | KID | TAR | CNTR | PCNTR | RC/CC/DS | Secure Data. Command Packet Length (CPL): the number of octets from and including the Command Header Identifier to the end of the Secured Data, including any padding octets required for ciphering. Command Header Length (CHL): the number of octets from and including the SPI to the end of the RC/CC/DS. Security Parameter Indicator (SPI): defines the security level applied to the input and output message.
  14. Command Packet: RC/CC/DS, Secure Data.
     - Command Packet Length (CPL): shall indicate the number of octets from and including the Command Header Identifier to the end of the Secured Data, including any padding octets required for ciphering.
     - Command Header Length (CHL): the number of octets from and including the SPI to the end of the RC/CC/DS.
     - Security Parameter Indicator (SPI): defines the security level applied to the input and output message.
     - Ciphering Key Identifier (KIc): key and algorithm identifier for ciphering.
     - Key Identifier (KID): key and algorithm identifier for the Redundancy Check (RC) / Cryptographic Checksum (CC) / Digital Signature (DS).
     - Toolkit Application Reference (TAR): part of the 23.048 header that identifies and triggers the Over The Air (OTA) feature, which is an application on the SIM.
     - Counter (CNTR): replay detection and sequence integrity counter.
     - Padding counter (PCNTR): indicates the number of padding octets used for ciphering at the end of the secured data.
     (Diagram: SMS_SUBMIT with Mandatory Header Fields, User Data Header, Command Header and Secured User Data; the User Data Header field signals SIM Toolkit Security.)
  15. (Build-up of slide 22: Gemalto GemPC Twin reader and the SIMinfo Python script.)
  16. Tools used
  17. PDUspy, for a better understanding of the received messages and for building my own message (available at http://www.nobbi.com/pduspy.html). (Screenshot of PDUspy; its text is on slide 18.)
  18. (PDUspy screenshot.) Tabs: get PDU | Decode | PDU settings | create PDU | UDH I | UDH II | Misc. options. Manual mode: decode, paste, clear, save. Interpret PDU as: incoming [from SC to MS] / outgoing [from MS to SC]. PDU contains: a SMSC header [GSM 07.05] / no SMSC header [GSM 03.40]. Automatic mode: port COM1, speed 19200, storage SIM [SM]; read, reply, txtfile, save, send, erase.
  19. Nokia 3310 with an F-BUS USB cable, bought on eBay. (Photo.)
  20. dct3tap, a command-line utility (Linux) for capturing the traffic on the GSM radio interface and the actions performed by the SIM card; the traffic is redirected via GSMTAP to Wireshark. Created by Duncan Salerno and downloadable from http://bb.osmocom.org/trac/wiki/dct3-gsmtap
  21. Wireshark version 1.6.0rc2 compiled together with the GSMTAP and SIMCARD patch, to decode the GSM traffic and the SIM access. Instructions on how to do this are at http://bb.osmocom.org/trac/wiki/dct3-gsmtap. NowSMS Gateway, for a simpler way of sending messages and for connecting to an SMS provider via SMPP: http://www.nowsms.com/download-free-trial (Screenshot: SMSC Connection Type: GSM Phone or Modem; HTTP over TCP/IP; UCP/EMI over TCP/IP.)
  22. Gemalto GemPC Twin reader, for accessing the information on the SIM card. SIMinfo, a Python script for reading the "files" on the SIM: https://gsm.tsaitgaist.info/doku.php?id=siminfo
  23. How does it work? (Build-up of slides 24 and 30: the SIM must have "data download via SMS Point-to-Point" allocated and active, the message uses the SIM data download PID and a class 2 DCS, the phone passes it to the SIM with ENVELOPE (SMS-PP DOWNLOAD) and shows the user nothing.)
  24. First of all it is important that the SIM has the "data download via SMS Point-to-Point" service allocated and active. In addition, a Toolkit application must exist on the SIM for the attack to work. (Screenshot: card reader Gemplus GemPC Twin 00 00; ATR 3B 9F 95 80 1F C3 80 31 A0 73 BE 21.)
  25. (Image with speech bubbles: "I speak SIM Toolkit" and "I wait for your instructions".) SIM Application Toolkit provides Value Added Services (VAS) for operators. In principle it is a set of commands written on the SIM card that help the card communicate with the phone, making it possible to initiate commands regardless of the type of phone or the network it is on.
  26. (Image with speech bubbles: "I speak SIM Toolkit" and "wait for your instructions".)
  27. (The SIM Application Toolkit paragraph of slide 25, shown without the image.)
  28. (SIMinfo output.) card reader: Gemplus GemPC Twin 00 00; card ATR: 3B 9F 95 80 1F C3 80 31 A0 73 BE 21; ... service 25: Data download via SMS-CB, not allocated, not activated; service 26: Data download via SMS-PP, allocated, activated.
  29. (Terminal: File Edit View Search Terminal Help)
     $ cd simreader
     $ ./siminfo.py
  30. The type of message sent is addressed directly to the SIM card, by setting the PID to the value 0x7F, which corresponds to (U)SIM Data Download, as you will see. In addition, the DCS must mark a class 2 message. According to GSM 11.14, this is what happens when these values are set: if the "data download via SMS Point-to-point" service is allocated and active in the service table on the SIM, then the phone follows the procedure below:
     - When a message is received with protocol identifier = SIM data download and DCS = class 2 message, the phone transfers it transparently to the SIM using the ENVELOPE (SMS-PP DOWNLOAD) command.
     - The phone does not display any message or alert the user that an SMS exists.
     In other words, the phone displays nothing and the user does not know they are being attacked.
  31. If we look at the security command in the SMS header, one of its components is the Security Parameter Indicator (SPI). The SPI has 2 octets with the following structure:
  32. 2 octets with the following structure: (figure: Second Byte)
  34. The vulnerability exists because of the 2nd byte: here one can set how the proof of receipt of the message (PoR) is transmitted, via SMS-DELIVER-REPORT or via SMS-SUBMIT. When it is set to SMS-SUBMIT, the phone will try to reply with a normal SMS to the number from which it received the command. If it is set to confirm receipt via DELIVER REPORT, the phone reports the message status to the network. Since we do not have correct values for KIc, KID and TAR, the result of the STK command will be an error, so the report will also contain an error. The SMSC will believe that the phone did not receive the message and will try to send it again, holding back every subsequent message until the initial message expires.
  35. Wireshark dissection of the downlink SMS-DELIVER carrying the command packet:
     User Datagram Protocol, Src Port: 55844, Dst Port: gsmtap (4729)
     GSM TAP Header, ARFCN: 0 (Downlink), TS: 0, Channel: SDCCH (8)
     Link Access Procedure, Channel Dm (LAPDm)
     GSM A-I/F DTAP - CP-DATA
     GSM A-I/F RP - RP-DATA (Network to MS): Message Type RP-DATA (Network to MS), RP-Message Reference, RP-Origination Address, RP-Destination Address, RP-User Data
     GSM SMS TPDU (GSM 03.40) SMS-DELIVER
       0... .... = TP-RP: TP Reply Path parameter is not set in this SMS SUBMIT/DELIVER
       .1.. .... = TP-UDHI: The beginning of the TP UD field contains a Header in addition to the short message
       ..0. .... = TP-SRI: A status report shall not be returned to the SME
       .... .1.. = TP-MMS: No more messages are waiting for the MS in this SC
       .... ..00 = TP-MTI: SMS-DELIVER (0)
       TP-Originating-Address
       TP-PID: 0x7F (01.. .... defines formatting for subsequent bits; ..11 1111 : (63) (U)SIM Data download)
       TP-DCS: 246 (1111 .... Coding Group Bits: Data coding/message class (15); .... 0... Reserved; .... .1.. Message coding: 8 bit data; .... ..10 Message Class: Class 2 (U)SIM specific message)
       TP-Service-Centre-Time-Stamp
       TP-User-Data-Length: (19) depends on Data-Coding-Scheme
       TP-User-Data: User-Data Header, User Data Header Length (2), IE: (U)SIM Toolkit Security Headers (SMS Control)
  36. (Packet list, frames 72-76, 127.0.0.1 -> 127.0.0.1: GSM SMS CP-DATA, GSMTAP "GSM ENVELOPE", LAPDm RR and UI frames.) Dissection of frame 73 (118 bytes on wire):
     User Datagram Protocol, Src Port: 55844, Dst Port: gsmtap (4729)
     GSM TAP Header, ARFCN: 0 (Downlink), TS: 0, Channel: UNKNOWN (0)
     GSM SIM 11.11
       Instruction: ENVELOPE (0xC2)
       Parameter 1: 0x00
       Parameter 2: 0x00
       Length (Parameter 3): 0x37
       APDU Payload: d1 35 82 02 83 81 06 07 91 04 47 94 64 00 f0 8b 26 44 0b 91 04 57 08 38 ...
  37. Wireshark dissection of frame 239 (84 bytes on wire), the uplink SMS-SUBMIT the phone sends as proof of receipt:
     User Datagram Protocol, Src Port: 55844, Dst Port: gsmtap (4729)
     GSM TAP Header, ARFCN: 0 (Uplink), TS: 0, Channel: SDCCH (8)
     Link Access Procedure, Channel Dm (LAPDm)
     GSM A-I/F DTAP - CP-DATA
     GSM A-I/F RP - RP-DATA
     GSM SMS TPDU (GSM 03.40) SMS-SUBMIT
       0... .... = TP-RP: TP Reply Path parameter is not set in this SMS SUBMIT/DELIVER
       .1.. .... = TP-UDHI: The beginning of the TP UD field contains a Header in addition to the short message
       ..0. .... = TP-SRR: A status report is not requested
       ...0 0... = TP-VPF: TP-VP field not present (0)
       .... .0.. = TP-RD: Instruct SC to accept duplicates
       .... ..01 = TP-MTI: SMS-SUBMIT (1)
       TP-MR: 0
       TP-Destination-Address
       TP-PID: 0 (00.. .... defines formatting for subsequent bits; ..0. .... no telematic interworking, but SME-to-SME protocol; ...0 0000 the SM-AL protocol being used between the SME and the MS (0))
       TP-DCS: 246 (1111 .... Coding Group Bits: Data coding/message class (15); .... 0... Reserved; .... .1.. Message coding: 8 bit data; .... ..10 Message Class: Class 2 (U)SIM specific message)
       TP-User-Data-Length: (16) depends on Data-Coding-Scheme
       TP-User-Data: User-Data Header, User Data Header Length (2), IE: (U)SIM Toolkit Security Headers (SMS Control)
  38. (Wireshark, capturing from lo (port 4729), Wireshark 1.6.0rc2: packet info "GSM TERMINAL RESPONSE SEND SHORT MESSAGE: 0100"; User Datagram Protocol, Src Port: 55844, Dst Port: gsmtap (4729); GSM TAP Header, ARFCN: 0 (Downlink), TS: 0, Channel: UNKNOWN (0); GSM SIM 11.11.)
  39. GSMTAP 75 GSM TERMINAL RESPONSE SEND SHORT MESSAGE: 0100
     Ethernet II; Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1; User Datagram Protocol, Src Port: 55844, Dst Port: gsmtap (4729)
     GSM TAP Header, ARFCN: 0 (Downlink), TS: 0, Channel: UNKNOWN (0)
     GSM SIM 11.11
       Class: GSM (0xA0)
       Instruction: TERMINAL RESPONSE (0x14)
       Card Application Toolkit ETSI TS 102.223
         Command details: 011300
           Command Number: 0x01
           Command Type: SEND SHORT MESSAGE (0x13)
           Command Qualifier: 0x00
         Device identity: 8281
           Source Device ID: Terminal (Card Reader) (0x82)
           Destination Device ID: SIM / USIM / UICC (0x81)
         Result: 00
           Result: Command performed successfully (0x00)
       Status word
  40. (Packet list, frames 77-95: CP-DATA / RP-DATA (Network to MS), GSM ENVELOPE, LAPDm RR and UI frames (System Information Type 5, Measurement Report), CP-ACK, Channel Release, DISC / UA, one [Malformed Packet].) The selected frame dissects as GSM SM TPDU (GSM 03.40) SMS-DELIVER REPORT: RP-User Data, Element ID: 65, Length: 2, TPDU (not displayed); Protocol error, unspecified; TP-UDHI: The TP UD field contains only the short message; TP-MMS: More messages are waiting for the MS in this SC; TP-MTI: SMS-DELIVER REPORT (0).
  42. I discovered this vulnerability in June 2010, after which I continued working on understanding it. On 26 August 2010 I reported the vulnerability to CERT (Computer Emergency Response Team); they assigned a CVE (Common Vulnerabilities and Exposures) identifier, but it has not been published yet. Details at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3612 (Screenshot of the CVE entry; its text is on slide 43.)
  43. CVE-2010-3612. Learn more at National Vulnerability Database (NVD) (under review): Severity Rating, Fix Information, Vulnerable Software Versions, SCAP Mappings. ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete. Candidate: This CVE Identifier has "Candidate" status and must be reviewed and accepted by the CVE Editorial Board before it can be updated to official "Entry" status on the CVE List. It may be modified or even rejected in the future. Assigned (20100927). Candidate assigned on 20100927 and proposed on N/A.
  45. Testing...
     - The vulnerability was tested on several phones: Nokia 2330, 3310, 6310, N97; Samsung i900, Galaxy S, Galaxy S2; iPhone; HTC with Windows Mobile 6.5 and with Android; BlackBerry.
  46. - The vulnerability was tested on several phones: Nokia 2330, 3310, 6310, N97; Samsung i900, Galaxy S, Galaxy S2; iPhone; HTC with Windows Mobile 6.5 and with Android; BlackBerry.
     - Some phones show that a message is being sent, while others do not.
     - Sometimes the SIM attempts to send 3 or 4 messages.
  47. IMPACT
     - The attack works independently of the phone or the GSM network.
     - When the message is sent between different networks or within the same network, the financial impact is not large.
     - There are bulk SMS providers that allow you to change the identity of the sender -> think about premium rate numbers.
  48. - There are bulk SMS providers that allow you to change the identity of the sender -> think about premium rate numbers.
     * The problem is that not all of them transmit the APDU packets correctly to all or some operators. From what I tested, out of approximately 10 different providers I found 2 that deliver correctly into two networks.
  49. (Screenshot of CallMed, a premium-rate telephone counselling service: "How do I use CallMed? What is CallMed?" The service is designed to facilitate communication between physicians and their patients; after the voice message the caller dials the doctor's unique identifier and the call is directed to them; the price is 0.95 euro/min plus VAT.)
  50. How do we protect against the attack? (Build-up of slide 51.)
  51. How do we protect against the attack?
     - Telephony operators could filter these types of messages and allow only the ones sent by themselves. Even with protection at the network level, users will not be fully protected unless all operators implement the same security measures.
     - Some phones have the option of asking the user whether to allow a certain action requested by the SIM.
     - Use a SIM that has the "data download via SMS Point-to-point" service deactivated, or one that has no Toolkit application installed.
     - Use a phone from the Nokia DCT3 series and stay connected to a PC at all times, watching the traffic in Wireshark.
  53. (Closing image.) Thanks to: Tobias Engel; those who developed Osmocom; those who let me play with their phones :)
  54. Attack on SIM Toolkit. Bogdan Alecu, http://www.m-sec.net
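Added example (my code, not from the slides or from PDUspy): a decoder for the SMS-SUBMIT PDU that slide 8 hands to AT+CMGS=23, reproducing the octet table of slide 7 and unpacking the GSM 7-bit user data to the message text. It handles any 7-bit SMS-SUBMIT in the AT+CMGS layout, with or without a validity period; the only input is the hex string from slide 8.

```python
# Decode an SMS-SUBMIT PDU as handed to AT+CMGS (SMSC info first, then the TPDU),
# including the GSM 03.38 7-bit unpacking of the user data. Example code, not from the slides.
from dataclasses import dataclass

# GSM 03.38 default alphabet: 128 septet values in order (extension table not handled).
GSM7_ALPHABET = (
    "@£$¥èéùìòÇ\nØø\rÅå"
    "Δ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./"
    "0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
assert len(GSM7_ALPHABET) == 128

# The PDU from slide 8, exactly as typed after the "> " prompt (leading 00 = SMSC length).
SLIDE8_PDU = "0001000B914421436587F900000BE8329BFD06DDDF723619"


@dataclass
class SmsSubmit:
    smsc_len: int
    first_octet: int
    message_ref: int
    dest_addr: str
    pid: int
    dcs: int
    udl: int
    text: str


def decode_semi_octets(raw: bytes, ndigits: int) -> str:
    """03.40 address digits: nibbles swapped within each octet, odd length padded with F."""
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)
    return digits[:ndigits]


def unpack_gsm7(data: bytes, septets: int) -> str:
    """Unpack septets packed LSB-first into octets, stopping after `septets` characters."""
    acc, nbits, out = 0, 0, []
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(GSM7_ALPHABET[acc & 0x7F])
            acc >>= 7
            nbits -= 7
    return "".join(out)


def parse_sms_submit(pdu_hex: str) -> SmsSubmit:
    """Walk the PDU field by field in the order of the octet table on slide 7."""
    pdu = bytes.fromhex(pdu_hex)
    pos = 0
    smsc_len = pdu[pos]                                # 00: use the SMSC stored in the phone
    pos += 1 + smsc_len
    first_octet = pdu[pos]
    pos += 1
    if (first_octet & 0x03) != 0x01:
        raise ValueError("TP-MTI is not SMS-SUBMIT")
    message_ref = pdu[pos]                             # 00: the phone picks the reference
    pos += 1
    ndigits = pdu[pos]                                 # TP-DA length counts digits, not octets
    toa = pdu[pos + 1]
    pos += 2
    nocts = (ndigits + 1) // 2
    number = decode_semi_octets(pdu[pos:pos + nocts], ndigits)
    pos += nocts
    dest = ("+" if (toa & 0x70) == 0x10 else "") + number   # 0x91: international number
    pid, dcs = pdu[pos], pdu[pos + 1]
    pos += 2
    vpf = (first_octet >> 3) & 0x03                    # TP-VPF: 0 absent, 2 relative, 1/3 7 octets
    pos += {0: 0, 2: 1, 1: 7, 3: 7}[vpf]
    udl = pdu[pos]
    pos += 1
    if (dcs >> 4) == 0 and (dcs & 0x0C) == 0:          # general coding group, 7-bit alphabet
        text = unpack_gsm7(pdu[pos:], udl)             # UDL counts septets
    else:
        text = pdu[pos:pos + udl].hex()                # 8-bit or UCS2: leave as hex
    return SmsSubmit(smsc_len, first_octet, message_ref, dest, pid, dcs, udl, text)


def cmgs_length(pdu_hex: str) -> int:
    """The number given to AT+CMGS: TPDU octets only, excluding the SMSC information."""
    pdu = bytes.fromhex(pdu_hex)
    return len(pdu) - 1 - pdu[0]


if __name__ == "__main__":
    msg = parse_sms_submit(SLIDE8_PDU)
    print(f"AT+CMGS={cmgs_length(SLIDE8_PDU)}")
    print(msg)
```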
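Added example (my code, not from the slides and not captured traffic): a parser for the (U)SIM data-download SMS-DELIVER of slides 30 to 37 that extracts the GSM 03.48 command header and decodes the second SPI octet discussed on slide 34, wrapped in the kind of filter an operator or bulk-SMS gateway could apply per slide 51. The sample TPDU, its TAR (00 00 00), the zeroed CC, the SELECT payload and the verdict strings are constructed placeholders; the SPI bit positions follow the SPI definition in GSM 03.48 / 3GPP TS 23.048.

```python
# Parse a SIM-addressed SMS-DELIVER (PID 0x7F, DCS class 2), pull out the 03.48 command
# header and decode how the proof of receipt (PoR) is requested. Example code, not from the slides.
from dataclasses import dataclass

PID_SIM_DATA_DOWNLOAD = 0x7F    # TP-PID "(U)SIM Data download" (slide 30)
IEI_COMMAND_PACKET = 0x70       # UDH IE "(U)SIM Toolkit Security Headers", command packet


@dataclass
class CommandPacket:
    cpl: int            # Command Packet Length
    chl: int            # Command Header Length
    spi: bytes          # Security Parameter Indicator, 2 octets
    kic: int            # ciphering key/algorithm identifier
    kid: int            # RC/CC/DS key/algorithm identifier
    tar: bytes          # Toolkit Application Reference, 3 octets
    cntr: bytes         # replay/sequence counter, 5 octets
    pcntr: int          # padding counter
    rc_cc_ds: bytes     # integrity value, length implied by CHL
    secured_data: bytes


def por_mode(spi2: int) -> dict:
    """Decode the second SPI octet: whether, how and over which channel the PoR is returned."""
    return {
        "por": ("none", "required", "on error only", "reserved")[spi2 & 0x03],
        "por_integrity": ("none", "RC", "CC", "DS")[(spi2 >> 2) & 0x03],
        "por_ciphered": bool(spi2 & 0x10),
        "por_via": "SMS-SUBMIT" if spi2 & 0x20 else "SMS-DELIVER-REPORT",
    }


def parse_command_packet(body: bytes) -> CommandPacket:
    """body starts at CPL; CPL counts from the CHL octet to the end of the secured data."""
    cpl = int.from_bytes(body[0:2], "big")
    chl = body[2]
    hdr_end = 3 + chl                     # SPI..PCNTR is 13 octets, the remainder is RC/CC/DS
    return CommandPacket(cpl, chl, body[3:5], body[5], body[6], body[7:10],
                         body[10:15], body[15], body[16:hdr_end], body[hdr_end:2 + cpl])


def parse_sim_download_deliver(tpdu: bytes):
    """Return (pid, dcs_class, CommandPacket or None) for an SMS-DELIVER TPDU, else None."""
    fo = tpdu[0]
    if (fo & 0x03) != 0x00:
        return None                       # not SMS-DELIVER (the PoR on slide 37 is an SMS-SUBMIT)
    ndigits = tpdu[1]
    pos = 3 + (ndigits + 1) // 2          # skip TP-OA length, type-of-address and digits
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    pos += 2 + 7                          # TP-PID, TP-DCS, TP-SCTS
    udl = tpdu[pos]
    pos += 1
    # class bits mean something only when DCS bit 4 is set (general group or 1111 group)
    dcs_class = (dcs & 0x03) if dcs & 0x10 else None
    ud = tpdu[pos:pos + udl] if (dcs & 0x0C) == 0x04 else tpdu[pos:]   # 8-bit: UDL is octets
    packet = None
    if fo & 0x40:                         # TP-UDHI set: walk the User Data Header IEs
        udhl = ud[0]
        i = 1
        while i < 1 + udhl:
            iei, iedl = ud[i], ud[i + 1]
            if iei == IEI_COMMAND_PACKET:
                packet = parse_command_packet(ud[1 + udhl:])
            i += 2 + iedl
    return pid, dcs_class, packet


def gateway_verdict(tpdu: bytes) -> str:
    """Illustrative filter for an operator or gateway: pass ordinary messages, hold SIM-addressed
    ones for sender checks, block those whose PoR would leave the phone as an SMS-SUBMIT."""
    parsed = parse_sim_download_deliver(tpdu)
    if parsed is None:
        return "pass"
    pid, dcs_class, packet = parsed
    if pid != PID_SIM_DATA_DOWNLOAD or dcs_class != 2:
        return "pass"                     # the phone will display it; not a SIM download
    if packet is None:
        return "hold: SIM data download without a 03.48 command packet"
    mode = por_mode(packet.spi[1])
    if mode["por"] != "none" and mode["por_via"] == "SMS-SUBMIT":
        return f"block: PoR via SMS-SUBMIT requested (TAR {packet.tar.hex()})"
    return "hold: SIM data download, confirm the sender is the operator's OTA platform"


def build_sample_tpdu(spi2: int) -> bytes:
    """Constructed SMS-DELIVER modelled on slides 35/36; TAR, CC and payload are placeholders."""
    header = bytes([0x12, spi2, 0x15, 0x15]) + bytes(3) + bytes.fromhex("0000000001") + b"\x00"
    cc = bytes(8)                                     # placeholder CC, not a real checksum
    data = bytes.fromhex("A0A40000023F00")            # placeholder secured data (SELECT MF APDU)
    chl = len(header) + len(cc)
    cpl = 1 + chl + len(data)
    packet = cpl.to_bytes(2, "big") + bytes([chl]) + header + cc + data
    ud = bytes([0x02, IEI_COMMAND_PACKET, 0x00]) + packet
    return (bytes([0x44, 0x0B, 0x91]) + bytes.fromhex("4421436587F9")   # DELIVER+UDHI, +44...
            + bytes([PID_SIM_DATA_DOWNLOAD, 0xF6])                       # PID 0x7F, DCS 8-bit class 2
            + bytes.fromhex("11019171148040")                            # constructed timestamp
            + bytes([len(ud)]) + ud)


if __name__ == "__main__":
    for spi2 in (0x21, 0x01):
        print(f"SPI2=0x{spi2:02X}: {por_mode(spi2)} -> {gateway_verdict(build_sample_tpdu(spi2))}")
```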
