Professional Documents
Culture Documents
SIM cards
2
SIM
security
involves
many
layers
from
smartcards
to
cryptography
and
Java
process
separa2on
SIM
card
includes
various
protec'on
mechanisms
3
Agenda
4
OTA
security
level
is
chosen
by
server
while
SIM
ILLUSTRATIVE
OTA
server
Target
app
/
key
set
#
SIM
card
stores
mul2ple
ini2ates
key
sets,
possibly
with
remote
Command
Used
Reque- dierent
protec2on
levels
transac2on
possibly
security
sted
encrypted
level
security
Key
set
3
and/or
level
Key
set
2
signed
Key
set
1
Man-
DES
3DES
AES
datory
Response
protected
Encry-
according
to
request,
p2on
but
not
below
minimum
level
stored
on
card
Signa-
ture
5
OTA
error
handling
is
underspecied,
possibly
opening
acack
surface
Some2mes
b.(50%*)
Error
message
with
all-zeros
signatures
c.(25%*)
DES
Error
message
signature
6
*
Es2mated
from
rela2vely
small
and
geographically
skewed
measurement
set
OTA
DES
do
not
withstand
key
cracking
7
Acacker
SMS
asks
for
DES-signed
SMS
response
with
fully
predictable
content
Acack-specic
features
Command
packet
is
sent
by
the
acacker
to
provoke
response
UDHI
PID
DCS
UDH
CPL
CHL
SPI
KIc
KID
TAR
CNTR
PCNTR
CC
Data
1
127
246
027000
Packet
Header
No
ciphering
No
DES
App
01
Padding
Rand.
Generic
length
length
Sign
cipher
signature
counter
invalid
command
PoR
request
Packet details: 0 0 0 1 0 0 1 0 0 0 1 0 1 0 0 1
Response
packet
No
may
oer
acack
surface
response
UDH
RPL
RHL
TAR
CNTR
PCNTR
Status
Code
CC
Data
or
027100
Packet
Header
App
01
Padding
Status
Code
Crypto- Response
length
length
counter
Checksum
8
Pre-computa2on
tables
store
DES
code
book
in
condensed
form
K
K
K
E233
2F06
503A
OCFE
K
K
K
DB18
B951
CAF3
77CF
K
K
K
Collision
22CB
A8F3
CAF3
77CF
K
K
K
87A4
49A6
118F
B33F
9
Table
op2miza2on:
Rainbow
tables
mi2gate
the
eect
of
collisions
K1
K2
K3
E233
44B2
BBA8
1B22
Collision
K1
K2
K3
DB18
ODE3
44B2
5DE2
K1
K2
K3
22CB
6C7A
55D2
922A
K1
K2
K3
87A4
11F6
362E
C7D5
10
Source:ct
Video
and
live
demo:
Remotely
cracking
OTA
key
11
Video
source:
hcp://www.heise.de/security/ar2kel/DES-Hack-exponiert-Millionen-SIM-Karten-1920898.html
OTA
acacks
extend
beyond
DES
signatures
Many
mobile
operators
responded
to
the
looming
SIM
hacking
risk
considerate
and
faster
than
we
could
have
wished
for
others
(too?)
quickly
concluded
they
were
not
aected
12
For
some
cards,
even
3DES
keys
are
crackable
Downgrade
aOack
ow
AOacker
Request
DES-signed
Some
SIM
Command
response
(KID
=
1)
cards
with
3DES
key
Crack
rst
Error
DES-signed
use
lower
signature
third
of
key
schemes
when
requested
(in
viola2on
Request
2-key
3DES
Command
of
the
standard)
response
(KID
=
5)
Crack
second
Error
2-key
3DES-signed
3-key
3DES
third*
2-key
3DES
Request
3-key
3DES
DES
Command
response
(KID
=
9)
56
56
56
Crack
bit
bit
bit
nal
Error
3-key
3DES-signed
third*
13
*
Must
be
brute-forced;
Rainbow
table
acack
no
longer
possible
Only
some
cards
provide
crackable
plaintext-signature
pairs
Acacker sends OTA command with wrong DES signature reques2ng DES-signed response
DES
crack
No
Yes
DES
downgrade
No
Yes
Vulnerable
No
Not
to
this
acack
No
No
No
Yes
Yes
14
Agenda
15
Java
virus
does
not
automa2cally
have
access
to
all
SIM
assets
Java
sand
box
should
protect
cri'cal
data
on
OTA-deployed
SIM
virus
can
access
SIM
Toolkit
API
SIM
Data
access
on
SIM
would
enable
further
abuse
16
Java
VM
on
many
SIMs
fails
to
conne
malicious
applets
Java
VM
needs
to
Java
virus
may
try
to
intrude
on
enforce
Other
Java
programs
and
na've
other
parts
of
SIM
sandbox
SIM
func'ons
store
value
secrets
boundaries
of
each
app
Data
in
SIM
Abuse
scenario
Ki
SIM
cloning:
SMS/call
Banking
Simplis2c
memory
boundary
Java
VM
enforces
fraud,
applets
viola2on
acempt:
X
=
small_array[1000000]
X
array
boundaries
and
stops
request
Iden2ca-
Steal
balance
2on
applets
Impersonate
17
Putng
it
all
together
Remote
SIM
cloning
18
Wide-scale
SIM
hacking
risk
must
be
mi2gated
on
several
layers
Low
High
Mi'ga'on
layer
for
OTA
hacking
risk
Eec'veness
Cost
Prevents
probing
in
home
Func2onality
Filter
OTA
messages
Network
operators
network;
leaves
SIMs
exposed
readily
from
unapproved
short-term
when
roaming,
to
fake
base
available
in
sources
mi2ga2on
op2on
sta2ons,
and
to
phone
malware
most
SMSCs
19
Industry
response
was
encouraging
for
responsibly
disclosing
hacking
research
The
responsible
disclosure
went
surprisingly
well
and
is
worth
Take
aways
from
a
number
of
responsible
disclosure
that
all
men2oning
went
well
(except
for
one)
We
disclosed
several
months
ahead
Find
construc've
partners
in
the
industry;
ask
other
of
the
release
to
trusted
contracts
hackers
for
their
recommenda2ons
made
around
previous
releases
Disclose
early
and
dont
be
surprised
if
even
the
most
Experts
from
a
few
large
companies
mo2vated
disclosure
partner
takes
months
to
distribute
veried
the
results
and
created
best
the
informa2on
conden2ally
in
their
industry
prac2ce
responses
Bring
someone
with
disclosure
experience
to
mee2ngs
Industry
associa2ons
disseminated
guidelines
to
all
other
operators
Expect
friendliness
and
remind
your
partner
of
the
required
e2quece
should
they
ever
act
rude
or
arrogant
Many
networks
are
now
well
underway
implemen2ng
ltering
Help
your
technical
contacts
win
the
internal
bacles:
and
reconguring
cards
Refuse
to
speak
to
their
lawyers;
never
sign
an
NDA
prior
to
your
disclosure
Only
a
single
lawyer
stumbled
into
the
interac2on,
but
quickly
leL
Be
extremely
careful
accep2ng
money;
and
only
ever
to
help
with
mi2ga2on
20
Take
aways
Ques2ons?
21