osmocom simtrace
play

Osmocom SIMtrace SIM card protocol tracing - why and how Harald - PowerPoint PPT Presentation

Jan 16, 2023 •362 likes •682 views

Osmocom SIMtrace SIM card protocol tracing - why and how Harald Welte Harald Welte Osmocom SIMtrace November 2014 1 / 30 SIM Cards Smart Card Basics Terminology SIM Subscriber Identity Module USIM Universal Subscriber Identity Mdoule

  1. Osmocom SIMtrace SIM card protocol tracing - why and how Harald Welte Harald Welte Osmocom SIMtrace November 2014 1 / 30

  2. SIM Cards Smart Card Basics Terminology SIM Subscriber Identity Module USIM Universal Subscriber Identity Mdoule UICC Universal Integrated Chip Card MS GSM Mobile Station (phone, modem) UE UMTS User Equipment ME GSM Mobile Equipment (MS + SIM) OTA Over The Air SAT SIM Application Toolkit CAT Card (UICC) Application Toolkit USAT USIM Application Toolkit TAR Toolkit Application Reference Harald Welte Osmocom SIMtrace November 2014 2 / 30

  3. SIM Cards Smart Card Basics Relevant Specification Bodies ISO (ISO 7816) smart cards ETSI (Eurpoean Telecomms Standardisation Institute) Classic GSM SIM UICC card as basis for various telecom ID purposes Card Application Toolkit (CAT) 3GPP (3rd Generation Partnership Project) USIM Application USIM Application Toolkit (USAT) API based applet interworking Global Platform Overall spec for SIM/USIM with Java Sun Microsystems (now Oracle) Java Card Virtual Machine Java Card Runtime Environment Harald Welte Osmocom SIMtrace November 2014 3 / 30

  4. SIM Cards Smart Card Basics The Subscriber Identity Module (SIM) Basic idea was to store cryptographic identity of subscriber inside smart card User can thus migrate identity from one device to another User can furthermore use different SIM in same device (e.g. local prepaid SIM while travelling) Original SIM card design mostly ISO 7816-4 filesystem and single command to execute A3/A8 algorithm inside card This could even be done in logic, no processor required Harald Welte Osmocom SIMtrace November 2014 4 / 30

  5. SIM Cards Smart Card Basics The modern SIM The modern SIM is an entirely different beast Cryptographic processor smart card Symmetric cryptography such as DES, 3DES, AES Public key cryptography such as RSA, ECC Java Card including a small Java VM and Java RE Multiple application support Ability to download applications (Applets) into card Harald Welte Osmocom SIMtrace November 2014 5 / 30

  6. SIM Cards Smart Card Basics Smart Card Basics microprocessor with RAM, Flash and Operating System Interface: Electrical + Logical Protocol (ISO7816-3, ISO7816-4) File System based representation of information Protocol describes remote operations on the file system Few non-filesystem related commands for e.g. authentication Harald Welte Osmocom SIMtrace November 2014 6 / 30

  7. SIM Cards Smart Card Basics Smart Card Filesystem Hierarchical file system like on PC MF (master file): root directory DF (dedicated file): subdirectory EF (entry file): actual file transparent or record oriented record linear fixed/variable or record cyclic File names don’t exist on card. 16bit FID (File ID) or 8bit SFID used instead Harald Welte Osmocom SIMtrace November 2014 7 / 30

  8. SIM Cards Smart Card Basics Smart Card Filesystem Hierarchy Harald Welte Osmocom SIMtrace November 2014 8 / 30

  9. SIM Cards Smart Card Basics SIM Card APDU Commands Classic SIM card commands include the following SELECT (change directory / open file) READ BINARY, UPDATE BINARY (read/write transparent EF) READ RECORD, UPDATE RECORD (read/write record EF) ENABLE CHV, DISABLE CHV, CHANGE CHV (enable, disable or change PIN) VERIFY CHV, UNBLOCK CHV (verify or unblock PIN) RUN GSM ALGORITHM (A3/A8 authentication) Harald Welte Osmocom SIMtrace November 2014 9 / 30

  10. SIM Cards Smart Card Basics Smart Card Filesystem Typical operations of the phone include navigating inside filesystem by SELECT on DF/EF authenticating the user PIN reading/updating files reading IMSI old-school SMS and contact storage storing session keys (Kc/KcGPRS, ...) storing last cell on power-off Harald Welte Osmocom SIMtrace November 2014 10 / 30

  11. SIM Cards Smart Card Basics Smart Card PINs The level of access to the filesystem and other card features is determined by authentication using a shared secret, called ’PIN’. Regular PIN for normal use of the card by the end user PUK for resetting the pin after too many retries ADM1..n PIN for access by the operator only Harald Welte Osmocom SIMtrace November 2014 11 / 30

  12. SIM Cards SIM Application Toolkit (SAT) SIM Application Toolkit (SAT) Ability for card to run applications that have UI on the phone Display menu items on-screen Get user input from keypad/touch-screen Original Version Described in TS 11.14 and 11.11 Harald Welte Osmocom SIMtrace November 2014 12 / 30

  13. SIM Cards SIM Application Toolkit (SAT) SAT – Proactive SIM The Proactive SIM features Sending a short message Setting up a voice call Playback of a tone in earpiece Providing location information from ME to SIM Have ME execute timers on behalf of SIM Sending DTMF to network Running an AT command received from SIM, sending result back to SIM Ask ME to launch browser to SIM-provided URL Harald Welte Osmocom SIMtrace November 2014 13 / 30

  14. SIM Cards SIM Application Toolkit (SAT) SAT – Call and SMS Control ME passes MO call setup attempts to SIM for approval SIM can then approve or decline the MO call modify the call details such as phone number replace the call with USSD message ME passes USSD requests similar to Call Control Similar mechanism exists for all MO SMS Harald Welte Osmocom SIMtrace November 2014 14 / 30

  15. SIM Cards SIM Application Toolkit (SAT) SAT – Provide local information The SIM can inquire the ME about MCC / MNC / LAC / Cell ID IMEI of ME Network Measurement Results BCCH channel list Date, Time, Timezone ME language setting Timing Advance Harald Welte Osmocom SIMtrace November 2014 15 / 30

  16. SIM Cards SIM Application Toolkit (SAT) SAT – Event download The SIM is notified by ME about certain events such as Call Connected / Disconnected Location Status (Location Area change) User activity (keyboard input) Idle screen available Browser termination Harald Welte Osmocom SIMtrace November 2014 16 / 30

  17. SIM Cards SIM Application Toolkit (SAT) SAT - Data download Enables Operator to exchange arbitrary data with the SIM Could be RFM (Remote File Management) Read or modify phone book entries Even change the IMSI of the SIM (!) In case of Java Card, can be download of card applets Applets are stored permanently on SIM Can later use SAT procedures to interact with ME TS 03.19 specifies Java API to access SAT from Java RE Harald Welte Osmocom SIMtrace November 2014 17 / 30

  18. SIM Cards SIM Application Toolkit (SAT) SAT - Data download SAT Data Download can happen via via SMS or Cell Broadcast Uses TS 03.40 TP-PID SIM DATA Download ME forwards such SMS to the SIM in ENVELOPE APDU Response from SIM is sent back as MO-SMS or DELIVERY REPORT via BIP (Bearer Independent Protocol) Dedicated CSD call between network and SIM GPRS session between network and SIM Harald Welte Osmocom SIMtrace November 2014 18 / 30

  19. SIM Cards SIM Application Toolkit (SAT) SAT - Data download Data download security GSM TS 03.48 specifies secure messaging for data download Includes replay protection Supports DES and 3DES SMS chaining for long commands / large data Harald Welte Osmocom SIMtrace November 2014 19 / 30

  20. SIM Cards SIM threat model SIM card abuse by hostile operator Even if the phone might be considered trusted, the SIM card is owned and controlled by the operator Using SAT features, the operator can control many aspects of the phone Examples Remotely reading address book / stored SMS Monitor user behavior (browser termination, idle screen, ...) Ask phone to establish packet data session Harald Welte Osmocom SIMtrace November 2014 20 / 30

  21. SIM Cards SIM threat model SIM card re-programming by attacker If the SIM is not properly secured (auth + encryption keys, ...) a third party attacker can send SAT envelope SMS to the card and install resident Java applets The attacker can then Obtain detailed location information and send it via SMS Intercept/log outgoing calls Sending copies of incoming + outgoing SMS elsewhere Even using SIM card channel to exploit baseband stack is feasible Harald Welte Osmocom SIMtrace November 2014 21 / 30

  22. SIM Cards SIM threat model SIM card proxy / MITM by attacker As soon as an attacker has temporary physical access to a phone, he can Insert a proxy-SIM between real SIM and phone Do everything a Java applet could do, but even with a securely configured SIM as he does not modify the existing SIM Sniff current Kc and send it out e.g. via SMS or even UDP/TCP packets over GPRS ... by only using standard interfaces that are common among all phones (as opposed to baseband software hacking which is very model-specific) Most users would never notice this as they rarely check their SIM slot Harald Welte Osmocom SIMtrace November 2014 22 / 30

  23. SIM Cards SIM attacks countermeasures Defending against SIM based attacks SIM cards are Operator issued, Ki is on the SIM SIM card can thus not be replaced, but original SIM must be used Configure telephone to not store contacts or SMS on SIM Communication between SIM and ME is not encrypted/authenticated Solution: Proxy SIM between SIM and ME to break STK / OTA Filter all STK/OTA/Proactive commands like ENVELOPE Indicate lack of STK support to ME (EF.Phase) Harald Welte Osmocom SIMtrace November 2014 23 / 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

osmocom.org - FOSS for mobile networks community based Free / Open Source Software for

osmocom.org - FOSS for mobile networks community based Free / Open Source Software for

Researching communications systems Bootstrapping Osmocom The Osmocom project osmocom.org - FOSS for mobile networks community based Free / Open Source Software for communications Harald Welte <hwelte@sysmocom.de> gnumonks.org

782 views • 36 slides
Osmocom TTCN-3 Test Suites Harald Welte <laforge@gnumonks.org> Osmocom TTCN-3 Test Suites

Osmocom TTCN-3 Test Suites Harald Welte <laforge@gnumonks.org> Osmocom TTCN-3 Test Suites

Osmocom TTCN-3 Test Suites Harald Welte <laforge@gnumonks.org> Osmocom TTCN-3 Test Suites developed in 2017+2018 compiled using Eclipse TITAN uses just a command-line compiler + Makefiles no IDE needed at all, dont let Eclipse fool you

805 views • 21 slides
osmocom.org - FOSS for mobile comms community based Free / Open Source Software for

osmocom.org - FOSS for mobile comms community based Free / Open Source Software for

Researching communications systems The Osmocom project Non-osmocom projects osmocom.org - FOSS for mobile comms community based Free / Open Source Software for communications Harald Welte <laforge@gnumonks.org> gnumonks.org

1.15k views • 43 slides
osmocom.org - FOSS for mobile comms community based Free / Open Source Software for

osmocom.org - FOSS for mobile comms community based Free / Open Source Software for

Researching communications systems Bootstrapping Osmocom The Osmocom project osmocom.org - FOSS for mobile comms community based Free / Open Source Software for communications Harald Welte <laforge@gnumonks.org> gnumonks.org

959 views • 36 slides
osmocom: Overview of our SDR projects rtl-sdr, gr-osmosdr, osmo-tetra, osmo-gmr, gr-fosphor and

osmocom: Overview of our SDR projects rtl-sdr, gr-osmosdr, osmo-tetra, osmo-gmr, gr-fosphor and

Introduction Radio frontends Signal browsing Protocols The End osmocom: Overview of our SDR projects rtl-sdr, gr-osmosdr, osmo-tetra, osmo-gmr, gr-fosphor and more ! Sylvain Munaut FOSDEM 2014, February 2nd, 2014 Sylvain Munaut osmocom:

314 views • 18 slides
Year 2017 Osmocom retrospective Harald Welte <laforge@gnumonks.org> 2017 - a year of change

Year 2017 Osmocom retrospective Harald Welte <laforge@gnumonks.org> 2017 - a year of change

Year 2017 Osmocom retrospective Harald Welte <laforge@gnumonks.org> 2017 - a year of change Osmocom CNI (Cellular Network Infrastructure) has changed a lot: software changes team / developer changes sysmocom company focus changes 2017 -

342 views • 20 slides
Osmocom Testing Initiative Harald Welte <laforge@gnumonks.org> split NITB aftermath (the

Osmocom Testing Initiative Harald Welte <laforge@gnumonks.org> split NITB aftermath (the

Osmocom Testing Initiative Harald Welte <laforge@gnumonks.org> split NITB aftermath (the good parts) biggest architectural change since we started in 2008 lots of good reasons and design improvements finite state machines with proper

449 views • 26 slides
Cellular Base Station Technology Harald Welte laforge@gnumonks.org osmocom.org / sysmocom.de

Cellular Base Station Technology Harald Welte laforge@gnumonks.org osmocom.org / sysmocom.de

Introduction Evolution of Cell Sites back-haul, hardware, software Cellular Base Station Technology Harald Welte laforge@gnumonks.org osmocom.org / sysmocom.de September 2019, CCCB Datengarten 1 / 41 (CC-BY-SA) Harald Welte

591 views • 45 slides
SIM card technology from A(PDU) to X(RES) Harald Welte osmocom.org Chaos Communication Congress

SIM card technology from A(PDU) to X(RES) Harald Welte osmocom.org Chaos Communication Congress

SIM card technology from A(PDU) to X(RES) Harald Welte osmocom.org Chaos Communication Congress 2019 Harald Welte SIM card technology from A(PDU) to X(RES) Outline Relevant Specs + Spec Bodies Card Interfaces, Protocols Card File System

389 views • 36 slides
Free / Open Source Software for GSM Harald Welte gnumonks.org OpenBSC airprobe.org osmocom.org

Free / Open Source Software for GSM Harald Welte gnumonks.org OpenBSC airprobe.org osmocom.org

Free / Open Source Software for GSM Harald Welte gnumonks.org OpenBSC airprobe.org osmocom.org hmw-consulting.de December 2010, Taiwan 1 / 54 Harald Welte Free / Open Source Software for GSM OpenBSC OsmocomBB Project wireshark Protocol

901 views • 54 slides
GSM Security Problems Harald Welte osmocom.org hmw-consulting.de sysmocom.de July 2013, TSC

GSM Security Problems Harald Welte osmocom.org hmw-consulting.de sysmocom.de July 2013, TSC

Introduction GSM security problems The False BTS Security beyond the Um interface GSM Security Problems Harald Welte osmocom.org hmw-consulting.de sysmocom.de July 2013, TSC TIB, Taipei/TAIWAN 1 / 77 Harald Welte GSM Security Problems

1.19k views • 77 slides
OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org

OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org

TETRA Introduction TETRA Technical Intro TETRA Data Services Osmocom TETRA OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org OpenBSC OsmocomBB hmw-consulting.de PHN2011, May 2011, Berlin/Germany

619 views • 43 slides
OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org

OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org

TETRA Introduction TETRA Technical Intro TETRA Data Services Osmocom TETRA OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org OpenBSC OsmocomBB hmw-consulting.de EH2011, April 2011,

693 views • 40 slides
OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org

OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org

TETRA Introduction TETRA Technical Intro Osmocom TETRA OsmocomTETRA Researching TETRA and its security Harald Welte gnumonks.org gpl-violations.org OpenBSC OsmocomBB hmw-consulting.de SRLabs, January 2011, Berlin/Germany Harald Welte

462 views • 33 slides
Erlang SCCP/TCAP/MAP Implementations Harald Welte <laforge@gnumonks.org> gnumonks.org

Erlang SCCP/TCAP/MAP Implementations Harald Welte <laforge@gnumonks.org> gnumonks.org

The GSM core network Erlang in Osmocom Core Network protocol implementations Erlang SCCP/TCAP/MAP Implementations Harald Welte <laforge@gnumonks.org> gnumonks.org hmw-consulting.de sysmocom GmbH October 13, 2012 - OSDC.fr - Paris /

1.06k views • 35 slides
Free Software for GSM cellular telephony OpenBSC, OsmoSGSN, OpenGGSN, OsmocomBB Harald Welte

Free Software for GSM cellular telephony OpenBSC, OsmoSGSN, OpenGGSN, OsmocomBB Harald Welte

Researching GSM/3G security OpenBSC OsmocomBB Project OpenBTS, airprobe and wireshark Free Software for GSM cellular telephony OpenBSC, OsmoSGSN, OpenGGSN, OsmocomBB Harald Welte gnumonks.org gpl-violations.org osmocom.org airprobe.org

1.3k views • 72 slides
Disclosures RAIN 2014 None Cases from San Francisco General Hospital John Betjemann, MD

Disclosures RAIN 2014 None Cases from San Francisco General Hospital John Betjemann, MD

2/14/2014 Disclosures RAIN 2014 None Cases from San Francisco General Hospital John Betjemann, MD SFGH Case 1 History Relationship with UCSF since 1873 60 yo Asian woman with acute onset LE numbness San Franciscos main

298 views • 8 slides
Molecular Design of Bifunctional Cp*Ru Catalysts for Asymmetric Synthesis Masato Ito & Takao

Molecular Design of Bifunctional Cp*Ru Catalysts for Asymmetric Synthesis Masato Ito & Takao

Molecular Design of Bifunctional Cp*Ru Catalysts for Asymmetric Synthesis Masato Ito & Takao Ikariya IMCE. Kyushu University & Tokyo Tech. Nov. 12, 2009 @ IKCOC-11 (OP-28) DIRECT HYDROGENATION OF POLARIZED CO BONDs H O O

578 views • 21 slides
MOL2NET, 2017 , 3, doi:10.3390/mol2net-03-xxxx 2 thus providing pure lactone 3 , or alternatively,

MOL2NET, 2017 , 3, doi:10.3390/mol2net-03-xxxx 2 thus providing pure lactone 3 , or alternatively,

MOL2NET, 2017 , 3, doi:10.3390/mol2net-03-xxxx 1 MDPI MOL2NET, International Conference Series on Multidisciplinary Sciences http://sciforum.net/conference/mol2net-03 A more efficient catalyst for the cycloisomerization of alkynoic acids Nerea

210 views • 4 slides
Topics Hydrolysis Aquo metal ion gives rise to hydroxo complexes Iron Hydroxide

Topics Hydrolysis Aquo metal ion gives rise to hydroxo complexes Iron Hydroxide

CEE 680 Lecture #35 3/30/2020 Print version Updated: 30 March 2020 Lecture #35 Precipitation and Dissolution: Iron Hydroxides (Stumm & Morgan, Chapt.7) Benjamin; Chapter 8.7 8.15 David Reckhow CEE 680 #35 1 Topics Hydrolysis

403 views • 14 slides
Mobile Weather Station for Crowdsource based on OceanConnect Platform

Mobile Weather Station for Crowdsource based on OceanConnect Platform

Mobile Internet Project Report Mobile Weather Station for Crowdsource based on OceanConnect Platform INTRODUCTION 1 What is NB-IOT? Why we choose NB-IOT? HARDWARE &

411 views • 20 slides
An analytic logic of aggregation Patrick Girard and Jeremy Seligman University of Auckland ICLA

An analytic logic of aggregation Patrick Girard and Jeremy Seligman University of Auckland ICLA

An analytic logic of aggregation Patrick Girard and Jeremy Seligman University of Auckland ICLA 2009, Chennai 9 January 2009 Hierarchy Agreement Subordination Basic Preference Logic Start with a basic preference order (reflexive and

280 views • 23 slides
Probing Cosmic Reionization at z~7 with Lya Galaxies from the LAGER Survey LAGER: Lyman Alpha

Probing Cosmic Reionization at z~7 with Lya Galaxies from the LAGER Survey LAGER: Lyman Alpha

Probing Cosmic Reionization at z~7 with Lya Galaxies from the LAGER Survey LAGER: Lyman Alpha Galaxies in the Epoch of Reionization Zhenya ZHENG Shanghai Astronomical Observatory On behalf of the LAGER Team Lyman Alpha Galaxies in the

486 views • 26 slides
CS 241: Systems Programming Lecture 34. Advanced Git Fall 2019 Prof. Stephen Checkoway 1 Using

CS 241: Systems Programming Lecture 34. Advanced Git Fall 2019 Prof. Stephen Checkoway 1 Using

CS 241: Systems Programming Lecture 34. Advanced Git Fall 2019 Prof. Stephen Checkoway 1 Using "branches" Development and release versions Trying out new features Focusing on fixing a bug Simpler to do in Git than other VCS, consider

1.02k views • 63 slides

More recommend