
Rooting SIM cards - blumentopf
https://srlabs.de/rooting-sim-cards/
======
ChuckMcM
Per the earlier discussion, that sounds waaaay too straightforward. Now I need
to figure out if my phone is vulnerable.

~~~
X-Istence
As someone working in security ... this does not surprise me at all.

------
e12e
So, even if the vulnerability (with insecure keys) is fixed, unless the
architecture is changed, I suppose all sim-cards will remain wide-open to
intelligence services -- as one would have to assume that they'd put quite an
effort into getting their hands on a copy of these keys.

~~~
yaantc
The architecture is fine. A better explanation would be: if an incompetent
operator uses obsolete technology then its SIM card can be hacked. But any
half-decent one should be immune to this (there are billions of SIMs, and here
it's "millions" only vulnerable).

First, in a proper network the mobile device and the network mutually
authenticate themselves. So the cell can't be faked. Then it's very easy for
the network to filter such management SMS and only allow them from their
trusted server. It's a very basic security precaution. If done, you don't
depend on the SIM crypto scheme for secure SMS, but here too using DES is a
joke and 3DES / AES have been available for ages.

So I guess it's another sensationalistic report made to draw readers for most.

As for intelligence services, they already have access for domestic operators.
This could only be for foreign and lousy operators maybe.

------
conroy
I had no idea that SIM cards executed code. I naively assumed they just
contained hard-coded information, similar to a credit card. The fact that they
execute Java applets blows my mind.

~~~
pygy_
AFAIK, all smart cards (including credit cards) contain a microcontroller.

[0]
[https://en.wikipedia.org/wiki/Smart_card](https://en.wikipedia.org/wiki/Smart_card)

------
chime
Since iOS doesn't run Java applets, would all iPhones be safe from this? Or
does this mean SIM cards run some form of JVM and can be infected regardless
of the phone OS?

~~~
jdbernard
The latter. A SIM chip is a microprocessor with its own OS. Many SIMs today
run a version of the JVM that has been stripped down and retooled for the more
constrained environment on the smart card (see
[http://en.wikipedia.org/wiki/Java_Card](http://en.wikipedia.org/wiki/Java_Card)).

However, I would be very surprised if a phone bought in the last 5 years was
susceptible to this attack. I used to work for one of the leading providers of
SIM chips and almost all of our product was using 3DES or AES, and that was
several years ago.

~~~
lukego
I've seen freshly built networks about 5 years ago that had no encryption or
authentication whatsoever on their SIM cards. Anybody could "brick" any SIM
with an OTA command to overwrite the IMSI file, or intercept SMSes by
overwriting the SMS service center address, etc.

SIM vendor didn't want to install crypto keys for free, network operator
didn't understand the importance...

~~~
noja
What's an easy way an end-user can check for this?

~~~
lukego
Here are some ways, easiest first:

1. Use a USB SIM card reader to see the contents of the standard files on
your SIM to see if encryption is enabled.

2. Use a SIM-OTA system to send a command and see if it works. For example,
overwrite your Service Provider Name (SPN) file with "Foobar", reboot your
phone, and see if you now see this name instead of "AT&T" (or whatever).

3. Build your own SIM OTA system and do the above. This is easy. You just
need a way to send SMS with the OTA bit set: e.g. a USB GSM modem on a network
that allows it or an internet SMS gateway that allows it.

GSM 11.11 spec tells you what files are on the standard SIM card (including
crypto settings):
[http://www.etsi.org/deliver/etsi_ts/101200_101299/101267/08....](http://www.etsi.org/deliver/etsi_ts/101200_101299/101267/08.18.00_60/ts_101267v081800p.pdf)

GSM 03.48 spec tells you how to encode SMS-OTA messages:
[http://www.etsi.org/deliver/etsi_ts/101100_101199/101181/08....](http://www.etsi.org/deliver/etsi_ts/101100_101199/101181/08.09.00_60/)

I built a commercial SIM-OTA platform about 6-7 years ago that's sold by a big
OEM. This was interesting: SIM card vendors really don't like the idea of
network operators being able to independently do stuff with the SIMs they buy.
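A defender-side check of the GSM 03.48 header lukego points at, as an added example that is not from the thread, from SRLabs or from any OTA platform: it decodes the SPI/KIc/KID/TAR fields of a Command Packet per ETSI TS 101 181 and flags headers that demand no integrity check, no ciphering, single DES, or no replay counter. The two sample packets, their TAR, counter, 0xAA checksum bytes and payload are constructed placeholders.

```python
# Added example (not from the thread or from SRLabs): audit the security header
# of a GSM 03.48 Command Packet, the OTA SMS format lukego refers to. Layout per
# ETSI TS 101 181: CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1) RC/CC/DS(n) data.

def _key_desc(byte: int, is_kid: bool) -> str:
    """Describe a KIc/KID byte: b1b2 algorithm, b3b4 mode, b5..b8 key set number."""
    algo, mode, keyset = byte & 0x3, (byte >> 2) & 0x3, byte >> 4
    if algo == 1:  # DES family; KID mode 3 is reserved where KIc mode 3 is DES ECB
        names = ["DES CBC", "3DES 2-key", "3DES 3-key", "reserved" if is_kid else "DES ECB"]
        return f"{names[mode]} (keyset {keyset})"
    return ("implicit" if algo == 0 else f"non-DES algo {algo}, mode {mode}") + f" (keyset {keyset})"

def _single_des(byte: int) -> bool:
    return (byte & 0x3) == 1 and ((byte >> 2) & 0x3) in (0, 3)

def parse_0348(packet: bytes) -> dict:
    """Decode SPI/KIc/KID/TAR and list the protections the header fails to demand."""
    cpl = int.from_bytes(packet[:2], "big")            # octets from CHL to end of data
    chl = packet[2] if len(packet) > 2 else 0           # header length, >= 13 bytes
    if cpl != len(packet) - 2 or chl < 13 or 3 + chl > len(packet):
        raise ValueError("CPL/CHL inconsistent with packet length")
    hdr = packet[3:3 + chl]
    spi1, kic, kid = hdr[0], hdr[2], hdr[3]
    integrity = ("none", "RC", "CC", "DS")[spi1 & 0x3]                         # SPI b1b2
    ciphered = bool(spi1 & 0x4)                                                  # SPI b3
    counter = ("none", "unchecked", "must increase", "must be +1")[(spi1 >> 3) & 0x3]  # b4b5
    weak = []
    if integrity in ("none", "RC"):
        weak.append("no cryptographic integrity check: sender is not authenticated")
    elif _single_des(kid):
        weak.append("single DES integrity key (KID) is brute-forceable")
    if not ciphered:
        weak.append("payload not ciphered")
    elif _single_des(kic):
        weak.append("single DES cipher key (KIc)")
    if counter == "none":
        weak.append("no replay counter")
    return {"integrity": integrity, "ciphered": ciphered, "counter": counter,
            "kic": _key_desc(kic, False), "kid": _key_desc(kid, True),
            "tar": hdr[4:7].hex(), "weaknesses": weak}

# Constructed samples: TAR, counter, 0xAA checksum bytes and payload are placeholders.
_TAR, _DATA = b"\x01\x02\x03", b"\x01\x02\x03\x04"
WEAK_PACKET = (b"\x00\x12\x0d" + b"\x00\x00" + b"\x00\x00" + _TAR
               + bytes(5) + b"\x00" + _DATA)                    # no CC, no cipher, no CNTR
STRONG_PACKET = (b"\x00\x1a\x15" + b"\x1e\x00" + b"\x19\x19" + _TAR
                 + b"\x00\x00\x00\x00\x07" + b"\x00" + b"\xaa" * 8 + _DATA)  # CC, 3DES, CNTR+1
```

A header that parses as "CC with 3DES, ciphered, counter must be +1" is what a network that filters OTA SMS to its trusted server should be sending; anything in the weaknesses list is the kind of setting the report describes.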

