
New SIM attacks de-mystified, protection tools now available - sebst
https://srlabs.de/bites/sim_attacks_demystified/
======
narrator
The only way I've found to protect against SIM Swap is to use Google voice for
my SMS. Google has good two factor authentication and, since it has no
telephone customer service, is hardened to PII based social engineering, or at
least you can't SIM Swap somebody with just a name and an SSN.

~~~
bigiain
That's a working, but very very scary foundation for security.

"Google's customers service is _so_ fucked even the most dedicated social
engineers with the biggest of whales in their sights can't get them to do a
fucking thing."

~~~
red_phone
What’s even scarier is the premise of your comment: "Any decent customer
service operation will fall prey to social engineering."

And what's unfortunate is that you're probably right!

~~~
bigiain
To be fair, banks do an OK job of that. (Well, it's hard to take over an
account purely by remote social engineering, some of mine still blindly use
SMS as an authentication thing...)

Telcos do not secure phone numbers to banking grade security, because they
never agreed to be part of anyone's critical security posture, and their own
incentives are to make it as easy and quick as possible for customers to move
their phone numbers around. It's in the telco's interest for you to be able to
walk into a $TelcoBrand store and walk out with a functioning device with your
old number. (Or to call up their support line and do the same thing.) They
never offered to make that more difficult than it needs to be just because
companies like PayPal wanted to outsource security to be somebody else's
expense. They've been actively recommending against it since forever:

[https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-bank-transactions-322194](https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-bank-transactions-322194)

~~~
mrb
« _To be fair, banks do an OK job of that_ »

Are you kidding? Banks do a terrible job. Just one data point: «Losses from
[bank] account takeovers hit $5.1 billion last year, a 120 percent increase
over 2016» [https://www.aarp.org/money/scams-fraud/info-2018/thieves-targeting-bank-accounts.html](https://www.aarp.org/money/scams-fraud/info-2018/thieves-targeting-bank-accounts.html)

------
andrerm
SIM Swap [1] is not covered by this. SIM Swap is a social engineering attack
powered by PII leaking from everywhere and for a long time. Today, SIM Swap
attackers don't even need to use phishing or buy PII from illegal sources.
After so many leaks, people's full names, mothers' names, addresses, credit cards,
SSNs are all over the internet. Just Google it.

[1]
[https://en.wikipedia.org/wiki/SIM_swap_scam](https://en.wikipedia.org/wiki/SIM_swap_scam)

~~~
borumpilot
Yeah, since that is NOT an attack against the SIM card (and code stored /
running on the SIM card) but a completely different issue.

------
umeshunni
Out of curiosity, do eSIMs, now common in newer phones, make these kinds of
attacks less likely or more likely? It seems like they would be more likely
since there's no physical component anymore.

~~~
yaantc
No difference, because there is still a physical component ;) Where a normal
SIM card is removable, with an eSIM the chip is soldered on the device. But
there is still the same secure chip as in a removable SIM card really, it just
takes a lot less space. Because it is soldered, it must be possible to
remotely change the content of the SIM, for example to change your telco
operator. How to do this securely and in a standard way is what eSIM is all
about.

The technical name for a SIM card is UICC (Universal Integrated Circuit Card
IIRC). eSIM is eUICC. The next step is iUICC, for an integrated on-die
function. There is no separate chip then, it's integrated in the modem SoC.
But the way it is standardized (on-going) the iUICC must run in a secure
enclave, with a similar security level as current discrete SIM cards. So again,
no real difference: an iUICC will behave as an eUICC one from an end user point
of view. The operators do not want to reduce the security of their UICC.

~~~
derefr
Is there also some level of virtualization with eSIM, where the single chip
allows for multiple SIM "profiles" (SIM-card-ISA VMs, basically) to run on one
chip? Or are the manufacturers that claim that eSIM "allows" for multiple
simultaneous operator accounts, just putting multiple eSIM chips in their
devices?

~~~
mavhc
SIM is software, UICC is hardware (ie the card).

Always remember, there's another computer inside your phone, the UICC
computer, it contains software from the past, written by hardware people
who've never heard of security, no one's looked at the code for bugs, and it
controls your phone.

In conclusion: buy a tablet

------
iicc
Previously:

[https://news.ycombinator.com/item?id=20951578](https://news.ycombinator.com/item?id=20951578)

~~~
borumpilot
Err, no. That describes one (relatively new) attack called Simjacker.

This article / link describes this and a possible other attack (also an applet
on the SIM card, called Wireless Internet Browser (WIB)) AND a way to test if
your SIM card is vulnerable plus mitigation measures (hint: do not allow MSL
(Minimum Security Level) zero).

------
dewey
From reading this it seems that this is unrelated to the SIM Swapping attacks
that were in the news recently and are mostly customer service exploits and
not technical issues.

~~~
judge2020
ATT has an "extra security" mode that requires your account PIN even when
walking into a retail store -
[https://www.att.com/esupport/article.html#!/wireless/KM10513...](https://www.att.com/esupport/article.html#!/wireless/KM1051397)

~~~
dylz
Do you know whether this requires the person in store to enter an exact
match/have you enter it on a pinpad, and that it is absolutely not removable
in any way by any CSR, customer service, or other humans other than you
knowing it and logging in with it?

~~~
judge2020
I have no idea, but for the first one: chances are the retail employee will
enter the pin themselves.

~~~
lotsofpulp
ATT asks for the PIN over the phone too, so best practice seems to be changing
the PIN after giving it to an ATT employee.

But who knows if PINs are visible to ATT employees, and what verification they
do in case the PIN is forgotten. It's all moot if any ATT employee can reset it
without a significant paper trail.

~~~
Thorrez
Even if there's a paper trail, that doesn't mean it won't happen. For example
here's a guy who got fired for transferring a number without the code:

[https://www.reddit.com/r/personalfinance/comments/6nxkbl/so_...](https://www.reddit.com/r/personalfinance/comments/6nxkbl/so_i_was_probably_fired_today/)

~~~
lotsofpulp
Well, ideally, it would lead to stricter penalties and process improvements to
prevent it from happening. And it would allow for fraud liability to be placed
on ATT causing them to care to fix the issue.

------
davidhyde
So many dates in the article and yet the article itself is not dated. Surely
that is important. Does anyone know when this was published?

~~~
borumpilot
It is dated, just not on the page itself:

[https://srlabs.de/#bites](https://srlabs.de/#bites) "27.09.2019"

------
joewee
This doesn’t cover any new attacks. Good read though.

------
hevnsnt
Testing requires PC/SC-compatible SIM card readers: SCM SCR-3310 and HID
Omnikey 3121

~~~
xaduha
There are a lot of PC/SC compatible card readers e.g. most of these

[https://ccid.apdu.fr/ccid/supported.html](https://ccid.apdu.fr/ccid/supported.html)

[https://ccid.apdu.fr/ccid/shouldwork.html](https://ccid.apdu.fr/ccid/shouldwork.html)

------
zero_k
Ah, good old days. I wrote some of the tooling back in the day. Was a lot of
fun. Damn, video cards have advanced so much in the past years I wonder how
fast that code would now run. We were using Radeon 5970s at the time --
integer performance was pretty bad on NVidia cards back then.

