How do criminals steal your numbers and what is SIM hijacking? (Part 2)

19 June 2024 14 minutes Author: Cyber Witcher

In the first part of the article, we focused on AT commands. In this part, we’ll look at the capabilities of the SIM Application Toolkit (STK), which allow the operator and applications to interact with the SIM card to perform various tasks, including managing network functions and security. Special attention is paid to the potential vulnerabilities of STK and the ways in which attackers can exploit these features for attacks.

Disclaimer: This article is prepared on the basis of information from open sources and is for educational purposes only. Its goal is to help understand the techniques attackers can use so users can better protect themselves. We do not support any illegal activities and encourage you to use this knowledge only to improve your own security.

Let’s continue

Some SIM cards have additional features that give the network operator remote access for maintenance or for value-added customer services, such as credit, weather or banking services. These tasks are performed by SIM applets, programs installed on the SIM card, which use STK commands and routines to interact with compatible mobile devices and so enable external communication.

The STK application can be accessed through the main menu or device settings. Sometimes this requires USSD (unstructured supplementary service data) codes, which consist of a combination of numbers with a hash (#) and an asterisk (*).

Sample SIM Toolkit (STK) menu icon on Pixel 4a.
Sample SIM Toolkit Application (STK) menu item on Nokia 3330.

Accessing the STK app of the SIM under test (SUT) on a Samsung S6 with the USSD code *888#.

STK-capable SIM cards can be identified through the DF_GSM directory (3F00/7F20), which contains the “GSM SIM service table”. This table lists all network-related information and also shows which SIM Application Toolkit services the SIM under test (SUT) supports. Below is an example:

STK-related services identified on the SUT using SIMspy II.

Below are some of these services/applications, with example screenshots:

  • SMS-Cell Broadcast Data Download is used to deliver a message to all mobile equipment in a certain area.

  • SMS-Point-to-Point Data Download is used to initialize the SIM card.

  • A proactive SIM defines the protocol by which the SIM card issues commands to the mobile device. It offers various commands that the SIM card can send directly to the phone, such as DISPLAY TEXT, PLAY TONE, RUN AT COMMAND, SET UP CALL, SEND SHORT MESSAGE, SEND DTMF and many more.

TAR (Toolkit Application Reference)

Toolkit Application References (TARs) are used to identify services or applications precisely within the toolkit mechanism (e.g. SMS-Cell Broadcast Data Download, SMS Point-to-Point Data Download, Proactive SIM). TARs uniquely identify services or applications using a number range from 000001 to FFFFFF. The TAR ranges and their categories are listed below.

  • TAR: 000000, Category: Card Manager

  • TAR: 000001 to AFFFFF, Category: Allocated by Tier 1 Program Issuer

  • TAR: B00000 to B0FFFF, Category: Remote File Management (RFM)

  • TAR: B10000 to B1FFFF, Category: Payment application

  • TAR: B20000 to BFFEFF, Category: RFS

  • TAR: BFFF00 to BFFFFF, Category: Toolkit Proprietary

  • TAR: C00000 to FFFFFF, Category: Allocated by Tier 1 Program Issuer

TARs underpin the features and services that operators use to communicate remotely with SIM cards, install applications and manage their content. Access to the data behind a TAR normally requires ADM keys, for which the number of entry attempts is limited to 5-8; without valid keys the SIM card may stop working. However, because of security flaws, some TARs can be reached without keys via specially crafted SMS.

We assembled a collection of SIM cards from many operators for vulnerability research. Some were purchased online or sent by friends from abroad. Although some of them were inactive on the network, they were still useful for analysis. Most SIM cards needed active credit; without it, activation and testing were impossible.

Some SIM cards.

During this study, we tested more than 60 SIM cards. Below is a breakdown of networks and origins:

  • Giffgaff (UK) * 16

  • Lebara (Great Britain) * 8

  • O2 (Great Britain) * 6

  • T-Mobile (Great Britain) * 5

  • Lyca Mobile (Great Britain) * 4

  • Smarty (Great Britain) * 3

  • VOXY (Great Britain) * 2

  • EE (Great Britain) * 2

  • Vodafone (Great Britain) * 2

  • 3 (Great Britain) * 2

  • Tesco Mobile (Great Britain) * 2

  • Wind Tre (Italy) * 2

  • Talk Home (Great Britain) * 1

  • ASDA Mobile (Great Britain) * 1

  • Vodafone (Italy) * 1

  • Vodacom (Tanzania) * 1

  • Salt Mobile (Switzerland) * 1

  • Natel (Switzerland) * 1

  • Kölbi (Costa Rica) * 1

It seemed that many of the SIM cards I had were vulnerable to SIM hijacking attacks through unsecured applications. To identify vulnerable applications, I checked all TARs used by applications on the SUT and noted those that returned an unprotected response (for example, responses without KIc/KID protection). SIMTester identified various remote file management (RFM) TARs that could be reached via OTA SMS push commands. It is important to note that these SIM cards were manufactured at different times, but many of them are still available for purchase. Below are screenshots demonstrating the process of identifying vulnerable TARs and the results of testing vulnerable SIM cards using SIMTester.

Using SIMTester, a TAR scan can take years.
A SIM card potentially vulnerable to a RAM attack.
Example of a SIM card vulnerable to an RFM attack (B00001/2:SIM, B00010:USIM).
The SIM card is vulnerable to SIMjacker via S@T Browser.

Test setup

We used a limited demo version of NowSMS, hoping to learn about Over The Air (OTA) and how to remotely launch services/apps on vulnerable SIM cards using SMS. NowSMS is an SMS and MMS gateway solution ($449.00 USD for full version).

NowSMS SMS&MMS Gateway software GUI and its web interface.

The NowSMS server software was installed on my laptop (gateway) and I used a Samsung S6 (GSM modem) for the client.

Now SMS modem on Samsung S6.

The SMS messages were sent to a Nokia 3330 (a variant of the famous Nokia 3310) connected to another laptop with an F-BUS data cable (model DAU-05B) and a USB-to-RS232 converter, combined with the dct3-gsmtap utility, with the well-known Wireshark used for traffic analysis.

Serial pins on the Nokia 3330.
Nokia USB F-BUS cable connected between the battery and the serial pins.
Environment settings.

This made it possible to capture GSM data in both directions after enabling a hidden menu called NetMonitor on the Nokia 3330, which can be done with a tool called gnokii.

An example of a received SMS, decoded.

The NetMonitor menu, available on various Nokia phones, consists of a set of displays that provide a wealth of SIM, phone, and network information.

Below is a list of available displays:

  • Display 1: Cell information

  • Display 2: Additional information about the serving cell

  • Display 3: serving cell, 1st and 2nd neighbors

  • Display 4 and 5: 3-8 adjacent cells

  • Display 6: Network selection display

  • Display 7: system information bits for the serving cell

  • Display 10: Paging Retry Period, TMSI, Location Update Timer, AFC and AGC

  • Display 12: Encryption, switching, DTX and IMSI status

  • Display 13: Uplink DTX switching display

  • Display 14: Toggle shielding indicator

  • Display 17: “BTS Test” status switch.

  • Display 18: lighting status control

  • Display 19: Toggle cell lock status

  • Display 20: charging status

  • Display 21: Display of constant charging voltage

  • Display 22: Full battery detection

  • Display 23: Battery and phone status monitor

  • Display 24: BSI value

  • Display 30: Audio API register display

  • Display 34: FBUS display

  • Display 35: Reasons for software reset

  • Display 36: Counters to reset

  • Display 39: Information about the reasons for canceling the call

  • Display 40: reset transmission counters

  • Display 41 (single-band): transmission display

  • Display 41 (dual-band): transmission display, INTER CELL

  • Display 42 (dual-band): transmission display, INTRA CELL

  • Display 43: L2 display

  • Display 44: Switch version level

  • Display 45: Switching transmitter functions

  • Display 51: SIM information

  • Display 54: block display 1

  • Display 55: Lock display 2

  • Display 56: block display 3

  • Display 57: Memory status before reset

  • Display 60: reset counters to zero

  • Display 61: Search and reselection counter display

  • Display 61 (dual-band): Search and reselection counter display

  • Display 62: Neighbor measurement counter display

  • Display 63: Counters of call attempts

  • Display 64: Location update attempt counters

  • Display 65: Counters of SMS attempts

  • Display 66: SMS timeout counters

  • Display 70: DSP time counters

  • Display 71 and 72: Control DSP 1 and 2 sound enhancements

  • Display 73: General display for DSP Audio Enhancements

  • Display 74: DSP 1 Sound Enhancement (DRC)

  • Display 75: Audio path status

  • Display 76: Ear (= DownLink) sound display

  • Display 77: Display audio from microphone (= UpLink).

  • Display 78: DSP Audio Enhancement (AEC)

  • Display 79: Sound equalizer display

  • Display 80: Reset and restart timers

  • Display 81: enable or disable timers

  • Display 82: Test timer display

  • Display 83: control the display of job information

  • Display 84, 85 and 86: Information about the task

  • Display 87: Information about OS_SYSTEM_STACK

  • Display 88: Information about the current MCU and DSP software versions

  • Display 88 (Nokia 9210): Organizer version information

  • Display 89: Information about current HW and TXT versions

  • Display 89 (Nokia 9210): information about the version of the telephone part

  • Display 96 (Nokia 3210): receiver temperature

  • Display 99 (Nokia 7110): FBUS mode and accessory mode

  • Display 100 (Nokia 7110, 62XX): internal memory usage, overview

  • Display 102 (Nokia 9210): Type of last data call

  • Display 103 (Nokia 9210): Type of last MT call

  • Display 107 (Nokia 62XX): voice dialing function

  • Display 110-115 (Nokia 7110, Nokia 62XX): internal memory usage, details

  • Display 130 (Nokia 7110): Open the counter

  • Display 132 (Nokia 3310): call information

  • Display 133 (Nokia 3310): Information about the charger

  • Display 240 (no output): Clear counters and start timers

  • Display 241 (no output): Disable the NetMonitor menu

  • Display 242 (no output): Disable R&D field test displays

Access to display 01 secret menu of NetMonitor on Nokia 3310.

Access to display 11 of NetMonitor secret menu on Nokia 3310.
Access to display 62 of NetMonitor secret menu on Nokia 3310.

Display 17 is the next hidden option in the NetMonitor menu and can be enabled by creating a SIM phonebook entry called “BTS TEST” in position 33 of the contact list, using the cell tower ID number as the contact’s phone number. This can also be done with gnokii using the following phonebook entry:

// gnokii phonebook format: name; number (here the cell ID); memory type (SM = SIM); location; caller group
BTS TEST;113;SM;33;5

Display 17 allows a mobile device to be “tethered” to a single cell tower; while this feature is in use no information is exchanged with neighbouring cells, but data can still be sent and received without problems. Since IMSI catchers work by creating fake cell towers to which victims connect because of the stronger signal, Display 17 certainly merits further investigation.

Looking at display 3, information was being transmitted between adjacent cells when BTS TEST was turned off.
Enabling the “BTS TEST” function to work on channel 113 (Cell Tower ID 113, visible in the previous screenshot).
Cell towers no longer exchanged data when a mobile device was forced to connect to a cell tower with ID 113.

SHORT MESSAGE SERVICE (SMS)

An SMS can be sent through a mobile device, a computer or a server and transmitted to a Short Message Service Center (SMSC), which ultimately routes it to its destination. Although the process of sending and receiving SMS seems simple, it involves several roles and routes that define the type of SMS. The short message service consists of two main services:

  • Short Message Mobile Terminated (SM MT): SMS received on the subscriber’s mobile device. The PDU type for this case is SMS-DELIVER.

  • Short Message Mobile Originated (SM MO): SMS sent from the subscriber’s mobile device. The PDU type this produces is SMS-SUBMIT.

There may also be a follow-up SMS of type SMS-STATUS-REPORT, sent by the SMSC to the originating mobile device to confirm that the destination address (DA) has received the SMS.

SMS-SUBMIT and SMS-DELIVER process.

All outgoing SMS messages sent with NowSMS were listed in the web admin interface, encoded in Protocol Data Unit (PDU) format using the GSM 7-bit alphabet. This meant that every SMS PDU could be parsed, decoded, modified and reused.

PDU messages can be sent via USB modem (or compatible phone) using Minicom. Below is an example of how to send an SMS-SUBMIT PDU containing the text “Hello SensePost” using Minicom.

AT+CMGS=27    // length in octets (70 hex characters / 2 - 8 SMSC octets)
> 079144872000626001000C9144573227562000000FC8329BFD064DCBEE7919FA9ED301    // press Ctrl+Z here instead of Enter

Below is a table describing each part (octets) of the above payload. SMS PDU decoders are also easily found online – for example https://www.diafaan.com/sms-tutorials/gsm-modem-tutorial/online-sms-submit-pdu-decoder/ . The python SMS PDU module ( pip install smspdu) was also a handy tool for creating the correct payload.

  • Octet: 07, Meaning: SMSC address length

  • Octet: 91, TP field: address type, Meaning: 91 = international (81 = national)

  • Octet: 448720006260 (international) or 7008022660F (national, F = padding), TP field: SMSC, Meaning: service centre number (+447802002606)

  • Octet: 01, TP field: TP-MTI, Meaning: message type indicator, SMS-SUBMIT (21 = SMS-SUBMIT with status report request)

  • Octet: 00, TP field: TP-MR, Meaning: message reference

  • Octet: 0C, Meaning: destination address length in semi-octets (digits)

  • Octet: 91, TP field: address type, Meaning: 91 = international

  • Octet: 441122334455, TP field: TP-DA, Meaning: destination address (+441122334455)

  • Octet: 00, TP field: TP-PID, Meaning: protocol identifier

  • Octet: 00, TP field: TP-DCS, Meaning: data coding scheme

  • Octet: 0F, TP field: TP-UDL, Meaning: user data length

  • Octet: C8329BFD064DCBEE7919FA9ED301, TP field: TP-UD, Meaning: user data (“Hello SensePost”)

The SMSC can also be omitted (00), in which case the default service centre stored on the SIM card (EFsmsp, short message service parameters) is used.

Usually, the SMS is automatically saved on the SIM card once the mobile device has received it, and the subscriber can later choose to delete or keep it. However, SMS classes can be used to specify where the SMS should be stored.

  • Class 0: When using this class, the SMS will appear on the recipient’s mobile phone screen and no user intervention is required. This SMS will be automatically deleted after a very short time (default is 5 minutes, but can also be set to 0 seconds, which will result in an invisible SMS) unless the user chooses to save it. To use this class, the Data Coding Scheme (TP-DCS) field must be set to 10.

  • Class 1: This class indicates that the SMS will be stored in the device memory or on the SIM card. The TP-DCS field must be set to 11.

  • Class 2: This class is used when the SMS contains SIM card data. For this class, the Data Coding Scheme (TP-DCS) must be set to 12.

  • Class 3: This class indicates that the SMS will be forwarded to an external device once received. In this case, the TP-DCS field should be set to 13.

Below is a simple Class 0 SMS PDU (no further testing was done on other SMS class types) followed by an example of how to abuse this feature.

AT+CMGS=28
> 0001000C9144112233445500 10 114676788E064D9B53500B34A7D7E96D
Standard Class 0 SMS.
Sample SMiShing from SMS class 0.

Although the following only works on older phones (mostly Nokia), below is an example of WAP OTA service settings that can also be sent via SMS.

<!-- TP-USER-DATA -->
<?xml version="1.0"?>
<!DOCTYPE CHARACTERISTIC-LIST SYSTEM "file://c:/settingspush/settings.dtd" >
<CHARACTERISTIC-LIST>
<CHARACTERISTIC TYPE="ADDRESS">
<PARM NAME="BEARER" VALUE="GSM/CSD"/>
<PARM NAME="PROXY" VALUE="52.85.104.62"/>
<PARM NAME="CSD_DIALSTRING" VALUE="+44123456"/>
<PARM NAME="PPP_AUTHTYPE" VALUE="PAP"/>
<PARM NAME="PPP_AUTHNAME" VALUE="stutm"/>
<PARM NAME="PPP_AUTHSECRET" VALUE="password123"/>
<PARM NAME="CSD_CALLTYPE" VALUE="ANALOGUE"/>
<PARM NAME="CSD_CALLSPEED" VALUE="AUTO"/>
</CHARACTERISTIC>
<CHARACTERISTIC TYPE="URL" VALUE="https://sensepost.com"/>
<CHARACTERISTIC TYPE="NAME">
<PARM NAME="NAME" VALUE="SensePost:)"/>
</CHARACTERISTIC>
<CHARACTERISTIC TYPE="BOOKMARK">
<PARM NAME="NAME" VALUE="Wap"/>
<PARM NAME="URL" VALUE="https://sensepost.com"/>
</CHARACTERISTIC>
</CHARACTERISTIC-LIST>
// First SMS PDU
AT+CMGS=155
> 0051000C9144571651228900F5A78C0B0504C34FC002000304020101062C1F2A6170706C69636174696F6E2F782D7761702D70726F762E62726F777365722D73657474696E67730081EA01016A0045C60601871245018713110335322E38352E3130342E36320001872111032B343431323334353600018722700187231103737475746D00018724110370617373776F726431323300018728720187
// Second SMS PDU
AT+CMGS=123
> 0051000C9144571651228900F5A75D0B0504C34FC0020003040202296A01018607110368747470733A2F2F73656E7365706F73742E636F6D0001C608018715110353656E7365506F73743A29000101C67F0187151103737475746D3A2900018717110368747470733A2F2F73656E7365706F73742E636F6D00010101

Setting up the WAP OTA service.

Conclusion

In this post, we’ve covered many aspects related to a SIM card, including physical specifications, internal software, methods of interacting with apps, and testing them on a SIM card. In addition, we discussed information about SMS messages, including how to send custom SMS messages.

This information is drawn from SensePost’s public research.
