In the first part of the article, we focused on AT commands. In this part, we’ll look at the capabilities of the SIM Application Toolkit (STK), which allow the operator and applications to interact with the SIM card to perform various tasks, including managing network functions and security. Special attention is paid to the potential vulnerabilities of STK and the ways in which attackers can exploit these features for attacks.
Disclaimer: This article is prepared on the basis of information from open sources and is for educational purposes only. Its goal is to help understand the techniques attackers can use so users can better protect themselves. We do not support any illegal activities and encourage you to use this knowledge only to improve your own security.
Access SUT STK app on Samsung S6 with USSD code *888#.
STK-capable SIM cards can be identified through the DF_GSM directory (3F00/7F20), which contains the “GSM SIM service table”. This table lists which network-related services are enabled on the card, and it also reveals which services are used by the SIM Application Toolkit (SUT). Below is an example:
Below are some of these services/applications, with an example screenshot:
SMS-Cell Broadcast Data Download is used to deliver a message to all mobile equipment in a certain area.
SMS-Point-to-Point Data Download is used to initialize the SIM card.
A proactive SIM card uses a protocol between the SIM card and the mobile device in which the SIM can issue commands directly to the phone, such as DISPLAY TEXT, PLAY TONE, START ON COMMAND, SET UP CALL, SEND SHORT MESSAGE, SEND DTMF and many more.
Toolkit Application References (TARs) are used to uniquely identify services or applications in the toolkit mechanism (e.g. SMS-Cell Broadcast Data Download, SMS Point-to-Point Data Download, Proactive SIM, etc.). A TAR is a number in the range 000001 to FFFFFF. Below is more information about the meaning of TAR values and their categories.
TAR 000000: Card Manager
TAR 000001 to AFFFFF: Allocated by Tier 1 Program Issuer
TAR B00000 to B0FFFF: Remote File Management (RFM)
TAR B10000 to B1FFFF: Payment application
TAR B20000 to BFFEFF: RFS
TAR BFFF00 to BFFFFF: Toolkit Proprietary
TAR C00000 to FFFFFF: Allocated by Tier 1 Program Issuer
TARs underpin the features and services operators use to communicate with SIM cards remotely, install applications and manage their content. Access to the data behind a TAR is possible only with the ADM keys, and the number of entry attempts is limited to 5-8. Attempts without valid keys may leave the SIM card malfunctioning. However, due to security flaws, some TARs can be reached without any keys via specially crafted SMS.
We assembled a collection of SIM cards from many operators for the vulnerability research. Some were purchased online or sent by friends from abroad. Although some of them were no longer active on the network, they were still useful for analysis. Most SIM cards required active credit; otherwise activation and testing were impossible.
During this study we tested more than 60 SIM cards. Below is a breakdown by network and country of origin (name, country, number of cards):
Giffgaff (UK): 16
Lebara (Great Britain): 8
O2 (Great Britain): 6
T-Mobile (Great Britain): 5
Lyca Mobile (Great Britain): 4
Smarty (Great Britain): 3
VOXY (Great Britain): 2
EE (Great Britain): 2
Vodafone (Great Britain): 2
3 (Great Britain): 2
Tesco Mobile (Great Britain): 2
Wind Tre (Italy): 2
Talk Home (Great Britain): 1
ASDA Mobile (Great Britain): 1
Vodafone (Italy): 1
Vodacom (Tanzania): 1
Salt Mobile (Switzerland): 1
Natel (Switzerland): 1
Kölbi (Costa Rica): 1
It seemed that many of the SIM cards I had were vulnerable to SIM theft attacks through unsecured apps. To identify vulnerable applications, I checked all TARs used by applications in the SUT and identified those that returned an unprotected response (such as KIC and KIK). SIMTester identified various remote file management (RFM)-related TARs that could be available via OTA SMS for push commands. It is important to note that these SIM cards were manufactured at different times, but many of them are still available for purchase. Below are screenshots demonstrating the process of identifying vulnerable TARs and the results of testing vulnerable SIM cards using SIMTester.
We used a limited demo version of NowSMS, hoping to learn about Over The Air (OTA) and how to remotely launch services/apps on vulnerable SIM cards using SMS. NowSMS is an SMS and MMS gateway solution ($449.00 USD for full version).
The NowSMS server software was installed on my laptop (gateway) and I used a Samsung S6 (GSM modem) for the client.
The SMS messages were sent to a Nokia 3330 (a variant of the famous Nokia 3310) connected to another laptop with an F-BUS data cable (model DAU-05B) and a USB-to-RS232 converter. The dct3-gsmtap utility was used together with the well-known Wireshark utility to analyse the traffic.
This made it possible to capture GSM data in both directions after enabling a hidden menu called NetMonitor on the Nokia 3330. NetMonitor can be enabled with a tool called gnokii.
The NetMonitor menu, available on various Nokia phones, consists of a set of displays that provide a wealth of SIM, phone, and network information.
Below is a list of available displays:
Display 1: Cell information
Display 2: Additional information about the serving cell
Display 3: serving cell, 1st and 2nd neighbors
Display 4 and 5: 3-8 adjacent cells
Display 6: Network selection display
Display 7: system information bits for the serving cell
Display 10: Paging Retry Period, TMSI, Location Update Timer, AFC and AGC
Display 12: Encryption, switching, DTX and IMSI status
Display 13: Uplink DTX switching display
Display 14: Toggle shielding indicator
Display 17: “BTS Test” status switch.
Display 18: lighting status control
Display 19: Toggle cell lock status
Display 20: charging status
Display 21: Display of constant charging voltage
Display 22: Full battery detection
Display 23: Battery and phone status monitor
Display 24: BSI value
Display 30: Audio API register display
Display 34: FBUS display
Display 35: Reasons for software reset
Display 36: Counters to reset
Display 39: Information about the reasons for canceling the call
Display 40: reset transmission counters
Display 41 (single-band): transmission display
Display 41 (dual-band): transmission display, INTER CELL
Display 42 (dual-band): transmission display, INTRA CELL
Display 43: L2 display
Display 44: Switch version level
Display 45: Switching transmitter functions
Display 51: SIM information
Display 54: block display 1
Display 55: Lock display 2
Display 56: block display 3
Display 57: Memory status before reset
Display 60: reset counters to zero
Display 61: Search and reselection counter display
Display 61 (dual-band): Search and reselection counter display
Display 62: Neighbor measurement counter display
Display 63: Counters of call attempts
Display 64: Location update attempt counters
Display 65: Counters of SMS attempts
Display 66: SMS timeout counters
Display 70: DSP time counters
Display 71 and 72: Control DSP 1 and 2 sound enhancements
Display 73: General display for DSP Audio Enhancements
Display 74: DSP 1 Sound Enhancement (DRC)
Display 75: Audio path status
Display 76: Ear (= DownLink) sound display
Display 77: Microphone (= UpLink) sound display
Display 78: DSP Audio Enhancement (AEC)
Display 79: Sound equalizer display
Display 80: Reset and restart timers
Display 81: enable or disable timers
Display 82: Test timer display
Display 83: control the display of job information
Display 84, 85 and 86: Information about the task
Display 87: Information about OS_SYSTEM_STACK
Display 88: Information about the current MCU and DSP software versions
Display 88 (Nokia 9210): Organizer version information
Display 89: Information about current HW and TXT versions
Display 89 (Nokia 9210): information about the version of the telephone part
Display 96 (Nokia 3210): receiver temperature
Display 99 (Nokia 7110): FBUS mode and accessory mode
Display 100 (Nokia 7110, 62XX): internal memory usage, overview
Display 102 (Nokia 9210): Type of last data call
Display 103 (Nokia 9210): Type of last MT call
Display 107 (Nokia 62XX): voice dialing function
Display 110-115 (Nokia 7110, Nokia 62XX): internal memory usage, details
Display 130 (Nokia 7110): Open the counter
Display 132 (Nokia 3310): call information
Display 133 (Nokia 3310): Information about the charger
Display 240 (no output): Clear counters and start timers
Display 241 (no output): Disable the NetMonitor menu
Display 242 (no output): Disable R&D field test displays
Access to display 01 secret menu of NetMonitor on Nokia 3310.
Display 17 is another hidden option in the NetMonitor menu. It is enabled by creating a SIM phonebook entry named “BTS TEST” in position 33 of the contact list, using the cell tower ID as the contact’s phone number. This can also be done with gnokii using the following phonebook entry:
// Entry name; number (Cell ID); memory (SM = SIM); position; label
BTS TEST;113;SM;33;5
Display 17 allows a mobile device to be locked to a single cell tower; with this feature enabled, no information is sent to neighbouring cells, yet data can still be sent and received without problems. Since IMSI catchers work by setting up fake cell towers that victims connect to because of their stronger signal, Display 17 certainly deserves further investigation.
SHORT MESSAGE SERVICE (SMS)
An SMS can be sent through a mobile device, a computer or a server and transmitted to a Short Message Service Center (SMSC), which ultimately routes it to its destination. Although the process of sending and receiving SMS seems simple, it involves several roles and routes that define the type of SMS. The short message service consists of two main services:
Short Message Mobile Terminated (SM MT): this service refers to SMS received on the subscriber’s mobile device. In this case the SMS type is SMS-DELIVER.
Short Message Mobile Originated (SM MO): this service refers to SMS sent from the subscriber’s mobile device. The resulting SMS type is SMS-SUBMIT.
In some cases a follow-up message of type SMS-STATUS-REPORT is sent by the SMSC to the originating mobile device to confirm that the destination address (DA) has received the SMS.
All outgoing SMS messages sent with NowSMS were listed in the web admin interface, encoded as Protocol Data Units (PDUs) using the GSM 7-bit alphabet. This meant that every SMS PDU could be parsed, taken apart, modified and reused.
PDU messages can be sent via USB modem (or compatible phone) using Minicom. Below is an example of how to send an SMS-SUBMIT PDU containing the text “Hello SensePost” using Minicom.
AT+CMGS=27  // length in octets (70 hex characters / 2 - 8 SMSC octets)
> 079144872000626001000C9144573227562000000FC8329BFD064DCBEE7919FA9ED301  // press Ctrl+Z here instead of ENTER
Below is a table describing each part (octets) of the above payload. SMS PDU decoders are also easily found online – for example https://www.diafaan.com/sms-tutorials/gsm-modem-tutorial/online-sms-submit-pdu-decoder/ . The python SMS PDU module ( pip install smspdu) was also a handy tool for creating the correct payload.
Octet: 07, TP field: SMSC length, Meaning: address length
Octet: 91, TP field: Type of address, Meaning: 91 international (81 national)
Octet: 448720006260 (international) or 7008022660F (national, F = padding), TP field: SMSC, Meaning: SMSC number (+447802002606)
Octet: 01, TP field: TP-MTI, Meaning: message type indicator, SMS-SUBMIT (21 = SMS-SUBMIT with status report request)
Octet: 00, TP field: TP-MR, Meaning: message reference
Octet: 0C, TP field: TP-DA length, Meaning: address length in half-octets (digits)
Octet: 91, TP field: Type of address, Meaning: 91 international
Octet: 441122334455, TP field: TP-DA, Meaning: destination address (+441122334455)
Octet: 00, TP field: TP-PID, Meaning: protocol identifier
Octet: 00, TP field: TP-DCS, Meaning: data coding scheme
Octet: 0F, TP field: TP-UDL, Meaning: user data length
Octet: C8329BFD064DCBEE7919FA9ED301, TP field: TP-UD, Meaning: user data (Hello SensePost)
The SMSC can also be omitted (00); in that case the default SMSC stored on the SIM card (EF_SMSP, SMS service parameters) is used.
Usually an SMS is saved to the SIM card automatically once the mobile device receives it; the subscriber can delete or keep it later. However, SMS classes can be used to specify where the SMS should be stored.
Class 0: When using this class, the SMS will appear on the recipient’s mobile phone screen and no user intervention is required. This SMS will be automatically deleted after a very short time (default is 5 minutes, but can also be set to 0 seconds, which will result in an invisible SMS) unless the user chooses to save it. To use this class, the Data Coding Scheme (TP-DCS) field must be set to 10.
Class 1: This class indicates that the SMS will be stored in the device memory or on the SIM card. The TP-DCS field must be set to 11.
Class 2: This class is used when the SMS contains SIM card data. For this class, the Data Coding Scheme (TP-DCS) must be set to 12.
Class 3: This class indicates that the SMS will be forwarded to an external device once received. In this case, the TP-DCS field should be set to 13.
Below is a simple Class 0 SMS PDU (no further testing was done on other SMS class types) followed by an example of how to abuse this feature.
AT+CMGS=28
> 0001000C9144112233445500 10 11 4676788E064D9B53500B34A7D7E96D  // TP-DCS = 10 (class 0)
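To make the PDU layout in the table above concrete, here is a small Python encoder/decoder (an added example, not code from the article or from SensePost) that rebuilds the article's two PDUs, the “Hello SensePost” SMS-SUBMIT and the Class 0 message, and reports the message class so that class 0 (on-screen only, never stored) messages can be spotted in captured PDUs. It assumes the general 7-bit coding group and text limited to ASCII characters that share their GSM 7-bit code; the phone numbers are the ones the article's PDUs actually encode.

```python
import re
ASCII_SAFE = re.compile(r"[A-Za-z0-9 !\"%&'()*+,\-./:;<=>?]*")  # chars whose GSM 7-bit code equals ASCII

def pack7(text: str) -> bytes:
    """Pack text into GSM 03.38 7-bit septets, LSB first, exactly as TP-UD carries them."""
    if not ASCII_SAFE.fullmatch(text):
        raise ValueError("character outside the ASCII subset handled here")
    bits = sum(ord(ch) << (7 * i) for i, ch in enumerate(text))
    return bits.to_bytes((7 * len(text) + 7) // 8, "little")

def unpack7(data: bytes, septets: int) -> str:
    """Inverse of pack7: septet i sits at bit offset 7*i of the little-endian bit stream."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))

def swap_nibbles(digits: str) -> bytes:
    """Semi-octet encoding of a phone number: digit pairs swapped, odd length padded with F."""
    digits += "F" * (len(digits) % 2)
    return bytes.fromhex("".join(digits[i + 1] + digits[i] for i in range(0, len(digits), 2)))

def unswap_nibbles(data: bytes) -> str:
    h = data.hex().upper()
    return "".join(h[i + 1] + h[i] for i in range(0, len(h), 2)).rstrip("F")

def build_submit(smsc: str, da: str, text: str, dcs: int = 0x00) -> tuple[int, str]:
    """Return (AT+CMGS length, PDU hex). Empty smsc emits 00, so the SIM default from EF_SMSP is used."""
    smsc_part = b"\x00"
    if smsc:
        num = swap_nibbles(smsc.lstrip("+"))
        smsc_part = bytes([len(num) + 1, 0x91]) + num  # length octet also counts the type-of-address octet
    da_digits = da.lstrip("+")
    tpdu = bytes([0x01, 0x00, len(da_digits), 0x91]) + swap_nibbles(da_digits)  # MTI=SUBMIT, TP-MR, TP-DA
    tpdu += bytes([0x00, dcs, len(text)]) + pack7(text)  # TP-PID, TP-DCS, TP-UDL (septets), TP-UD
    return len(tpdu), (smsc_part + tpdu).hex().upper()

def parse_submit(pdu_hex: str) -> dict:
    """Decode an SMS-SUBMIT PDU (7-bit alphabet only) and report its message class, if any."""
    b = bytes.fromhex(pdu_hex)
    smsc_len, p = b[0], 1 + b[0]
    smsc = ("+" if b[1] == 0x91 else "") + unswap_nibbles(b[2:1 + smsc_len]) if smsc_len else ""
    if (b[p] & 0x03) != 0x01:
        raise ValueError("not an SMS-SUBMIT PDU")
    n, p = (b[p + 2] + 1) // 2, p + 3  # DA octet count; skip first octet and TP-MR
    da = ("+" if b[p] == 0x91 else "") + unswap_nibbles(b[p + 1:p + 1 + n])
    p += 1 + n
    pid, dcs, udl = b[p], b[p + 1], b[p + 2]
    if dcs & 0xEC:
        raise ValueError("only the general, uncompressed 7-bit coding group is handled")
    cls = dcs & 0x03 if dcs & 0x10 else None  # bit 4 set: class present; class 0 = shown on screen, not stored
    return {"smsc": smsc, "da": da, "pid": pid, "dcs": dcs, "class": cls, "text": unpack7(b[p + 3:], udl)}
```

Running parse_submit over PDUs logged by a modem or the NowSMS interface gives a quick way to flag class 0 messages that never reach the inbox.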
Although the following only works on older phones (mostly Nokia), below is an example of WAP OTA service settings that can also be sent via SMS.
<!-- TP-USER-DATA -->
<?xml version="1.0"?>
<!DOCTYPE CHARACTERISTIC-LIST SYSTEM "file://c:/settingspush/settings.dtd">
<CHARACTERISTIC-LIST>
  <CHARACTERISTIC TYPE="ADDRESS">
    <PARM NAME="BEARER" VALUE="GSM/CSD"/>
    <PARM NAME="PROXY" VALUE="52.85.104.62"/>
    <PARM NAME="CSD_DIALSTRING" VALUE="+44123456"/>
    <PARM NAME="PPP_AUTHTYPE" VALUE="PAP"/>
    <PARM NAME="PPP_AUTHNAME" VALUE="stutm"/>
    <PARM NAME="PPP_AUTHSECRET" VALUE="password123"/>
    <PARM NAME="CSD_CALLTYPE" VALUE="ANALOGUE"/>
    <PARM NAME="CSD_CALLSPEED" VALUE="AUTO"/>
  </CHARACTERISTIC>
  <CHARACTERISTIC TYPE="URL" VALUE="https://sensepost.com"/>
  <CHARACTERISTIC TYPE="NAME">
    <PARM NAME="NAME" VALUE="SensePost:)"/>
  </CHARACTERISTIC>
  <CHARACTERISTIC TYPE="BOOKMARK">
    <PARM NAME="NAME" VALUE="Wap"/>
    <PARM NAME="URL" VALUE="https://sensepost.com"/>
  </CHARACTERISTIC>
</CHARACTERISTIC-LIST>
// First SMS PDU
AT+CMGS=155
> 0051000C9144571651228900F5A78C0B0504C34FC002000304020101062C1F2A6170706C69636174696F6E2F782D7761702D70726F762E62726F777365722D73657474696E67730081EA01016A0045C60601871245018713110335322E38352E3130342E36320001872111032B343431323334353600018722700187231103737475746D00018724110370617373776F726431323300018728720187
// Second SMS PDU
AT+CMGS=123
> 0051000C9144571651228900F5A75D0B0504C34FC0020003040202296A01018607110368747470733A2F2F73656E7365706F73742E636F6D0001C608018715110353656E7365506F73743A29000101C67F0187151103737475746D3A2900018717110368747470733A2F2F73656E7365706F73742E636F6D00010101
Setting up the WAP OTA service.
In this post, we’ve covered many aspects related to a SIM card, including physical specifications, internal software, methods of interacting with apps, and testing them on a SIM card. In addition, we discussed information about SMS messages, including how to send custom SMS messages.