How do criminals steal your numbers and what is SIM hijacking? (Part 1)

19 June 2024 11 minutes Author: Cyber Witcher
The article will discuss the threats of SIM hijacking, including the methods used by criminals to steal mobile numbers. The consequences of such attacks for users will be described, including possible financial losses and compromise of personal data. The article will also provide advice on how to protect against SIM hijacking, including security recommendations from mobile operators and ways to minimize risks. Readers will learn how to spot suspicious activity and what to do in the event of an attack.

Disclaimer: This article is prepared on the basis of information from open sources and is for educational purposes only. Its goal is to help understand the techniques attackers can use so users can better protect themselves. We do not support any illegal activities and encourage you to use this knowledge only to improve your own security.

Let’s start

“The phone numbers of 533 million Facebook users were leaked” is one of the resonant headlines that flooded social networks. The leak, which was originally sold in 2020, was recently made public for free on a hacking forum. It contains mobile phone numbers and a great deal of other related information. This news has spawned websites like https://haveibeenzucked.com , where you can check whether your data is included in the Facebook leak.

“What can they do with my phone number? Do I need to change my number? The leak is not serious, they don’t have my Facebook password,” are the thoughts expressed by many unsuspecting victims.

Unfortunately, information leaks have serious implications for user privacy. This data can be used for scam calls, harassment, insurance market research and political action. In this post, I’ll cover SIM-related issues and describe some physical, software, and other attack methods.

Attacks using only a phone number

In light of the Facebook data leak, we understand that this information could be the basis for a variety of attacks, including:

Social engineering attacks are a popular method of obtaining information through interaction with people. Attackers manipulate victims into revealing confidential information. This is achieved through phone calls or SMS, using psychological manipulation. Number spoofing is often used to make the victim believe the call or message is legitimate.

SMS Redirection Attacks – Some time ago, a hacker named Lucky225 highlighted a carrier issue that allowed someone to receive or access an SMS meant for another person. Not to be confused with SIM replacement or SMS hijacking, this discovery was rather due to a bug on the Sakari platform. Sakari is a company offering SMS forwarding, SMS marketing and bulk messaging services for businesses. Apparently, the lack of a two-factor authentication mechanism on the Sakari platform allowed Lucky225 to read all SMS messages of the target phone number. Indeed, attackers could read all of a victim’s SMS messages simply by adding their phone number to the platform, and with just a few dollars they could impersonate the owner. Out of curiosity, I tried to create an account at https://sakari.io but it was not possible at the time of publishing this blog. While there may be other similar companies out there, many carriers like AT&T, Verizon, and T-Mobile have already mitigated the loophole. Sakari has also finally implemented a multi-factor authentication/verification solution.

SIM swapping is a method where attackers pretend to be the owners of phone numbers, using fake documents to manipulate mobile operators into transferring rights to a new SIM card. This can lead to account hijacking or illegal financial transactions.

Simjacker is a vulnerability announced in 2019 that still affects many SIM cards. The attack involves sending an SMS carrying malicious instructions that target SIM applications such as the S@T Browser, which allows triggering SIM Toolkit events and performing logical operations on the device.

Testing on the real network requires a license and any unsolicited testing is illegal. You need to understand what you are doing before any tests and this blog does not support illegal activities.

Subscriber Identity Module (SIM)

A SIM card (subscriber identity module), also known as a UICC (universal integrated circuit card), is, despite its size, a small computer that provides fast and efficient wireless communication between subscribers around the world. The graphic below shows the number of SIM cards currently in use, based on worldwide smartphone sales.

Smartphones sold worldwide from 2007 to 2021

A SIM card is actually a small computer that stores and manages various data. These include an authentication key (Ki), a 128-bit value for mobile network authentication, and a unique IMSI number (64-bit) that identifies subscribers on the network. A mobile network consists of one or more cell towers and a base transceiver station (BTS), providing voice and data transmission. The radio signal can reach 8 km, depending on the region.

GSM antenna, Great Britain.
GSM antenna, Italy.

SIM cards can also contain phone contacts and other user data. Emergency numbers such as 112, 113 and/or 991 are also stored on the SIM card.

Emergency numbers stored in SUT.

So a SIM card is a computer in the pocket of billions of people living in different countries, where, depending on the jurisdiction, communications regulators such as Ofcom, the Federal Communications Commission or AGCOM set the rules, each with their own codes and different sets of frequencies.

While phones have gotten bigger and bigger for some reason, SIM cards have shrunk and evolved over time. For example, here’s the size change over the years:

  • Full-size (universal) SIM, 1991/1992 (53.98 x 85.6 mm)

  • Standard or mini-SIM, 1996 (15 x 25 mm)

  • Micro-SIM, 2003 (12 x 15 mm)

  • Nano-SIM, 2012 (8.8 x 12.3 mm)

  • Embedded SIM or eSIM, 2016

Types of verified SIM cards.

The contact layout of SIM cards may vary depending on the manufacturer’s preferences. However, the assignment of the SIM pins is always the same, for obvious reasons.

SIM card pin assignment.

While we’re on the subject of form factor, in the name of “science” I also dissolved the SIM cards in acetone. I don’t have any interesting results yet, but the process is pretty fun.

The plastic part of the SIM card started to dissolve after a few minutes.

Removing a clean SIM card chip from an acetone solution.

X-ray image of the SIM card showing the chip and connection

Finally, each pin on a SIM card has a specific function: some carry power and others carry data.

Being more interested in the contents of the SIM rather than its physical aspects, I analyzed the contents of a random SIM using a Gemalto PC Twin Reader PC/SC terminal along with a forensics tool called SIMspy II. After checking the result obtained by this tool, it became clear that the information is stored in the directory structure.

The SUT (SIM Under Test) directory structure, determined using SIMspy II.
Encryption key (Kc) and other information obtained from the SUT by SIMspy II.

The data on the SUT (SIM Under Test) was organized into a tree hierarchy consisting of three types of files:

  • Master File (MF)

  • Elementary Files (EF)

  • Dedicated Files (DF)

A similar directory structure can be found in smart cards or credit/debit cards. Each card is configured by its manufacturer with an output message called the ATR (Answer To Reset). This message contains information about the card, its communication options and protocols. The ATR is used during card activation to determine the supported transport protocol and communication parameters at the start of each card session, such as when accessing a SIM card.

For the example ATR 3B9F96801FC68031E073F62113675602220080010127, the following listing is a breakdown of some important bytes.

  • Byte 1: TS = 0x3B – direct convention

  • Byte 2: T0 = 0x9F – format byte

  • Byte 3: TA(1) = 0x96 – interface byte

  • Byte 4: TD(1) = 0x80 – interface byte (information about the supported protocol)

  • Byte 5: TD(2) = 0x1F – interface byte (information about the supported protocol)

  • Byte 6: TA(3) = 0xC6 – historical characters (SIM card type: C2 = normal SIM + OTA, C3 = STK SIM, …)

  • Byte 7: 0x27 – capabilities of the card

  • Byte 8: TCK = 0x27 – checksum
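As an added illustration (not code from the article), the following ISO 7816-3 ATR parser walks the TS / T0 / interface-byte chain of the ATR above, separates the historical bytes and verifies the TCK checksum (XOR of T0 through TCK must be zero); the Fi/Di tables are the ISO 7816-3 ones and the field names are my own.

```python
# Added example: minimal ISO 7816-3 ATR parser applied to the ATR quoted on the page.
# Assumptions: Fi/Di tables per ISO 7816-3; TCK present whenever a protocol other than T=0 is announced.
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860, 9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

def parse_atr(atr_hex: str) -> dict:
    atr = bytes.fromhex(atr_hex)
    if atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 0x3B (direct) or 0x3F (inverse convention)")
    out = {"TS": atr[0], "T0": atr[1], "interface": {}, "protocols": []}
    y, k = atr[1] >> 4, atr[1] & 0x0F      # Y1: which of TA1..TD1 follow; K: number of historical bytes
    pos, i = 2, 1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:                      # each set bit announces one more interface byte
                out["interface"][f"{name}{i}"] = atr[pos]
                pos += 1
        td = out["interface"].get(f"TD{i}")
        if td is None:                       # no TDi: the interface-byte chain ends here
            break
        out["protocols"].append(td & 0x0F)   # low nibble of TDi = protocol type T
        y, i = td >> 4, i + 1                # high nibble of TDi announces the next group
    out["historical"] = atr[pos:pos + k]
    pos += k
    if any(t != 0 for t in out["protocols"]):
        out["TCK"] = atr[pos]
        xor = 0
        for b in atr[1:pos + 1]:             # T0 .. TCK inclusive must XOR to zero
            xor ^= b
        out["tck_ok"] = xor == 0
        pos += 1
    else:
        out["TCK"], out["tck_ok"] = None, True   # T=0 only: TCK is absent by definition
    if pos != len(atr):
        raise ValueError(f"{len(atr) - pos} trailing byte(s) not accounted for")
    ta1 = out["interface"].get("TA1")
    if ta1 is not None:                      # TA1 = Fi (high nibble) / Di (low nibble)
        out["Fi"], out["Di"] = FI.get(ta1 >> 4), DI.get(ta1 & 0x0F)
    return out

ATR_FROM_ARTICLE = "3B9F96801FC68031E073F62113675602220080010127"

if __name__ == "__main__":
    r = parse_atr(ATR_FROM_ARTICLE)
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in r.items()})
```

Running it on the page's ATR shows TA1 = 0x96 (Fi = 512, Di = 32), protocols T=0 and T=15, fifteen historical bytes and a valid TCK; a single-bit corruption of the last byte makes the checksum fail.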

The top-level directory of the SIM I was analyzing (the SUT) is denoted by a forward slash (/) and known as the master file (MF). It contained subdirectories, otherwise known as Dedicated Files (DF), and Elementary Files (EF), where a large amount of confidential information belonging to mobile network operators (MNOs) and subscribers could be found.

Elementary files can be transparent, linear or cyclic. They are quite simple to understand:

  • Transparent: A byte string

  • Linear Fixed-Length: A sequence of records

  • Linear-Variable Length: A sequence of records, but can also have a variable number of bytes

  • Cyclic: A “ring” of records that can be overwritten

When the ATR is received, the MF (3F00) is automatically selected and becomes the current directory.

The tree-like structure of the SIM card.

We performed various fuzzing attacks on the SUT using an open source security tool called SIMTester, hoping to identify more files, gain more information, and ultimately understand their purpose.

An example of some of the files (and their relative paths) identified in SUT by SIMTester.

The data stored in the SUT (SIM Under Test) was extracted from the identified files using Application Protocol Data Unit (APDU) commands, also known as C-APDUs (Command APDUs). APDU is a command-response protocol used to invoke functions on smart cards or similar devices.

The APDU exchange consists of two parts:

  • Command – 4-byte header (class, instruction, parameter 1, parameter 2) + data body

  • Response – 2-byte trailer (SW1, SW2)

The response can also carry a string of bytes in the response data field, for example when reading data from a smart card or a similar device.

Below is a list of the APDU commands (as named in GSM 11.11) that can be used.

  • SELECT

  • STATUS

  • READ BINARY

  • UPDATE BINARY

  • READ RECORD

  • UPDATE RECORD

  • SEEK

  • INCREASE

  • VERIFY ADM

  • VERIFY CHV

  • CHANGE CHV

  • DISABLE CHV

  • ENABLE CHV

  • UNBLOCK CHV

  • INVALIDATE

  • REHABILITATE

  • RUN GSM ALGORITHM

  • SLEEP

  • GET RESPONSE

These commands were sent using PyAPDUTool, the tool used to communicate with the SIM via the reader, and allowed me to retrieve and update the data stored in the SUT. As an example, the following video shows how to select the master file (3F00), then the dedicated file “GSM” (7F20) and finally the elementary file “SPN” (6F46), from which the string “giffgaff” can be read in hex (67 69 66 66 67 61 66 66). At the time, the SUT’s service provider name was Giffgaff (Giffgaff is a UK-headquartered mobile network). The last two bytes (90 00) at the end of the output are the status words (SW1, SW2), indicating that the APDU command completed successfully and without errors.

Access 3F00/7F20/6F46 files to get SPN from SIM card by sending APDU commands with PyAPDUTool.

The following video instead shows how to update a phonebook entry on the SUT using all the tools I have mentioned so far. Note that physical access to the SIM card is required.

Update phonebook entry number 5 by sending APDU commands with PyAPDUTool.

PyAPDUTool provides a useful utility for parsing the response trailer, specifically the 2-byte trailer defined as SW1 (status byte 1 – command processing status) and SW2 (status byte 2 – command processing qualifier). PyAPDUTool’s SW Lookup utility returns a help message for valid status-word trailers, which helped me understand the process better; an “Unknown error” message is returned for an invalid trailer. Below are examples of status words interpreted by PyAPDUTool’s SW Lookup.

PyAPDUTool’s SW Lookup utility confirming the correct execution of an APDU command.
An example of parsing an APDU response with PyAPDUTool’s SW Lookup utility.
An example of the message returned by PyAPDUTool’s SW Lookup for an invalid status-word trailer.
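To show the SPN walk above and the SW1/SW2 interpretation in one place, here is an added example (my own code, not PyAPDUTool’s or the article’s): it builds the GSM 11.11 SELECT / READ BINARY APDUs for 3F00 → 7F20 → 6F46, splits a card response into data and trailer, looks up a small subset of GSM 11.11 status words, and decodes the EF_SPN record. The card response is constructed to mirror the “giffgaff” output on the page; the EF_SPN layout (display byte + 16-byte name) is taken from GSM 11.11.

```python
GSM_CLA = 0xA0                                  # class byte for GSM 11.11 SIM commands
INS_SELECT, INS_READ_BINARY = 0xA4, 0xB0

# Subset of the GSM 11.11 status words; an entry (sw1, None) matches any SW2
SW_TABLE = {
    (0x90, 0x00): "normal ending of the command",
    (0x94, 0x04): "file ID not found / pattern not found",
    (0x98, 0x04): "access condition not fulfilled / CHV verification unsuccessful",
    (0x6D, None): "unknown instruction code",
}

def select(file_id: int) -> bytes:
    """SELECT by 2-byte file ID: A0 A4 00 00 02 <id hi> <id lo>."""
    return bytes([GSM_CLA, INS_SELECT, 0x00, 0x00, 0x02]) + file_id.to_bytes(2, "big")

def read_binary(offset: int, length: int) -> bytes:
    """READ BINARY: A0 B0 <offset hi> <offset lo> <length>."""
    return bytes([GSM_CLA, INS_READ_BINARY]) + offset.to_bytes(2, "big") + bytes([length])

def spn_walk() -> list:
    """The path from the video: MF (3F00) -> DF_GSM (7F20) -> EF_SPN (6F46), then read all 17 bytes."""
    return [select(0x3F00), select(0x7F20), select(0x6F46), read_binary(0, 17)]

def split_response(resp: bytes) -> tuple:
    """Separate the response data from the 2-byte trailer (SW1, SW2)."""
    if len(resp) < 2:
        raise ValueError("response shorter than SW1 SW2")
    return resp[:-2], resp[-2], resp[-1]

def sw_lookup(sw1: int, sw2: int) -> str:
    """Same idea as a SW lookup: exact match, then SW1-only entry, then GSM '9F xx', else unknown."""
    if (sw1, sw2) in SW_TABLE:
        return SW_TABLE[(sw1, sw2)]
    if (sw1, None) in SW_TABLE:
        return SW_TABLE[(sw1, None)]
    if sw1 == 0x9F:                               # GSM 11.11: xx bytes waiting for GET RESPONSE
        return f"{sw2} bytes of response data available, fetch with GET RESPONSE"
    return "Unknown error"

def decode_spn(ef_spn: bytes) -> str:
    """EF_SPN: byte 1 = display condition, bytes 2-17 = name, 0xFF padded (GSM default alphabet)."""
    name = ef_spn[1:17].rstrip(b"\xff")
    return name.decode("ascii")   # a-z, A-Z and digits share their ASCII codes in the GSM alphabet

# Constructed card response to READ BINARY on EF_SPN (the SPN "giffgaff" shown on the page)
SAMPLE_SPN_RESPONSE = bytes.fromhex("01" + "6769666667616666" + "ff" * 8 + "9000")
```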

AT commands

Some SIM data can also be controlled using AT commands, also called Attention Commands (a command language originally used for modems; see the Hayes command set). A modem is required for this step. Below is a picture of the hardware I usually use:

Arduino 2009 + Hilo Sagem or one of two USB modems (Tigo, TIM).

However, any mobile equipment (ME) that supports AT commands will also work, although physical access to the SIM card is still required. Some guidelines for checking device compatibility and AT command support are given below.

/*
1. Connect the phone to the computer via USB.
2. Open a terminal
*/
lsusb -v|less
Based on the results of the lsusb command, my Samsung S6 supported AT commands.

At this stage, I used Minicom to establish a connection with the modem:

Run it:

1. Open a terminal
minicom -D /dev/ttyACM0

Minicom commands can be invoked by pressing CTRL+A <key>.

Press:

/* Open the Minicom help */
CTRL+A Z

/* Turn local echo on/off (repeat this step twice if you see doubled input) */
E

Below are some examples of AT commands to retrieve information from a SIM card:

// Temporary Mobile Subscriber Identity (TMSI): only the first 8 characters (4 bytes)
AT+CRSM=176,28448,0,0,11

// Ciphering key Kc: remove the last two characters (1 byte)
AT+CRSM=176,28448,0,0,9

// ARFCN: the second value in the response
AT+KCELL=0
TMSI & Kc retrieved from SIM using Minicom on Samsung S6.
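The AT+CRSM replies come back as “+CRSM: <sw1>,<sw2>[,<response>]” with the status words in decimal and the data in hex (3GPP TS 27.007). The following added example (mine, not the article’s or SensePost’s) builds the READ BINARY commands used above and applies the two trimming rules from the comments: keep the first 8 bytes of EF_Kc (the ninth byte is the key sequence number) and the first 4 bytes of the location record for the TMSI. The modem replies are constructed and contain no real key material.

```python
import re

READ_BINARY = 176          # INS 0xB0 in decimal, as AT+CRSM expects
EF_KC = 28448              # 0x6F20, the file id used in the article

def crsm_read_binary(file_id: int, length: int, offset: int = 0) -> str:
    """AT+CRSM=<command>,<fileid>,<P1>,<P2>,<P3>: P1/P2 = offset, P3 = number of bytes."""
    return f"AT+CRSM={READ_BINARY},{file_id},{offset >> 8},{offset & 0xFF},{length}"

# +CRSM: <sw1>,<sw2>[,<response>]; some modems quote the hex response, some do not
_CRSM_RE = re.compile(r'^\+CRSM:\s*(\d+),(\d+)(?:,"?([0-9A-Fa-f]*)"?)?\s*$')

def parse_crsm(line: str) -> tuple:
    """Return (sw1, sw2, data). sw1/sw2 are decimal in the AT response, data is hex."""
    m = _CRSM_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a +CRSM response: {line!r}")
    return int(m.group(1)), int(m.group(2)), bytes.fromhex(m.group(3) or "")

def kc_from_crsm(line: str) -> bytes:
    """Kc is the 64-bit A5 session key: keep 8 bytes, drop the trailing key sequence number."""
    sw1, sw2, data = parse_crsm(line)
    if (sw1, sw2) != (144, 0):            # 144,0 is 90 00: command completed normally
        raise ValueError(f"card returned SW {sw1:02X} {sw2:02X}")
    if len(data) < 9:
        raise ValueError("EF_Kc is 9 bytes; short read")
    return data[:8]

def tmsi_from_crsm(line: str) -> bytes:
    """The TMSI occupies the first 4 bytes of the location-information record."""
    sw1, sw2, data = parse_crsm(line)
    if (sw1, sw2) != (144, 0) or len(data) < 4:
        raise ValueError("no usable TMSI in response")
    return data[:4]

# Constructed modem replies (not real key material): 9-byte Kc record, 11-byte location record
SAMPLE_KC_REPLY = '+CRSM: 144,0,"0123456789ABCDEF02"'
SAMPLE_TMSI_REPLY = '+CRSM: 144,0,"A1B2C3D421F3500001FF00"'
```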

The information was taken from SensePost’s open sources.
