Disclaimer: This article is prepared on the basis of information from open sources and is for educational purposes only. Its goal is to help understand the techniques attackers can use so users can better protect themselves. We do not support any illegal activities and encourage you to use this knowledge only to improve your own security.
“The phone numbers of 533 million Facebook users were leaked” is one of the resonant headlines that flooded social networks. The leak, which was originally sold in 2020, was recently made public for free on a hacking forum. It contains mobile phone numbers and a lot of other related information. This news has spawned websites like https://haveibeenzucked.com, where you can check whether Facebook’s data leak includes your data.
“What can they do with my phone number? Do I need to change my number? The leak is not serious, they don’t have my Facebook password,” are the thoughts expressed by many unsuspecting victims.
Unfortunately, information leaks have serious implications for user privacy. This data can be used for scam calls, harassment, insurance market research and political action. In this post, I’ll cover SIM-related issues and describe some physical, software, and other attack methods.
In light of the Facebook data leak, we understand that this information could be the basis for a variety of attacks, including:
Social engineering attacks are a popular method of obtaining information through interaction with people. Attackers manipulate victims into revealing confidential information. This is achieved through phone calls or SMS, using psychological manipulation. Number spoofing is often used to make the victim believe the call or message is legitimate.
SMS Redirection Attacks – Some time ago, a hacker named Lucky225 highlighted a carrier issue that allowed someone to receive or access an SMS meant for another person. Not to be confused with SIM replacement or SMS hijacking, this discovery was rather due to a bug on the Sakari platform. Sakari is a commercial company offering SMS forwarding, SMS marketing and bulk messaging services for businesses. Apparently, the lack of a two-factor authentication mechanism on the Sakari platform allowed Lucky225 to read all SMS messages of the target phone number. Indeed, the attackers could read all the victims’ SMS messages simply by adding their phone numbers to the platform, and with just a few dollars, they could impersonate the owner. Out of curiosity, I tried to create an account at https://sakari.io but it was not possible at the time of publishing this blog. While there may be other similar companies out there, many carriers like AT&T, Verizon, and T-Mobile have already mitigated the loophole. Sakari has also finally implemented a multi-factor authentication/verification solution.
SIM swapping is a method where attackers pretend to be the owners of phone numbers, using fake documents to manipulate mobile operators into transferring rights to a new SIM card. This can lead to account hijacking or illegal financial transactions.
Simjacker is a vulnerability announced in 2019 that still affects many SIM cards. The attack involves sending an SMS containing malicious instructions to SIM applications such as the S@T Browser, which allows triggering SIM events and performing logic operations on the device.
Testing on the real network requires a license and any unsolicited testing is illegal. You need to understand what you are doing before any tests and this blog does not support illegal activities.
A SIM card is actually a small computer that stores and manages various data. These include an authentication key (Ki), a 128-bit value for mobile network authentication, and a unique IMSI number (64-bit) that identifies subscribers on the network. A mobile network consists of one or more cell towers and a base transceiver station (BTS), providing voice and data transmission. The radio signal can reach 8 km, depending on the region.
SIM cards can also contain phone contacts and other user data. Emergency numbers such as 112, 113 and/or 991 are also stored on the SIM card.
So a SIM card is a computer in the pocket of billions of people living in different countries where, depending on the jurisdiction, communications regulators such as Ofcom, the Federal Communications Commission or AGCOM are the main authorities, each with its own coding and its own set of frequencies.
While phones have gotten bigger and bigger for some reason, SIM cards have shrunk and evolved over time. For example, here’s the size change over the years:
Full-size SIM, 1991/1992 (53.98 x 85.6 mm)
Standard or mini-SIM, 1996 (15 x 25 mm)
Micro-SIM, 2003 (12 x 15 mm)
Nano-SIM, 2012 (8.8 x 12.3 mm)
Embedded SIM or eSIM, 2016
The contact layout of SIM cards may vary depending on the manufacturer’s preferences. However, the pin assignment of the SIM contacts is always the same, for obvious reasons.
While we’re on the subject of form factor, in the name of “science” I also dissolved the SIM cards in acetone. I don’t have any interesting results yet, but the process is pretty fun.
Removing a clean SIM card chip from an acetone solution.
Finally, each pin (contact pad) on a SIM card has a specific function, some for power transfer and others for data transfer.
Being more interested in the contents of the SIM than in its physical aspects, I analyzed the contents of a random SIM using a Gemalto PC Twin Reader PC/SC terminal along with a forensics tool called SIMspy II. After checking the result obtained by this tool, it became clear that the information is stored in a directory structure.
The data on the SUT (SIM Under Test) was organized into a tree hierarchy consisting of three types of files:
Master File (MF)
Elementary Files (EF)
Dedicated Files (DF)
A similar directory structure can be found in smart cards or credit/debit cards. Each card is configured by its manufacturer with an output message called the ATR (Answer To Reset). This message contains information about the card, its communication options and protocols. The ATR is used during card activation to determine the supported transport protocol and communication parameters at the start of each card session, such as when accessing a SIM card.
For the example ATR 3B9F96801FC68031E073F62113675602220080010127, the following listing breaks down some of the important bytes.
Byte 1: TS = 0x3B – direct convention
Byte 2: T0 = 0x9F – format byte
Byte 3: TA(1) = 0x96 – interface byte
Byte 4: TD(1) = 0x80 – interface byte (information about the supported protocol)
Byte 5: TD(2) = 0x1F – interface byte (information about the supported protocol)
Byte 6: TA(3) = 0xC6 – historical bytes (SIM card type: C2 normal SIM + OTA, C3 STK SIM, …)
Byte 7: 0x27 – capabilities of the card
Byte 8: TCK = 0x27 – checksum
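To check a breakdown like the one above mechanically, here is a small ATR parser. It is an added example, not code from the original post or from SIMspy II, and its only input is the ATR quoted in the text. It walks the interface bytes from the Y nibble of T0 (each TDi announces the next group), separates the K historical bytes, decodes TA1 into the Fi/Di clock parameters, and verifies TCK: the XOR of every byte from T0 through TCK must be zero, so a corrupted ATR is detected rather than silently parsed.

```python
"""Parse an ISO/IEC 7816-3 Answer To Reset into TS, T0, interface bytes, historical bytes and TCK.

Added example (not code from the original post or from SIMspy II); the only input is the
ATR quoted in the text."""

# ISO 7816-3 tables for TA1: clock-rate conversion integer (Fi) and baud-rate adjustment (Di)
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None, None, 512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]


def parse_atr(atr_hex: str) -> dict:
    atr = bytes.fromhex(atr_hex)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not a valid ATR (missing or bad TS byte)")
    ts, t0 = atr[0], atr[1]
    hist_len = t0 & 0x0F            # K: number of historical bytes
    y, idx, i = t0 >> 4, 2, 1       # Y1 announces which of TA1..TD1 are present
    interface, protocols = [], []
    while True:
        next_y = 0
        for mask, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & mask:
                if idx >= len(atr):
                    raise ValueError("ATR truncated inside the interface bytes")
                interface.append((f"{name}{i}", atr[idx]))
                if name == "TD":    # TDi: upper nibble = Y(i+1), lower nibble = protocol T
                    next_y = atr[idx] >> 4
                    protocols.append(atr[idx] & 0x0F)
                idx += 1
        if not next_y:              # no further interface bytes announced
            break
        y, i = next_y, i + 1
    historical = atr[idx: idx + hist_len]
    if len(historical) != hist_len:
        raise ValueError("ATR truncated inside the historical bytes")
    idx += hist_len
    # TCK is present only if some TDi offers a protocol other than T=0 (T=15 counts)
    tck, tck_ok = None, None
    if any(p != 0 for p in protocols):
        if idx >= len(atr):
            raise ValueError("TCK expected but missing")
        tck = atr[idx]
        xor = 0
        for b in atr[1: idx + 1]:   # XOR over T0 .. TCK inclusive must be zero
            xor ^= b
        tck_ok = xor == 0
        idx += 1
    if idx != len(atr):
        raise ValueError(f"{len(atr) - idx} unexpected trailing byte(s)")
    ta1 = dict(interface).get("TA1")
    # Defaults when TA1 is absent are Fi=372, Di=1
    fi_di = (FI_TABLE[ta1 >> 4], DI_TABLE[ta1 & 0x0F]) if ta1 is not None else (372, 1)
    return {
        "convention": "direct" if ts == 0x3B else "inverse",
        "t0": t0,
        "interface": interface,
        "protocols": sorted(set(protocols)),
        "fi_di": fi_di,
        "historical": historical.hex().upper(),
        "tck": tck,
        "tck_ok": tck_ok,
    }


if __name__ == "__main__":
    for k, v in parse_atr("3B9F96801FC68031E073F62113675602220080010127").items():
        print(f"{k:>11}: {v}")
```

For the page's ATR the parser yields TA1, TD1, TD2 and TA3 as the interface bytes, T=0 and T=15 as announced protocols, Fi/Di of 512/32, fifteen historical bytes starting 80 31 E0 ..., and a TCK of 0x27 that checks out; flipping the last byte makes `tck_ok` false.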
The top-level directory of the system I was analyzing (the SUT) was denoted by a forward slash (/) and is known as the master file (MF). It contained subdirectories, known as Dedicated Files (DF), and Elementary Files (EF), where a large amount of confidential information belonging to mobile network operators (MNOs) and subscribers could be found.
Elementary files can be transparent, linear or cyclic. They are quite simple to understand:
Transparent: a single byte string
Linear fixed: a sequence of records of equal length
Linear variable: a sequence of records whose lengths may differ
Cyclic: a “ring” of records that can be overwritten
Once the ATR has been received, the MF (3F00) is automatically selected and becomes the current directory.
We performed various fuzzing attacks on the SUT using an open source security tool called SIMTester, hoping to identify more files, gain more information, and ultimately understand their purpose.
The data stored in the SUT (SIM Under Test) was extracted from the identified files using Application Protocol Data Unit (APDU) commands, also known as C-APDUs (command APDUs). APDU is a command-response protocol used to invoke functions on smart cards and similar devices.
The APDU command structure consists of two parts:
Command – a 4-byte header (class, instruction, parameter 1, parameter 2) followed by a data body
Response – a 2-byte status word trailer (SW1, SW2)
The response can also carry a string of bytes in the response data field, for example when reading data from a smart card or a similar device.
Below is a list of possible APDU commands that can be used.
SELECT
STATUS
READ BINARY
UPDATE BINARY
READ RECORD
UPDATE RECORD
SEEK
INCREASE
VERIFY ADM
VERIFY CHV
CHANGE CHV
DISABLE CHV
ENABLE CHV
UNBLOCK CHV
INVALIDATE
REHABILITATE
RUN GSM ALGORITHM
SLEEP
GET RESPONSE
These commands were sent using PyAPDUTool, the tool I used to communicate with the SIM via the reader, and allowed me to retrieve and update the data stored in the SUT. As an example, the following video shows how to access the master file (3F00), then the dedicated file “GSM” (7F20) and finally the elementary file “SPN” (6F46), from which the string “giffgaff” can be extracted in hex format (67 69 66 66 67 61 66 66). At the time, the SUT was a Giffgaff SIM (Giffgaff is a UK-headquartered mobile network). The last two bytes at the end of the output (90 00) are the status words (SW1, SW2) indicating that the APDU command completed successfully and without errors.
Access 3F00/7F20/6F46 files to get SPN from SIM card by sending APDU commands with PyAPDUTool.
The next video shows how to update a phonebook entry on the SUT using all the tools I have mentioned so far. Note that physical access to the SIM card is required.
Update phonebook entry number 5 by sending APDU commands with PyAPDUTool.
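What actually travels to the card when a phonebook entry is rewritten is one EF_ADN record inside an UPDATE RECORD APDU. The following is an added example, not code from the original post or from PyAPDUTool: the name and number are constructed, and the record layout follows GSM 11.11 (alpha identifier, BCD length, TON/NPI, ten bytes of swapped-nibble BCD digits, capability/configuration pointer, extension pointer). The file ID 6F3A for EF_ADN and the 0x04 “absolute” record mode are the standard values.

```python
"""Encode a phonebook (EF_ADN, 6F3A) record and the UPDATE RECORD APDU that writes it as entry 5.

Added example, not code from the original post or from PyAPDUTool: the name and number are
constructed, and the record layout follows GSM 11.11."""

CLA_GSM, INS_UPDATE_RECORD, INS_READ_RECORD = 0xA0, 0xDC, 0xB2
ABSOLUTE = 0x04   # P2 mode: address the record number given in P1


def encode_adn(name, number, alpha_len=10):
    """Build one EF_ADN record of alpha_len + 14 bytes."""
    alpha = name.encode("ascii").ljust(alpha_len, b"\xff")
    digits = number.lstrip("+")
    digits += "F" if len(digits) % 2 else ""                 # odd digit count gets an F filler
    # Each byte holds two digits with the nibbles swapped: "44" -> 0x44, "90" -> 0x09
    bcd = bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))
    ton_npi = 0x91 if number.startswith("+") else 0x81       # international vs unknown, ISDN plan
    return alpha + bytes([1 + len(bcd), ton_npi]) + bcd.ljust(10, b"\xff") + b"\xff\xff"


def decode_adn(record, alpha_len=10):
    """Inverse of encode_adn: returns (name, dialling number)."""
    name = record[:alpha_len].rstrip(b"\xff").decode("ascii")
    length, ton_npi = record[alpha_len], record[alpha_len + 1]
    bcd = record[alpha_len + 2: alpha_len + 1 + length]      # length counts TON/NPI plus BCD bytes
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in bcd).rstrip("F")
    return name, ("+" if ton_npi & 0x70 == 0x10 else "") + digits


def update_record_apdu(index, record):
    """A0 DC <index> 04 <len> <record>: the C-APDU that overwrites phonebook entry <index>."""
    return bytes([CLA_GSM, INS_UPDATE_RECORD, index, ABSOLUTE, len(record)]) + record


def read_record_apdu(index, length):
    """A0 B2 <index> 04 <len>: the C-APDU that reads the same entry back."""
    return bytes([CLA_GSM, INS_READ_RECORD, index, ABSOLUTE, length])


if __name__ == "__main__":
    rec = encode_adn("Alice", "+447700900123")               # constructed entry
    print(update_record_apdu(5, rec).hex().upper())
    print(read_record_apdu(5, len(rec)).hex().upper(), decode_adn(rec))
```

The header of the write comes out as A0 DC 05 04 18: class A0, instruction DC (UPDATE RECORD), record 5, absolute mode, 24 bytes of data. Reading the record back with A0 B2 05 04 18 and running `decode_adn` on the response is the quickest way to confirm the nibble order was right.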
PyAPDUTool provides a useful utility for parsing the response data, specifically the 2-byte trailer defined as SW1 (status byte 1 – command processing status) and SW2 (status byte 2 – command processing qualifier). PyAPDUTool’s SW Lookup utility returns a help message for valid status word trailers, which helped me understand the process better, and an “Unknown error” message for an invalid trailer. Below are examples of status word responses interpreted by PyAPDUTool’s SW Lookup.
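The SELECT / READ BINARY walk from the video and the SW Lookup behaviour can be put together in a few dozen lines. The following is an added example, not code from the original post, from PyAPDUTool, SIMspy or SIMTester: it builds GSM 11.11 C-APDUs (class A0, single P3 byte), runs them against a constructed in-memory card that holds only MF 3F00, DF_GSM 7F20 and EF_SPN 6F46 with the sample body “giffgaff”, and explains the trailer with a small status word table. The select-response length and the navigation rule (MF, a child of the current DF, or its parent) are modelled in simplified form, and real cards additionally enforce CHV/ADM access conditions that the model leaves out.

```python
"""Walk a SIM file system with GSM 11.11 APDUs: SELECT 3F00 -> 7F20 -> 6F46, READ BINARY the
SPN, and decode the SW1 SW2 trailer. Added example: the in-memory card below is constructed
for illustration (file IDs, body, select-response bytes) and is not PyAPDUTool, SIMspy or
SIMTester code; real cards also enforce CHV/ADM access conditions this model leaves out."""

CLA_GSM = 0xA0                                   # class byte of GSM 11.11 commands
INS = {"SELECT": 0xA4, "READ BINARY": 0xB0, "GET RESPONSE": 0xC0}

# Subset of the GSM 11.11 status words; sw2 = None matches any qualifier byte
STATUS_WORDS = {
    (0x90, 0x00): "normal ending of the command",
    (0x9F, None): "response data available, length in SW2 (fetch with GET RESPONSE)",
    (0x94, 0x00): "no EF selected",
    (0x94, 0x02): "out of range (invalid address)",
    (0x94, 0x04): "file ID or pattern not found",
    (0x94, 0x08): "file is inconsistent with the command",
    (0x98, 0x04): "access condition not fulfilled / unsuccessful CHV verification",
    (0x98, 0x40): "unsuccessful CHV verification, no attempt left / CHV blocked",
    (0x67, None): "incorrect parameter P3",
    (0x6B, None): "incorrect parameter P1 or P2",
    (0x6D, None): "unknown instruction code",
    (0x6E, None): "wrong instruction class",
}


def sw_lookup(sw1, sw2):
    """Explain a trailer the way an SW Lookup utility does, or report 'Unknown error'."""
    return STATUS_WORDS.get((sw1, sw2)) or STATUS_WORDS.get((sw1, None)) or "Unknown error"


def build_apdu(ins, p1, p2, data=b"", le=0):
    """C-APDU = CLA INS P1 P2 P3 [data]; in GSM 11.11 the single P3 byte is Lc or Le."""
    return bytes([CLA_GSM, INS[ins], p1, p2, len(data) if data else le]) + data


class SimModel:
    # Constructed tree: MF 3F00 / DF_GSM 7F20 / EF_SPN 6F46 (transparent, sample body)
    def __init__(self):
        self.files = {0x3F00: {"type": 1, "parent": None},
                      0x7F20: {"type": 2, "parent": 0x3F00},
                      0x6F46: {"type": 4, "parent": 0x7F20, "body": b"giffgaff"}}
        self.cur_dir, self.cur_ef, self.pending = 0x3F00, None, b""

    def transmit(self, apdu):
        """Process one C-APDU; returns (response data, sw1, sw2)."""
        cla, ins, p1, p2, p3, body = apdu[0], apdu[1], apdu[2], apdu[3], apdu[4], apdu[5:]
        if cla != CLA_GSM:
            return b"", 0x6E, 0x00
        if ins == INS["SELECT"]:
            fid = int.from_bytes(body, "big")
            f = self.files.get(fid)
            # SELECT may reach the MF, a child of the current DF, or the parent of the current DF
            if f is None or not (fid == 0x3F00 or f["parent"] == self.cur_dir
                                 or fid == self.files[self.cur_dir]["parent"]):
                return b"", 0x94, 0x04
            if f["type"] == 4:
                self.cur_ef = fid
            else:
                self.cur_dir, self.cur_ef = fid, None
            self.pending = body + bytes([f["type"]])   # constructed file info: FID + type byte
            return b"", 0x9F, len(self.pending)
        if ins == INS["GET RESPONSE"]:
            data, self.pending = self.pending, b""
            return data, 0x90, 0x00
        if ins == INS["READ BINARY"]:
            if self.cur_ef is None:
                return b"", 0x94, 0x00
            ef = self.files[self.cur_ef]
            off = (p1 << 8) | p2
            if off + p3 > len(ef["body"]):
                return b"", 0x94, 0x02
            return ef["body"][off:off + p3], 0x90, 0x00
        return b"", 0x6D, 0x00


def read_spn(card):
    """Select 3F00, 7F20, 6F46 in turn, then READ BINARY 8 bytes; returns (hex data, sw1, sw2)."""
    for fid in (0x3F00, 0x7F20, 0x6F46):
        _, sw1, sw2 = card.transmit(build_apdu("SELECT", 0, 0, fid.to_bytes(2, "big")))
        if sw1 != 0x9F:
            raise RuntimeError(f"SELECT {fid:04X} failed: {sw_lookup(sw1, sw2)}")
    data, sw1, sw2 = card.transmit(build_apdu("READ BINARY", 0, 0, le=8))
    return data.hex().upper(), sw1, sw2


if __name__ == "__main__":
    sim = SimModel()
    print(read_spn(sim))                                      # hex of "giffgaff", 144, 0
    print(sw_lookup(0x94, 0x04), "|", sw_lookup(0x12, 0x34))  # ... | Unknown error
```

Two details worth noticing when reading real traces: a SELECT does not answer 90 00 but 9F XX, telling you that XX bytes of file information are waiting for a GET RESPONSE, and a READ BINARY issued before any EF is selected is refused with 94 00 rather than returning garbage.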
Some SIM data can also be controlled using AT commands, also called Attention Commands (a command language originally used for modems, see Hayes command set). A modem is required for this step. Below is an image I usually use:
Any mobile equipment (ME) that supports AT commands will also work, but physical access to the SIM card is still required. Some guidelines for checking device compatibility and AT command support are given below.
# 1. Connect the phone to the computer via USB. 2. Open a terminal
lsusb -v | less
At this stage, I used Minicom to establish a connection with the modem. Run it:
# 1. Open a terminal
minicom -D /dev/ttyACM0
Minicom commands can be invoked by pressing CTRL+A <key>.
Press:
# Open the Minicom help menu
CTRL+A Z
# Toggle local echo on/off (repeat this step twice if you see doubled input)
E
Below are some examples of AT commands to retrieve information from a SIM card:
// Temporary Mobile Subscriber Identity (TMSI): only the first 8 characters (4 bytes) of the response
AT+CRSM=176,28448,0,0,11
// Ciphering key Kc: drop the last two characters (1 byte) of the response
AT+CRSM=176,28448,0,0,9
// ARFCN: the second value in the response
AT+KCELL=0
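AT+CRSM is only a thin wrapper: 176 is the READ BINARY instruction (0xB0), the second argument is the file ID in decimal, and the modem answers with `+CRSM: <sw1>,<sw2>,"<hex>"` (3GPP TS 27.007). The following parser is an added example, not code from the original post: it parses such response lines, rejects anything but a 90 00 trailer, and decodes EF_Kc (6F20 = 28448: 8-byte Kc followed by the key sequence number) and EF_LOCI (6F7E = 28542), which is the file where GSM 11.11 stores the TMSI together with the LAI and location update status. The modem dialogue in `SAMPLE_SESSION` is constructed and contains no real subscriber values.

```python
"""Parse +CRSM responses (the modem-side wrapper around READ BINARY, command 176 = 0xB0) and
decode two SIM files: EF_Kc (6F20 = 28448, 9 bytes: 8-byte Kc + key sequence number) and
EF_LOCI (6F7E = 28542, 11 bytes: TMSI, LAI, TMSI TIME, location update status).

Added example, not from the original post. The modem dialogue below is constructed (no real
subscriber data); the file layouts follow GSM 11.11."""
import re

CRSM_RE = re.compile(r'\+CRSM:\s*(\d+)\s*,\s*(\d+)(?:\s*,\s*"?([0-9A-Fa-f]*)"?)?')


def parse_crsm(line):
    """Return the data bytes of a '+CRSM: <sw1>,<sw2>[,"<hex>"]' line; raise on a non-90 00 trailer."""
    m = CRSM_RE.search(line)
    if not m:
        raise ValueError(f"not a +CRSM response: {line!r}")
    sw1, sw2 = int(m.group(1)), int(m.group(2))          # the modem prints SW1/SW2 in decimal
    if (sw1, sw2) != (0x90, 0x00):
        raise RuntimeError(f"SIM returned SW {sw1:02X} {sw2:02X}")
    return bytes.fromhex(m.group(3) or "")


def decode_kc(data):
    """EF_Kc: Kc is the first 8 bytes; the low 3 bits of the last byte are the key sequence number."""
    if len(data) != 9:
        raise ValueError("EF_Kc must be 9 bytes")
    return {"kc": data[:8].hex().upper(), "cksn": data[8] & 0x07}


def decode_plmn(three):
    """MCC/MNC from 3 swapped-nibble bytes; an F in the MNC-digit-3 slot means a 2-digit MNC."""
    n = [three[0] & 0xF, three[0] >> 4, three[1] & 0xF, three[1] >> 4, three[2] & 0xF, three[2] >> 4]
    mnc = f"{n[4]}{n[5]}" + ("" if n[3] == 0xF else f"{n[3]}")
    return f"{n[0]}{n[1]}{n[2]}", mnc


UPDATE_STATUS = {0: "updated", 1: "not updated", 2: "PLMN not allowed", 3: "location area not allowed"}


def decode_loci(data):
    """EF_LOCI: TMSI(4) | LAI: MCC/MNC(3) + LAC(2) | TMSI TIME(1) | location update status(1)."""
    if len(data) != 11:
        raise ValueError("EF_LOCI must be 11 bytes")
    mcc, mnc = decode_plmn(data[4:7])
    return {"tmsi": data[:4].hex().upper(), "mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(data[7:9], "big"),
            "update_status": UPDATE_STATUS.get(data[10] & 0x07, "reserved")}


# Constructed modem dialogue: command typed -> response line (no real subscriber values)
SAMPLE_SESSION = {
    "AT+CRSM=176,28448,0,0,9":  '+CRSM: 144,0,"0123456789ABCDEF01"',
    "AT+CRSM=176,28542,0,0,11": '+CRSM: 144,0,"0A1B2C3D32F40112340000"',
}


def read_sim_state(session=SAMPLE_SESSION):
    """Decode Kc/cksn from EF_Kc and TMSI, PLMN, LAC and update status from EF_LOCI."""
    out = decode_kc(parse_crsm(session["AT+CRSM=176,28448,0,0,9"]))
    out.update(decode_loci(parse_crsm(session["AT+CRSM=176,28542,0,0,11"])))
    return out


if __name__ == "__main__":
    print(read_sim_state())
```

Note that the modem prints the status words in decimal, so 144,0 is the familiar 90 00; anything else (for example 152,4 for an access condition that is not fulfilled) means the data field is absent and must not be decoded.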