simtrace2: remove SAT/USAT/CAT slides as they don't apply here
parent
08929bcc98
commit
798157862d
@ -228,183 +228,3 @@ determined by authentication using a shared secret, called 'PIN'.
|
|||
\includegraphics[width=110mm]{isim-dir-struct.png}
|
||||
\end{figure}
|
||||
\end{frame}
|
||||
|
||||
\subsection{SIM Application Toolkit (SAT)}
|
||||
|
||||
\begin{frame}{SIM Application Toolkit (SAT)}
|
||||
\begin{itemize}
|
||||
\item Ability for card to run applications that have UI on the phone
|
||||
\begin{itemize}
|
||||
\item Display menu items on-screen
|
||||
\item Get user input from keypad/touch-screen
|
||||
\end{itemize}
|
||||
\item Original Version Described in TS 11.14 and 11.11
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{SAT -- Proactive SIM}
|
||||
The {\em Proactive SIM} features
|
||||
\begin{itemize}
|
||||
\item Sending a short message
|
||||
\item Setting up a voice call
|
||||
\item Playback of a tone in earpiece
|
||||
\item Providing location information from ME to SIM
|
||||
\item Have ME execute timers on behalf of SIM
|
||||
\item Sending DTMF to network
|
||||
\item Running an AT command received from SIM, sending result back to SIM
|
||||
\item Ask ME to launch browser to SIM-provided URL
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{SAT -- Call and SMS Control}
|
||||
\begin{itemize}
|
||||
\item ME passes MO call setup attempts to SIM for approval
|
||||
\item SIM can then
|
||||
\begin{itemize}
|
||||
\item approve or decline the MO call
|
||||
\item modify the call details such as phone number
|
||||
\item replace the call with USSD message
|
||||
\end{itemize}
|
||||
\item ME passes USSD requests similar to Call Control
|
||||
\item Similar mechanism exists for all MO SMS
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{SAT -- Provide local information}
|
||||
The SIM can inquire the ME about
|
||||
\begin{itemize}
|
||||
\item MCC / MNC / LAC / Cell ID
|
||||
\item IMEI of ME
|
||||
\item Network Measurement Results
|
||||
\item BCCH channel list
|
||||
\item Date, Time, Timezone
|
||||
\item ME language setting
|
||||
\item Timing Advance
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{SAT -- Event download}
|
||||
The SIM is notified by ME about certain events such as
|
||||
\begin{itemize}
|
||||
\item Call Connected / Disconnected
|
||||
\item Location Status (Location Area change)
|
||||
\item User activity (keyboard input)
|
||||
\item Idle screen available
|
||||
\item Browser termination
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{SAT - Data download}
|
||||
\begin{itemize}
|
||||
\item Enables Operator to exchange arbitrary data with the SIM
|
||||
\item Could be RFM (Remote File Management)
|
||||
\begin{itemize}
|
||||
\item Read or modify phone book entries
|
||||
\item Even change the IMSI of the SIM (!)
|
||||
\end{itemize}
|
||||
\item In case of Java Card, can be download of card applets
|
||||
\begin{itemize}
|
||||
\item Applets are stored permanently on SIM
|
||||
\item Can later use SAT procedures to interact with ME
|
||||
\item TS 03.19 specifies Java API to access SAT from Java RE
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{SAT - Data download}
|
||||
SAT Data Download can happen via
|
||||
\begin{itemize}
|
||||
\item via SMS or Cell Broadcast
|
||||
\begin{itemize}
|
||||
\item Uses TS 03.40 TP-PID {\em SIM DATA Download}
|
||||
\item ME forwards such SMS to the SIM in {\tt ENVELOPE} APDU
|
||||
\item Response from SIM is sent back as MO-SMS or DELIVERY REPORT
|
||||
\end{itemize}
|
||||
\item via BIP (Bearer Independent Protocol)
|
||||
\begin{itemize}
|
||||
\item Dedicated CSD call between network and SIM
|
||||
\item GPRS session between network and SIM
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{SAT - Data download}{Data download security}
|
||||
\begin{itemize}
|
||||
\item GSM TS 03.48 specifies secure messaging for data download
|
||||
\item Includes replay protection
|
||||
\item Supports DES and 3DES
|
||||
\item SMS chaining for long commands / large data
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\subsection{SIM threat model}
|
||||
\begin{frame}{SIM card abuse by hostile operator}
|
||||
\begin{itemize}
|
||||
\item Even if the phone might be considered trusted, the SIM card is owned and controlled by the operator
|
||||
\item Using SAT features, the operator can control many aspects of the phone
|
||||
\item Examples
|
||||
\begin{itemize}
|
||||
\item Remotely reading address book / stored SMS
|
||||
\item Monitor user behavior (browser termination, idle screen, ...)
|
||||
\item Ask phone to establish packet data session
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{SIM card re-programming by attacker}
|
||||
\begin{itemize}
|
||||
\item If the SIM is not properly secured (auth + encryption keys, ...) a third party attacker can send SAT envelope SMS to the card and install resident Java applets
|
||||
\item The attacker can then
|
||||
\begin{itemize}
|
||||
\item Obtain detailed location information and send it via SMS
|
||||
\item Intercept/log outgoing calls
|
||||
\item Sending copies of incoming + outgoing SMS elsewhere
|
||||
\end{itemize}
|
||||
\item Even using SIM card channel to exploit baseband stack is feasible
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{SIM card proxy / MITM by attacker}
|
||||
As soon as an attacker has temporary physical access to a phone, he can
|
||||
\begin{itemize}
|
||||
\item Insert a proxy-SIM between real SIM and phone
|
||||
\item Do everything a Java applet could do, but even with a securely configured SIM as he does not modify the existing SIM
|
||||
\item Sniff current Kc and send it out e.g. via SMS or even UDP/TCP packets over GPRS
|
||||
\item ... by only using standard interfaces that are common among all phones (as opposed to baseband software hacking which is very model-specific)
|
||||
\end{itemize}
|
||||
Most users would never notice this as they rarely check their SIM slot
|
||||
\end{frame}
|
||||
|
||||
%%%%%%
|
||||
\subsection{SIM attacks countermeasures}
|
||||
|
||||
\begin{frame}{Defending against SIM based attacks}
|
||||
\begin{itemize}
|
||||
\item SIM cards are Operator issued, Ki is on the SIM
|
||||
\begin{itemize}
|
||||
\item SIM card can thus not be replaced, but original SIM must be used
|
||||
\end{itemize}
|
||||
\item Configure telephone to not store contacts or SMS on SIM
|
||||
\item Communication between SIM and ME is not encrypted/authenticated
|
||||
\item Solution: Proxy SIM between SIM and ME to break STK / OTA
|
||||
\begin{itemize}
|
||||
\item Filter all STK/OTA/Proactive commands like ENVELOPE
|
||||
\item Indicate lack of STK support to ME (EF.Phase)
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}{Proxy SIM with firewall}
|
||||
\begin{itemize}
|
||||
\item There are no known commercial products that implement STK/OTA filtering
|
||||
\item But there are a number of shim SIM cards that are plugged between SIM and SIM slot
|
||||
\item Most of them are used for SIM unlocking modern phones
|
||||
\item Some vendors produce freely (re)programmable proxy SIMs:
|
||||
\end{itemize}
|
||||
\begin{figure}[h]
|
||||
\subfigure{\includegraphics[width=40mm]{bladox-turbosim.jpg}}
|
||||
\subfigure{\includegraphics[width=25mm]{rebelsim2.jpg}}
|
||||
\caption{Bladox TurboSIM (AVR) and RebelSIM II (8051)}
|
||||
%\caption{Bladox Turbo SIM (AVR)}}
|
||||
\end{figure}
|
||||
\end{frame}
|
||||
|
|