December 29, 2014

4G Security: Hacking USB Modem and SIM Card via SMS


Telecommunications operators are pushing fast and cheap 4G communications technology. Yet only the chosen few know just how insecure it is. While researching the security level of 4G communications, Positive Technologies experts managed to uncover USB modem vulnerabilities that allow a potential attacker to gain full control of the connected computer as well as to access a subscriber account on a mobile operator portal. Additionally, attacks on a SIM card using a binary SMS allow an intruder to sniff and decrypt traffic or lock the SIM.

The team presented their reports on the topic at PacSec 2014 (Tokyo) and 31C3 (Hamburg). In this article, we give a digest of this research, conducted by Sergey Gordeychik, Alexander Zaitsev, Kirill Nesterov, Alexey Osipov, Timur Yunusov, Dmitry Sklyarov, Gleb Gritsai, Dmitry Kurbatov, Sergey Puzankov, and Pavel Novikov.

First, we would like to say a couple of words about the main purpose of the research. It is not only a matter of security for the trendy smartphones that we use to read news feeds on social networks. Multiple critical infrastructures, including industrial control systems (SCADA), also implement digital mobile communication based on the GSM standard. Another example from everyday life is having your money stolen from bank accounts. No one would like to become a victim of that. Yet you might have seen a small antenna on ATMs. Yes, that is also GSM.


A modern wireless modem is a computer that uses a well-known OS (usually Linux or Android) and a number of multifunctional applications. The software and data transfer protocols contain some vulnerabilities that attackers have successfully exploited in the last several years, say, to unlock a modem or to unbind it from the operator. To solve the problem in one blow, many services got transferred to the web. Yet it resulted in even more vulnerabilities.

For the research purposes, we used 6 different series of USB modems with 30 different firmware versions. Only 3 firmwares proved to be hack-resistant.

What did we manage to do to the rest of them? First, we identified the gear. The documentation and search engines helped us with that. In some cases Google was even more useful: it gave us the password for Telnet access.


However, for external communications we need HTTP, not Telnet. Just connect the modem to a computer and manage it as a separate network node with web applications. It gives you the opportunity to launch an attack via a browser (CSRF, XSS, RCE). This way you will force the modem to give out a lot of useful information about itself.



Besides obtaining data, we may use the modem to do the following:
  • change DNS settings (to sniff traffic),
  • change SMS center settings (to intercept and interfere with SMS),
  • change the password on the self-service portal by sending an SMS (to transfer money by subscribing to a third-party service),
  • lock the modem by deliberately entering wrong PIN or PUK codes,
  • remotely "update" the modem's firmware to a vulnerable version.
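
The forged browser requests behind the actions listed above can be refused by the modem's own web interface before any setting changes. The following Python sketch is an added example, not code from the original research or from any vendor firmware; the UI address, endpoint paths and header name are hypothetical.

```python
import hmac
from urllib.parse import urlsplit

# Assumed for this sketch (not from the page): the address the UI is served
# on and the paths of its state-changing endpoints. All names hypothetical.
ALLOWED_HOSTS = {"192.168.0.1"}
STATE_CHANGING = {"/api/dns", "/api/sms/center", "/api/sms/send",
                  "/api/pin/verify", "/api/firmware/update"}

def check_request(method, path, headers, session_token):
    """Return (allowed, reason) for one request to the management UI."""
    h = {k.lower(): v for k, v in headers.items()}
    # A Host the device does not own points to DNS rebinding.
    if h.get("host", "").split(":")[0] not in ALLOWED_HOSTS:
        return False, "unexpected Host"
    if path not in STATE_CHANGING:
        return True, "read-only"
    # Never change settings on GET: an <img> tag is enough to send one.
    if method != "POST":
        return False, "state change requires POST"
    # Browsers add Origin to cross-site POSTs; it must be the UI itself.
    origin = h.get("origin") or h.get("referer", "")
    if urlsplit(origin).hostname not in ALLOWED_HOSTS:
        return False, "cross-origin"
    # Per-session token a foreign page cannot read; constant-time compare.
    token = h.get("x-csrf-token", "")
    if not hmac.compare_digest(token.encode(), session_token.encode()):
        return False, "bad CSRF token"
    return True, "ok"

# Constructed requests: a forged cross-site POST, a GET-based change,
# a rebinding attempt, and a legitimate same-origin change.
SAMPLES = [
    ("POST", "/api/dns", {"Host": "192.168.0.1", "Origin": "http://ads.example"}),
    ("GET", "/api/sms/send", {"Host": "192.168.0.1"}),
    ("POST", "/api/dns", {"Host": "rebind.example", "Origin": "http://rebind.example"}),
    ("POST", "/api/dns", {"Host": "192.168.0.1", "Origin": "http://192.168.0.1",
                          "X-CSRF-Token": "s3ss10n"}),
]

def demo(session_token="s3ss10n"):
    return [check_request(m, p, h, session_token)[1] for m, p, h in SAMPLES]
```
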
You may advance your attack even further by accessing the computer connected to the hacked modem. One way to do it is to install a USB keyboard driver, which causes the computer to identify the modem as an input device. Use this pseudo keyboard to issue the command to reboot the system from an external disk, aka the very same modem. Then all that is left to do is to install a bootkit that allows you to remotely control the device. You may check out the video for visual evidence:


The best countermeasure any ordinary user should take is to stop inserting this and that into their USB ports. By "this and that" we also mean innocent-looking USB modems that appear to be such small and harmless communication devices.

We dedicated the second part of our research to SIM cards. The fact that a SIM card is a computer with an OS, file system, and multifunctional applications was proven long ago. As the German cryptographer Karsten Nohl demonstrated at the Positive Hack Days conference, SIM applications (TARs) are protected in different ways. Some you may hack by brute-forcing DES keys. Some respond to an external command without any protection whatsoever and may give out a lot of sensitive information.

To brute-force DES keys, we use a set of field-programmable gate arrays (FPGAs), which became trendy for Bitcoin mining a couple of years ago and got cheaper after the hype was over. The speed of our setup (8 modules × ZTEX 1.15y board), with a price tag of 2,000 Euro, is 245.760 Mcrypt/sec. It is enough to obtain the key within 3 days.



Then we may easily issue commands to well-known TARs and manage them; e.g. Card Manager allows installing a Java application to the SIM.
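
Each binary SMS carries, in its command header, the target TAR and the protection applied to the message, so an operator-side SMS filter can flag messages sent with no protection or with single DES. The following Python parser is an added example, not part of the original research; it assumes the secured-packet header layout of ETSI TS 102 225, and the TAR values and sample bytes are constructed.

```python
# Constructed samples (TARs made up): hex of SMS user data, UDH first, payload omitted.
SAMPLES = {
    "no security":  "027000" "000E0D" "0000" "0000" "A1B2C3" "0000000000" "00",
    "single DES":   "027000" "001615" "1600" "1111" "A1B2C3" "0000000001" "00" + "00" * 8,
    "3DES two-key": "027000" "001615" "1600" "1515" "D4E5F6" "0000000001" "00" + "00" * 8,
    "chat text":    "0500032A0201" "48656C6C6F",
}

def des_variant(key_octet, mode3):
    """Decode a KIc/KID octet: low 2 bits = algorithm, next 2 = DES mode."""
    alg = key_octet & 0x03
    if alg != 1:                      # 0 = implicit, 2/3 = reserved or proprietary
        return "implicit" if alg == 0 else "other"
    return ("DES", "3DES-2key", "3DES-3key", mode3)[(key_octet >> 2) & 0x03]

def parse_header(user_data):
    """Return the command header fields, or None if no 0x70 element in the UDH."""
    udhl = user_data[0]
    udh, body = user_data[1:1 + udhl], user_data[1 + udhl:]
    i, is_command = 0, False
    while i + 2 <= len(udh):          # walk the information elements
        is_command |= udh[i] == 0x70  # IEI 0x70 = command packet identifier
        i += 2 + udh[i + 1]
    if not is_command:
        return None
    if len(body) < 16:                # CPL(2) CHL(1) SPI(2) KIc KID TAR(3) CNTR(5) PCNTR
        raise ValueError("truncated command header")
    spi1 = body[3]
    ciphered, integrity = bool(spi1 & 0x04), spi1 & 0x03   # 0 none, 1 RC, 2 CC, 3 DS
    return {
        "tar": body[7:10].hex().upper(),
        "cipher": des_variant(body[5], "DES") if ciphered else None,   # mode 3 = DES ECB
        "mac": des_variant(body[6], "other") if integrity == 2 else None,
        "integrity": integrity,
    }

def classify(user_data):
    hdr = parse_header(user_data)
    if hdr is None:
        return "not-ota"
    # A redundancy check (1) is an unkeyed CRC, so it authenticates nothing.
    if hdr["cipher"] is None and hdr["integrity"] in (0, 1):
        return "unprotected"
    if "DES" in (hdr["cipher"], hdr["mac"]):
        return "single-des"
    return "stronger-or-unknown"

def report():
    return {name: classify(bytes.fromhex(h)) for name, h in SAMPLES.items()}
```

The caller is expected to pass user data only for messages whose TP-UDHI flag is set; `report()` classifies the four constructed samples.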

Another curious TAR is a file system that stores TMSI (Temporary Mobile Subscriber Identity) and Kc (Ciphering Key). We may perform the following actions via a binary SMS:

  • decrypt subscriber traffic without using brute force attacks on DES,
  • spoof a subscriber's identity (receive his/her calls and SMS),
  • track a subscriber's whereabouts,
  • cause DoS by entering 3 wrong PIN codes and 10 wrong PUK codes in a row if a PIN code is enabled for file system protection.

It is worth noting that the attack described above could successfully circumvent not only A5/1 (the most commonly used cellphone encryption algorithm for 2G networks), but also the stronger versions of encryption used in 3G and 4G.

In conclusion, let us look at basic statistics. We used more than 100 SIM cards of different origin for the research; around 20% of those have the vulnerabilities mentioned earlier, which means every fifth SIM card is flawed.

Even so, it is hard to give any security advice to end users. These attacks mostly target vulnerabilities at the basic technology level, and it is the manufacturers' and telcos' task to fix them. The world press has already described this research as "SMS pwnage on MEELLIONS of flawed SIM cards, popular 4G modems".

25 comments:

  1. This is extremely old stuff. 4G modems are similar to routers hack, just guessing the password by manual search. Also SIMs are using AES256. There is NO carrier in the world using DES, only in the mind of the author of this article. Please post real information.

    Replies
    1. NO

      1. Password for the modem gives you nothing
      2. SIMs ARE using DES/3DES for OTA auth and even 64-bit keys for A5/3

      Please check the slides first.

  2. I can do something similar but with CDMA technology.
    I can clone a complete line onto another phone.
    Verizon, Sprint, Iusacell, Metro were affected :)
