Monday, December 29, 2014

4G Security: Hacking USB Modem and SIM Card via SMS


Telecommunications operators are pushing fast and cheap 4G communications technology. Yet only the chosen few know just how insecure it is. While researching the security level of 4G communications, Positive Technologies experts managed to uncover USB modem vulnerabilities that allow a potential attacker to gain full control of the connected computer as well as to access a subscriber account on a mobile operator portal. Additionally, attacks on a SIM card using a binary SMS allow an intruder to sniff and decrypt traffic or lock the SIM.

The team presented their reports on the topic at the PacSec 2014 (Tokyo) and the 31C3 (Hamburg). In this article, we will give you the digest of this research conducted by Sergey Gordeychik, Alexander Zaitsev, Kirill Nesterov, Alexey Osipov, Timur Yunusov, Dmitry Sklyarov, Gleb Gritsai, Dmitry Kurbatov, Sergey Puzankov, and Pavel Novikov.

First, we would like to say a couple of words about the main purpose of the research. It is not only a matter of security for the trendy smartphones we use to read news feeds on social networks. Multiple critical infrastructures, including industrial control systems (SCADA), also implement digital mobile communication based on the GSM standard. Another example from everyday life is having your money stolen from a bank account. No one would like to become a victim of that. Yet you might have seen the small antennas on ATMs. Yes, that is also GSM.


A modern wireless modem is a computer that runs a well-known OS (usually Linux or Android) and a number of multifunctional applications. The software and data transfer protocols contain vulnerabilities that attackers have successfully exploited over the last several years, say, to unlock a modem or to unbind it from the operator. To solve the problem at a stroke, many services were moved to the web. Yet that resulted in even more vulnerabilities.

For the research, we used 6 different series of USB modems with 30 different firmware versions. Only 3 of those firmware versions proved to be hack-resistant.

What did we manage to do to the rest of them? First, we identified the gear. The documentation and search engines helped us with that. In some cases Google was even more useful: it gave us the password for Telnet access.


However, for external communication we need HTTP, not Telnet. Once the modem is connected to a computer, it is managed as a separate network node through its web applications. This gives an attacker the opportunity to launch an attack via the user's browser (CSRF, XSS, RCE) and, this way, to force the modem to give out a lot of useful information about itself.
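As an added illustration (not code from the original article or from Positive Technologies), here is a minimal Python model of the kind of modem web endpoint the CSRF attack above targets, a handler that changes DNS settings, in its vulnerable form next to a hardened one. The modem address, session handling and configuration store are assumptions made for the demo; the fix shown is the standard one: accept only POST, check the Origin header against the modem's own origin, and require a per-session anti-CSRF token compared in constant time.

```python
"""Added example, not from the original article: a modem web endpoint that changes
DNS settings, modelled in its CSRF-vulnerable form and in a hardened form.
Requests are plain dicts constructed below; no real modem is involved."""
import hmac
import secrets

MODEM_ORIGIN = "http://192.168.8.1"      # assumed address of the modem's web interface
DEFAULT_CONFIG = {"dns1": "8.8.8.8", "dns2": "8.8.4.4"}   # assumed factory DNS settings
SESSION_ID = secrets.token_hex(16)       # the logged-in user's session cookie value
CSRF_TOKENS = {}                         # session id -> anti-CSRF token (kept server-side)


def set_dns_vulnerable(request, config):
    """Vulnerable: accepts any method and trusts the session cookie alone.
    A page open in another tab can trigger this with an <img src="http://192.168.8.1/...">,
    because the browser attaches the modem's cookie to that request automatically."""
    if request["cookies"].get("session") != SESSION_ID:
        return 403
    config["dns1"] = request["params"]["dns1"]
    config["dns2"] = request["params"]["dns2"]
    return 200


def issue_csrf_token(session_id):
    """Called when the settings page is rendered; the token is embedded in the form."""
    token = secrets.token_hex(16)
    CSRF_TOKENS[session_id] = token
    return token


def set_dns_hardened(request, config):
    """Hardened: POST only, Origin must be the modem itself, and the form must carry
    the token bound to this session. A cross-site page can make the browser send the
    cookie, but it cannot read the token or forge the Origin header."""
    if request["method"] != "POST":
        return 405
    if request["headers"].get("Origin") != MODEM_ORIGIN:
        return 403
    session = request["cookies"].get("session")
    if session != SESSION_ID:
        return 403
    expected = CSRF_TOKENS.get(session)
    supplied = request["params"].get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403
    config["dns1"] = request["params"]["dns1"]
    config["dns2"] = request["params"]["dns2"]
    return 200


def cross_site_request(method):
    """Constructed request as a browser would send it from a foreign page: the modem
    cookie is attached, the Origin is the foreign page, no token is known.
    DNS values are taken from the 203.0.113.0/24 documentation range."""
    return {"method": method,
            "headers": {"Origin": "http://attacker.invalid"},
            "cookies": {"session": SESSION_ID},
            "params": {"dns1": "203.0.113.53", "dns2": "203.0.113.54"}}


def same_origin_request(token):
    """Constructed request from the modem's own settings form."""
    return {"method": "POST",
            "headers": {"Origin": MODEM_ORIGIN},
            "cookies": {"session": SESSION_ID},
            "params": {"dns1": "1.1.1.1", "dns2": "1.0.0.1", "csrf_token": token}}


def demo():
    """Returns (HTTP status, resulting dns1) for the three cases."""
    results = {}
    cfg = dict(DEFAULT_CONFIG)
    results["vulnerable_cross_site"] = (set_dns_vulnerable(cross_site_request("GET"), cfg), cfg["dns1"])
    cfg = dict(DEFAULT_CONFIG)
    results["hardened_cross_site"] = (set_dns_hardened(cross_site_request("POST"), cfg), cfg["dns1"])
    cfg = dict(DEFAULT_CONFIG)
    token = issue_csrf_token(SESSION_ID)
    results["hardened_same_origin"] = (set_dns_hardened(same_origin_request(token), cfg), cfg["dns1"])
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The vulnerable handler silently accepts the cross-site GET and the DNS servers are replaced; the hardened one rejects the same request on the Origin check alone, and would still reject it on the missing token if the Origin header were absent.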



Besides obtaining data, we may use the modem to do the following:
  • change DNS settings (to sniff traffic),
  • change SMS center settings (to intercept and interfere with SMS),
  • change the password on the self-service portal by sending an SMS (to transfer money by subscribing to a third-party service),
  • lock the modem by deliberately entering wrong PIN or PUK codes,
  • remotely "update" the modem's firmware to a vulnerable version.
You may advance the attack even further by accessing the computer the hacked modem is connected to. One way to do it is to install a USB keyboard driver on the modem, which causes the computer to identify the modem as an input device. This pseudo keyboard is then used to issue the command to reboot the system from an external disk, aka the very same modem. All that is left to do is to install a bootkit that allows you to remotely control the machine. You may check out the video for visual evidence:
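As an added defender-side example (not from the original research), the composite-device trick above, a modem that suddenly also presents itself as a keyboard and a disk, is visible in the host's kernel log. The Python below scans constructed dmesg-style lines (the message formats are those of the Linux usb, usb-storage, option and hid-generic drivers; the vendor/product IDs and device names are made up) and flags any USB device that enumerates a HID keyboard alongside a modem or mass-storage interface. A plain keyboard and a plain modem produce no alert.

```python
"""Added example, not part of the original article: flag USB devices whose
interfaces combine a HID keyboard with a modem or mass-storage function.
Sample log lines below are constructed; IDs 1234:xxxx / abcd:xxxx are placeholders."""
import re

# Message formats follow the Linux kernel drivers named in each pattern.
NEW_DEV = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
MODEM = re.compile(r"(?:option|cdc_ether|cdc_ncm|qmi_wwan) (?P<port>[\d.-]+):\d+\.\d+:")
HID_KBD = re.compile(r"hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: .*Keyboard")

SAMPLE_DMESG = [
    # device 1: an ordinary 4G modem (storage for its driver CD + serial modem ports)
    "usb 1-1: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00",
    "usb 1-1: Product: Example 4G Modem",
    "usb-storage 1-1:1.0: USB Mass Storage device detected",
    "option 1-1:1.1: GSM modem (1-port) converter detected",
    # device 2: an ordinary keyboard
    "usb 1-4: New USB device found, idVendor=abcd, idProduct=0010, bcdDevice= 1.10",
    "hid-generic 0003:ABCD:0010.0001: input,hidraw0: USB HID v1.11 Keyboard "
    "[Example Keyboard] on usb-0000:00:14.0-4/input0",
    # device 3: a modem whose firmware now also exposes a keyboard interface
    "usb 2-3: New USB device found, idVendor=1234, idProduct=0002, bcdDevice= 1.02",
    "usb-storage 2-3:1.0: USB Mass Storage device detected",
    "option 2-3:1.1: GSM modem (1-port) converter detected",
    "hid-generic 0003:1234:0002.0002: input,hidraw1: USB HID v1.10 Keyboard "
    "[Example 4G Modem] on usb-0000:00:14.0-3/input2",
]


def analyse_usb_log(lines):
    """Group driver messages by USB port and return (port, vid:pid, roles) for every
    device that is a keyboard *and* a modem or storage device at the same time."""
    devices = {}   # port -> {"id": "vvvv:pppp", "roles": set()}
    by_id = {}     # "vvvv:pppp" -> port, used for hid-generic lines which carry only the ID
    for line in lines:
        m = NEW_DEV.search(line)
        if m:
            dev_id = f"{m['vid']}:{m['pid']}"
            devices[m["port"]] = {"id": dev_id, "roles": set()}
            by_id[dev_id] = m["port"]
            continue
        m = STORAGE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["roles"].add("storage")
            continue
        m = MODEM.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["roles"].add("modem")
            continue
        m = HID_KBD.search(line)
        if m:
            port = by_id.get(f"{m['vid'].lower()}:{m['pid'].lower()}")
            if port in devices:
                devices[port]["roles"].add("keyboard")
    alerts = []
    for port, info in devices.items():
        if "keyboard" in info["roles"] and info["roles"] & {"modem", "storage"}:
            alerts.append((port, info["id"], sorted(info["roles"])))
    return alerts


if __name__ == "__main__":
    for port, dev_id, roles in analyse_usb_log(SAMPLE_DMESG):
        print(f"ALERT: device {dev_id} on port {port} presents {', '.join(roles)}")
```

On a real host the same logic can be run over `journalctl -k` output or wired into a udev rule that refuses to bind hid-generic to a device that already has a modem or storage interface; the point is that the keyboard interface of a modem is the anomaly, not USB modems as such.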


The best countermeasure an ordinary user can take is to stop inserting this and that into their USB ports. By "this and that" we also mean innocent-looking USB modems that appear to be such small and harmless communication devices.

We dedicated the second part of our research to SIM cards. The fact that a SIM card is a computer with an OS, a file system, and multifunctional applications was proven long ago. As the German cryptographer Karsten Nohl demonstrated at the Positive Hack Days conference, SIM applications (addressed by TARs, Toolkit Application References) are protected in different ways. Some can be compromised by brute-forcing their DES keys. Some respond to an external command without any protection whatsoever and may give out a lot of sensitive information.

To brute-force DES keys, we use a set of field-programmable gate arrays (FPGAs), which became trendy for Bitcoin mining a couple of years ago and got cheaper after the hype was over. Our rig of 8 ZTEX 1.15y modules, with a price tag of 2,000 Euro, runs at 245.760 Mcrypt/sec. That is enough to obtain the key within 3 days.



Once the key is known, we can issue commands to well-known TARs and manage them; for example, the Card Manager allows installing a Java application on the SIM.

Another curious TAR is a file system that stores TMSI (Temporary Mobile Subscriber Identity) and Kc (Ciphering Key). We may perform the following actions via a binary SMS:

  • decrypt subscriber traffic without a brute-force attack on DES,
  • spoof a subscriber's identity (receive his/her calls and SMS),
  • track a subscriber's whereabouts,
  • cause a DoS by entering 3 wrong PIN codes and 10 wrong PUK codes in a row, if a PIN code is enabled for file system protection.
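The two weak cases the text describes, a TAR that answers with no protection at all and a TAR protected with single DES, both show up in the security header of the OTA command packet carried in the binary SMS. As an added example (not the Positive Technologies tooling), the Python below parses that header and rates it, the way an operator-side OTA gateway could audit its own traffic. The field layout assumed is the one of ETSI TS 102 225 (formerly GSM 03.48): CPL, CHL, SPI (2 bytes), KIc, KID, TAR (3 bytes), CNTR (5 bytes), PCNTR, then the RC/CC/DS field and the secured data; SPI bits b1-b2 select no check / RC / CC / DS, b3 ciphering, b4-b5 the counter mode; KID bits b1-b2 select the algorithm (DES, AES, proprietary) and b3-b4 the DES mode (single DES CBC, 3DES with 2 or 3 keys). The sample packets are constructed with a placeholder TAR and payload and zero-filled checksums; they are fixtures for the parser, not captured messages.

```python
"""Added example, not from the original article: parse and rate the security header
of an SMS-PP OTA command packet (layout assumed per ETSI TS 102 225 / GSM 03.48).
All packets below are constructed fixtures with placeholder TAR, MAC and payload."""

INTEGRITY = {0: "none", 1: "RC", 2: "CC", 3: "DS"}          # SPI byte 1, bits b1-b2
KEY_ALG = {0: "implicit", 1: "DES", 2: "AES", 3: "proprietary"}  # KID bits b1-b2
DES_MODE = {0: "DES-CBC", 1: "3DES-2key", 2: "3DES-3key", 3: "reserved"}  # KID bits b3-b4
FIXED_HEADER = 13   # SPI(2) + KIc(1) + KID(1) + TAR(3) + CNTR(5) + PCNTR(1), counted by CHL


def parse_command_packet(pkt: bytes) -> dict:
    """Split a command packet into its header fields; raises on inconsistent lengths."""
    if len(pkt) < 3 + FIXED_HEADER:
        raise ValueError("too short for a command packet header")
    cpl = int.from_bytes(pkt[0:2], "big")          # length of everything after CPL
    if cpl != len(pkt) - 2:
        raise ValueError("CPL does not match packet length")
    chl = pkt[2]                                   # length of the header after CHL
    mac_len = chl - FIXED_HEADER                   # size of the RC/CC/DS field
    if mac_len < 0 or 3 + chl > len(pkt):
        raise ValueError("CHL inconsistent with packet length")
    spi1, spi2, kic, kid = pkt[3], pkt[4], pkt[5], pkt[6]
    kid_alg = KEY_ALG[kid & 0x03]
    return {
        "tar": pkt[7:10].hex(),
        "counter": int.from_bytes(pkt[10:15], "big"),
        "integrity": INTEGRITY[spi1 & 0x03],
        "ciphered": bool(spi1 & 0x04),
        "counter_mode": (spi1 >> 3) & 0x03,   # 0 none, 1 present but unchecked, 2 must increase, 3 must be +1
        "por_mode": spi2 & 0x03,              # 0 no PoR, 1 always, 2 on error only
        "kic": kic,
        "kid_alg": kid_alg,
        "kid_mode": DES_MODE[(kid >> 2) & 0x03] if kid_alg == "DES" else None,
        "mac": pkt[16:16 + mac_len].hex(),
        "secured_data": pkt[16 + mac_len:],
    }


def rate_protection(info: dict) -> str:
    """Policy: no CC/DS means the card executes anything; single DES is brute-forceable;
    a counter that is absent or unchecked allows replay of a captured packet."""
    if info["integrity"] in ("none", "RC"):
        return "unprotected"
    if info["kid_alg"] == "DES" and info["kid_mode"] in ("DES-CBC", "reserved"):
        return "weak"
    if info["counter_mode"] < 2:
        return "replayable"
    return "ok"


def build_packet(spi1, spi2, kic, kid, tar, counter, mac, payload):
    """Fixture builder for the demo: assembles CPL/CHL around the given header fields."""
    header = bytes([spi1, spi2, kic, kid]) + tar + counter.to_bytes(5, "big") + b"\x00" + mac
    body = bytes([len(header)]) + header + payload
    return len(body).to_bytes(2, "big") + body


TAR = bytes.fromhex("aabbcc")        # placeholder TAR, not a real application identifier
PAYLOAD = bytes.fromhex("00010203")  # placeholder bytes standing in for secured data
SAMPLES = {
    # SPI 00: no RC/CC/DS, no ciphering, no counter; KIc/KID 00 (implicit)
    "no_security": build_packet(0x00, 0x01, 0x00, 0x00, TAR, 1, b"", PAYLOAD),
    # SPI 16: CC, ciphered, counter must increase; KID 11 = single DES CBC, key set 1
    "single_des": build_packet(0x16, 0x21, 0x11, 0x11, TAR, 2, bytes(8), PAYLOAD),
    # SPI 0A: CC, counter present but not checked; KID 15 = 3DES 2-key, key set 1
    "triple_des_no_counter": build_packet(0x0A, 0x21, 0x15, 0x15, TAR, 3, bytes(8), PAYLOAD),
    # SPI 16 with 3DES 2-key
    "triple_des": build_packet(0x16, 0x21, 0x15, 0x15, TAR, 4, bytes(8), PAYLOAD),
    # SPI 16 with KID 12 = AES, key set 1
    "aes": build_packet(0x16, 0x21, 0x12, 0x12, TAR, 5, bytes(8), PAYLOAD),
}


def audit(samples):
    """Rate every packet in the dict; returns {name: rating}."""
    return {name: rate_protection(parse_command_packet(pkt)) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, rating in audit(SAMPLES).items():
        print(f"{name:24s} {rating}")
```

The "unprotected" and "weak" ratings are exactly the two situations the text describes: a TAR that accepts unauthenticated commands, and one whose single-DES key fits within reach of an FPGA rig. The parser also checks CPL and CHL against the actual length, so a truncated or padded packet is rejected rather than misread.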

It's worth noting that the attack described above circumvents not only A5/1 (the most commonly used cellphone encryption algorithm in 2G networks), but also the stronger encryption used in 3G and 4G.

In conclusion, let us look at some basic statistics. We used more than 100 SIM cards of different origin for the research; around 20% of them have the vulnerabilities mentioned above, which means every fifth SIM card is flawed.

Even so, it is hard to give any security advice to end users. These attacks mostly target vulnerabilities at the basic technological level, and it is the task of manufacturers and telcos to fix them. The world press has already described this research as "SMS pwnage on MEELLIONS of flawed SIM cards, popular 4G modems".

20 comments:

  1. This is extremely old stuff. 4G modems are similar to router hacks, just guessing the password by manual search. Also SIMs are using AES256. There is NO carrier in the world using DES, only in the mind of the author of this article. Please post real information.

    1. NO

      1. Password for modem gives you nothing
      2. SIMs DO use DES/3DES for OTA auth and even 64-bit keys for A5/3

      Please check the slides beforehand.

  2. I can do something similar, but with CDMA technology.
    I can clone a complete line onto another phone.
    Verizon, Sprint, Iusacell and Metro were affected :)
