
Dissecting SIM Jacker – Part 1 of 4: SIM & SMS Basics.

A few months back, the team at AdaptiveMobile Security published research on a widespread SIM vulnerability they named SIM Jacker. Although they did not give many details on the technical steps needed to reproduce it, they did release a technical paper [1].

To be fair, they are not the first to point out this kind of vulnerability in SIMs: the team at Security Research Labs has been working on SIM attacks for a long time, as described in their post New SIM attacks de-mystified, protection tools now available. They have also published an excellent tool called SIMtester, which fuzzes a SIM card through a PC/SC-enabled smart card reader to find out whether it is vulnerable to certain attacks (SIM Jacker included); we will work with this tool in a future post.


With that out of the way, we first need to understand the basics of SIMs and SMS messages. A Subscriber Identity Module (SIM) is used mainly to identify the subscriber to a specific mobile network; you can think of it as a small independent computer that you plug into your phone and that lets you use the mobile network provider’s services (such as making calls and sending short messages).

The Short Message Service (SMS) is used for, well, sending short text messages from one subscriber to another through the SMS Center (SMSC), the part of the provider’s infrastructure that relays messages to and from subscribers.


There are two kinds of SMS messages:

1) Text-based short messages

These are the usual text messages that are sent from one subscriber to another, for instance, when you use the default text message application on your phone to send an SMS text message to a friend.

2) APDU messages

Application Protocol Data Unit (APDU) messages, on the other hand, are far more interesting, since they can carry both small, simple text messages and large, complex binary messages; these are the ones we need for exploiting SIM Jacker.

APDU messages are encoded in hexadecimal and can be sent to a subscriber, for instance, via a USB modem. At a very high level, the process of sending these messages looks like the following:

SMS-Submit / SMS-Deliver.

In fact, to reproduce the SIM Jacker vulnerability we will use a USB modem to send APDU messages to a vulnerable SIM card inside a mobile device. Before diving into that, however, we need to understand the concepts of SMS-Submit and SMS-Deliver (as depicted in the previous image).


SMS-Submit

The SMS-Submit conveys (submits) a message from the sending device (the USB modem in this case) to the SMS Center (SMSC). In the model above, the SMS-Submit is sent through the USB modem in the following format [3]:

SMS-Submit format.

Service Center Address (SCA): Contains the length, type and address of the Service Center. If set to 0x00, the default SCA is used.

First Octet (FO): The bits of the first octet are coded as follows:

SMS-Submit first octet.

Message Reference (MR): A reference number for the message; it may be set to 0x00.

Destination Address (DA): The address the message will be sent to. It contains the length, type and address of the recipient’s address.

Protocol Identifier (PID): The protocol used to send the data; 0x00 is the default value for text messages.

Data Coding Scheme (DCS): Indicates how the user data is encoded; 0x00 selects the 7-bit character encoding (Class 0 = Text Message).

User Data Length (UDL): The length of the user data.

User Data (UD): The actual user data.


SMS-Deliver

The SMS-Deliver conveys (delivers) a message from the SMSC to the receiving mobile device. It is built from the SMS-Submit message and has the following format [4] (bolded fields in the image below are copied into the SMS-Deliver directly from the SMS-Submit):

SMS-Deliver format.

Service Center Address (SCA): The address of the Service Center. Copied as it is from SMS-Submit.

First Octet (FO): The bits of the first octet are coded as follows:

SMS-Deliver first octet.

Originator Address (OA): The address of the message sender.

Protocol Identifier (PID): The protocol on which data is sent. Copied as it is from SMS-Submit.

Data Coding Scheme (DCS): Indicates the coding of the data sent in the message. Copied as it is from SMS-Submit.

Service Center Time Stamp (SCTS): Unique time stamp of the message set by the Service Center.

User Data Length (UDL): The length of the user data. Copied as it is from SMS-Submit.

User Data (UD): The actual user data. Copied as it is from SMS-Submit.


Sending an APDU message

Let’s take the following APDU message as an example:

0001000B910516325476F800000BE8329BFD06DDDF723619

Which translates to:

APDU message example.
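To make the field layout above concrete, here is an added Python example (not code from the original post) that builds the page's example PDU from a destination number and a text, computes the length value later passed to AT+CMGS, and decodes a PDU back into the SMS-Submit fields listed above. It assumes the text uses only characters whose GSM 7-bit code equals their ASCII code (letters, digits, space and basic punctuation), which holds for "hello world"; the number +50612345678 is simply what the destination address in the page's PDU decodes to.

```python
# Added example: SMS-SUBMIT encoder/decoder for the PDU layout described on the page.
# Assumption: only characters whose GSM 7-bit code equals their ASCII code are used.
import string

GSM7_ASCII_SUBSET = set(string.ascii_letters + string.digits + " !\"#%&'()*+,-./:;<=>?")


def gsm7_pack(text: str) -> bytes:
    """Pack 7-bit septets into octets, least significant bits first."""
    bad = set(text) - GSM7_ASCII_SUBSET
    if bad:
        raise ValueError("characters outside the ASCII-compatible GSM 7-bit subset: %r" % sorted(bad))
    bits, nbits, out = 0, 0, bytearray()
    for ch in text:
        bits |= (ord(ch) & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8
    if nbits:
        out.append(bits & 0xFF)          # trailing partial octet is zero-padded
    return bytes(out)


def gsm7_unpack(data: bytes, septets: int) -> str:
    """Inverse of gsm7_pack; for DCS 0x00 the UDL is the number of septets (characters)."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))


def encode_address(number: str) -> bytes:
    """Digit count, type-of-address octet, then nibble-swapped BCD digits padded with F."""
    international = number.startswith("+")
    digits = number.lstrip("+")
    toa = 0x91 if international else 0x81     # 0x91 = international number, 0x81 = unknown type
    padded = digits + ("F" if len(digits) % 2 else "")
    swapped = "".join(padded[i + 1] + padded[i] for i in range(0, len(padded), 2))
    return bytes([len(digits), toa]) + bytes.fromhex(swapped)


def encode_sms_submit(destination: str, text: str, sca: bytes = b"\x00") -> str:
    """SCA | FO | MR | DA | PID | DCS | UDL | UD, returned as an upper-case hex string."""
    first_octet = 0x01       # message type SMS-SUBMIT, no validity period, no user data header
    mr, pid, dcs = 0x00, 0x00, 0x00
    user_data = gsm7_pack(text)
    tpdu = bytes([first_octet, mr]) + encode_address(destination) \
        + bytes([pid, dcs, len(text)]) + user_data
    return (sca + tpdu).hex().upper()


def cmgs_length(pdu_hex: str) -> int:
    """Value for AT+CMGS: total bytes minus the SCA field (its length octet plus address bytes)."""
    sca_bytes = int(pdu_hex[:2], 16) + 1
    return len(pdu_hex) // 2 - sca_bytes


def decode_sms_submit(pdu_hex: str) -> dict:
    """Split an SMS-SUBMIT PDU into the fields described on the page."""
    b = bytes.fromhex(pdu_hex)
    pos = b[0] + 1                               # skip SCA (length octet + address)
    fo, mr = b[pos], b[pos + 1]
    pos += 2
    if fo & 0x03 != 0x01:
        raise ValueError("first octet %#04x is not an SMS-SUBMIT" % fo)
    da_digits, toa = b[pos], b[pos + 1]
    pos += 2
    da_len = (da_digits + 1) // 2
    raw = b[pos:pos + da_len].hex().upper()
    pos += da_len
    number = "".join(raw[i + 1] + raw[i] for i in range(0, len(raw), 2))[:da_digits]
    if (toa & 0x70) == 0x10:                     # type of number = international
        number = "+" + number
    pid, dcs, udl = b[pos], b[pos + 1], b[pos + 2]
    pos += 3
    user_data = b[pos:]
    text = gsm7_unpack(user_data, udl) if dcs == 0x00 else None   # only 7-bit text is decoded here
    return {"first_octet": fo, "message_reference": mr, "destination": number, "pid": pid,
            "dcs": dcs, "udl": udl, "user_data": user_data.hex().upper(), "text": text}


if __name__ == "__main__":
    # +50612345678 is the destination the page's example PDU decodes to
    pdu = encode_sms_submit("+50612345678", "hello world")
    print(pdu, "AT+CMGS=%d" % cmgs_length(pdu))
    print(decode_sms_submit(pdu))
```

Running it reproduces the page's PDU exactly, reports 23 as the AT+CMGS length, and decodes the user data back to "hello world". The decoder deliberately leaves non-7-bit user data (DCS other than 0x00) undecoded, since those binary payloads are the subject of part 2.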

Connecting the USB Modem

As mentioned before, in order to send the APDU message we will use a USB modem (with a SIM card inserted) like the following:

USB Modem.

Switching to HSDPA Modem mode

After connecting the USB modem, you might notice that it is recognized as a mass storage device; you can check this by running the lsusb command:

USB Modem in mass storage mode.

To switch to HSDPA mode, run the following usb_modeswitch command:

> usb_modeswitch -W -I -v 12d1 -p 1f01 -M 55534243123456780000000000000011063000000100010000000000000000

Give it a couple of seconds and run the lsusb command again to see the difference:

USB Modem in HSDPA mode.

Connect to the modem

To interact with the modem we first need to connect to it; you can use the screen command as follows (note that the serial port may vary):

> screen /dev/ttyUSB0

We will use AT commands to interact with the modem. If you type AT into the screen console and hit ENTER, you should receive an OK response if everything is working as expected.

AT (ENTER)
OK

Enable the echo function

If you typed AT but did not see the string “AT” in the screen console, the echo function is not enabled; to enable it, type ATE1 and hit ENTER:

ATE1 (ENTER)
OK

Switch to PDU mode

To send an APDU message we need to switch the modem to PDU mode. To do so, run AT+CMGF=0 and hit ENTER:

AT+CMGF=0 (ENTER)
OK

Send the APDU message

To send the APDU message, run AT+CMGS=XX, where XX is the length of the entire message in bytes minus the SCA bytes (XX = 23 in this case), and hit ENTER:

AT+CMGS=23 (ENTER)
>

A greater-than symbol (>) will appear, meaning that the modem expects the APDU message as the next input. Enter the message but DO NOT hit ENTER; instead, press CTRL+Z to send it.

>0001000B910516325476F800000BE8329BFD06DDDF723619 (CTRL+Z)
OK
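The same ATE1, AT+CMGF=0, AT+CMGS and CTRL+Z sequence, driven from a script rather than typed into screen, as an added Python example that is not part of the original post. The real transport would be a pyserial `Serial("/dev/ttyUSB0", timeout=...)` object; because the verifier has no modem, the block injects a constructed FakeModem with the same write()/read() interface that answers the way a PDU-capable modem does (echo after ATE1, a "> " prompt after AT+CMGS, "+CMGS: <reference>" followed by OK once the PDU arrives). Port handling, the response framing and the fake's behaviour are assumptions of this example, not the page's code.

```python
# Added example: scripted AT session for sending one PDU (mirrors the manual steps above).
# Assumption: the port object exposes write(bytes) and read(n) like pyserial's Serial.
import re

CTRL_Z = b"\x1a"     # terminates the PDU instead of ENTER
PDU = "0001000B910516325476F800000BE8329BFD06DDDF723619"   # the page's example message


class ATError(Exception):
    pass


def tpdu_length(pdu_hex: str) -> int:
    """AT+CMGS parameter: all bytes minus the SCA field (its length octet plus address)."""
    return len(pdu_hex) // 2 - (int(pdu_hex[:2], 16) + 1)


def read_until(port, terminators, max_empty_reads=5) -> bytes:
    """Accumulate modem output until it ends with one of the terminators."""
    buf, empty = b"", 0
    while empty < max_empty_reads:
        chunk = port.read(64)
        if chunk:
            buf += chunk
            if any(buf.endswith(t) for t in terminators):
                return buf
        else:
            empty += 1      # a real serial port returns b"" on timeout
    raise ATError("no final result code in %r" % buf)


def send_command(port, command: bytes, terminators=(b"OK\r\n", b"ERROR\r\n")) -> bytes:
    port.write(command + b"\r")
    return read_until(port, terminators)


def send_pdu(port, pdu_hex: str) -> int:
    """Enable echo, switch to PDU mode, submit the PDU; return the reference the modem reports."""
    for cmd in (b"ATE1", b"AT+CMGF=0"):
        if not send_command(port, cmd).endswith(b"OK\r\n"):
            raise ATError("%r was rejected" % cmd)
    prompt = send_command(port, b"AT+CMGS=%d" % tpdu_length(pdu_hex), (b"> ", b"ERROR\r\n"))
    if not prompt.endswith(b"> "):
        raise ATError("modem did not prompt for the PDU")
    port.write(pdu_hex.encode("ascii") + CTRL_Z)      # no ENTER after the PDU
    resp = read_until(port, (b"OK\r\n", b"ERROR\r\n"))
    match = re.search(rb"\+CMGS: (\d+)", resp)
    if match is None or not resp.endswith(b"OK\r\n"):
        raise ATError("submission failed: %r" % resp)
    return int(match.group(1))


class FakeModem:
    """Constructed stand-in for /dev/ttyUSB0; answers the commands used above."""
    def __init__(self):
        self.outbound = bytearray()
        self.echo = False
        self.pdu_mode = False
        self.expected_len = None
        self.sent = []

    def write(self, data: bytes) -> None:
        if self.expected_len is not None:             # body of the message after the "> " prompt
            pdu = data[:-1].decode("ascii") if data.endswith(CTRL_Z) else ""
            ok = pdu and tpdu_length(pdu) == self.expected_len
            self.expected_len = None
            if ok:
                self.sent.append(pdu)
                self.outbound += b"\r\n+CMGS: %d\r\n\r\nOK\r\n" % len(self.sent)
            else:
                self.outbound += b"\r\nERROR\r\n"
            return
        if self.echo:
            self.outbound += data
        cmd = data.rstrip(b"\r").decode("ascii")
        if cmd in ("AT", "ATE1", "AT+CMGF=0"):
            self.echo = self.echo or cmd == "ATE1"
            self.pdu_mode = self.pdu_mode or cmd == "AT+CMGF=0"
            self.outbound += b"\r\nOK\r\n"
        elif cmd.startswith("AT+CMGS=") and self.pdu_mode:
            self.expected_len = int(cmd[len("AT+CMGS="):])
            self.outbound += b"\r\n> "
        else:
            self.outbound += b"\r\nERROR\r\n"

    def read(self, n: int) -> bytes:
        chunk = bytes(self.outbound[:n])
        del self.outbound[:n]
        return chunk


if __name__ == "__main__":
    modem = FakeModem()
    print("modem assigned message reference", send_pdu(modem, PDU))
```

Two points the manual session hides are made explicit here: AT+CMGS must be answered with the "> " prompt before the PDU is written, and the declared length must match the PDU minus its SCA field, otherwise the modem returns ERROR rather than sending anything.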

Check for the message

After the APDU message is sent, the recipient receives the SMS text message with the user data (“hello world” in this case):

Received APDU message.

In part 2 of this series we will see how to send Over The Air (OTA) update messages to a recipient, which is essential for exploiting the SIM Jacker vulnerability.


References

[1] SIM Jacker Technical Paper

[2] SMS Fuzzing – SIM Toolkit Attack

[3] SMS-SUBMIT TPDU Structure

[4] SMS-DELIVER TPDU Structure