
Recently, many articles have appeared on Habr and Geektimes about a SIM card supposedly endowed with unprecedented, unheard-of capabilities, which caused concern and interest in various circles. A lot of skepticism and debate followed, and then various theories, some of them remarkably fanciful. Let us try to lift the veil of secrecy from the technical side. Naturally, these tests would not have been possible without the SIM card itself, which MagisterLudi kindly provided to us.
For those who do not want to read a long text, here is the summary: there is no forced encryption, no protection from interception systems, and no connecting to the second-strongest BS signal; there is caller ID spoofing and there is voice substitution; there is billing; the IMSI is not hidden, and the location is not hidden.
Let's start in order.
First disappointment
The SIM card does not have the Anonymous logo, which was shown in the very first article. Here is what HackerSIM actually looks like:

We decided not to continue the research here - after all, the logo was the main feature.

Whose is it?
The ICCID of the SIM card (printed on it) tells us the following:

We insert the SIM card into a phone, and the first thing we see is that we are in roaming, connected to MTS, and the third line, which is impossible to miss, reads AY Security. That immediately tells whose SIM it really is: www.aysecurity.co.uk/ru/aysim.html

Interestingly, a modern phone displays completely different information (what "GT" stands for remains a mystery):

The site claims the following “unique” features:
- caller ID spoofing,
- forced encryption,
- protection against interception systems,
- voice substitution,
- cost optimization,
- hiding real IMSI,
- hiding real location,
- virtual number.
The first and fourth points have already been discussed at length on Habr, so we will not dwell on them, and will instead try to make sense of the rest, which are considerably more "murky".
Forced encryption
"This function prohibits your SIM card from reducing the encryption level and forces it to ignore commands from operators or interception systems to disable the encryption key generation algorithm (A8) stored in the SIM module. Thus, all your conversations are encrypted using the A5.1 algorithm."
In fact, every GSM connection starts out unencrypted: it is the network that turns ciphering on, and chooses the A5 algorithm, with the Ciphering Mode Command. The SIM plays no part in that decision: its job ends when it runs A3/A8 during authentication and hands the session key Kc to the phone; whether Kc is then used is up to the network's command, which the phone obeys. Here is an example from a real network (with HackerSIM in the phone):

However, this works exactly the same with any other SIM card, since ciphering is normally enabled in all Russian networks. To check the claimed "prohibition" on working without encryption, we connect to OpenBTS and try to place a call:

At first it really does look as if the SIM card somehow found out that there is no encryption and blocked the call. (In fact this is not what happens, as explained below; note also the "Calling..." window at the bottom of the screen.) However, if you try to call several times in a row (in our case, three times), the call goes through:

Incoming calls go through without problems and the conversation also goes through without problems:


It is worth noting that the manufacturer's claim of blocking unencrypted traffic is stated for voice only; in the fake network without encryption, both incoming and outgoing SMS are transmitted without any problems.
Protection against interception systems
This function gives the subscriber the ability to become invisible to mobile interception systems. The principle of the interception system is based on replacing a real base station, thus becoming, in fact, a priority for all phones within its range. A phone with our software ignores bases with the highest signal level.
Generally speaking, the phone does not select a cell by signal level but by the C2 parameter, which is derived from the received signal level, the minimum access level the BS requires (RXLEV_ACCESS_MIN), and the reselection offset (in effect, the cell's "priority") that the BS broadcasts about itself. So the very idea that ignoring the strongest signal saves you from a fake BS is a misconception. For example, OpenBTS running on an SDR transmits about 100 mW, less than a phone itself can (up to 1 W) and far less than a commercial base station. Capture is therefore achieved not by raw power but by advertising a higher priority; and the fact that the phone sits on a weaker BS only means that that BS's priority is higher.
To measure signal power and the C1 and C2 parameters, we used the Greenhead application.
And a few screenshots: the list of serving and neighbouring channels (BCCH is the ARFCN, SC the serving cell, N1 neighbour cell 1, and so on).
1. HackerSIM on the most powerful and highest priority BS

2. HackerSIM on a not so powerful, but highest priority BS

3. We switch on the "interception complex", and... HackerSIM readily connects to it. To be precise, it is the phone that connects: the SIM card has no control over cell selection, and HackerSIM is no exception:

4. Having captured the phone, the fake network stops announcing any neighbours, so the phone has no choice but to stay in the fake network for as long as the attacker wants, or until it leaves the coverage area:

Cost optimization
This point sounds quite original, taking into account the cost of both the SIM card itself and its maintenance.
Hide real IMSI. Hide real location. No billing. Virtual number.
It is stated that there is no billing, and that this is why the subscriber supposedly cannot be tracked. But if there is no billing, who provides this information?

Location tracking is carried out over the SS7 network using the attacks we described in [http://www.ptsecurity.ru/download/PT_SS7_security_2014_rus.pdf]. For that it is enough to know the subscriber's IMSI. Usually it is obtained from the phone number; we do not know the phone number of our HackerSIM, and according to the instructions on the site it is, for some reason, not shown to us (there should also be a DID here, on which we could be called):

We cannot check how "virtual" this number is, because we do not know it. But the IMSI can be obtained over the radio interface, for example when the phone attaches to the network:


The phone sends a Location Update Request, the network asks for the IMSI (Identity Request), the phone states its IMSI (Identity Response), then the authentication exchange follows (Authentication Request and Authentication Response), during which the session key is derived, and only after that does the ciphering command arrive. In other words, the IMSI can be intercepted over the air without breaking any encryption, and it cannot be otherwise: the network needs the identity before it can fetch the authentication vector from which the ciphering key is derived. This is simply how a cellular network works.
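The Identity Request / Identity Response pair described above is plain Layer 3 Mobility Management, sent before ciphering starts. As an added example (not code from the article or from AY Security), the following decodes both messages per 3GPP TS 24.008 and splits the IMSI into MCC, MNC and MSIN. The byte strings are constructed to resemble the exchange in the capture; the IMSI digits after the 22201 prefix are made up.

```python
"""Decode the GSM MM Identity Request / Identity Response pair (3GPP TS 24.008,
sections 9.2.10, 9.2.11 and 10.5.1.4).

Added example, not code from the article: these two messages are sent in clear
before ciphering starts, which is why the IMSI (or IMEI) in the article's
capture could be read straight off the air. All byte strings are constructed.
"""
from dataclasses import dataclass

MM_PROTOCOL_DISCRIMINATOR = 0x05
IDENTITY_REQUEST = 0x18
IDENTITY_RESPONSE = 0x19
IDENTITY_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


@dataclass(frozen=True)
class MobileIdentity:
    kind: str
    value: str          # decimal digits for IMSI/IMEI/IMEISV, 8 hex chars for TMSI


def decode_mobile_identity(value: bytes) -> MobileIdentity:
    """Decode the value part of a Mobile Identity IE.
    Octet 1: bits 1-3 type of identity, bit 4 odd/even digit count, bits 5-8 digit 1.
    Each further octet carries two BCD digits, low nibble first; 0xF fills an even tail."""
    if not value:
        raise ValueError("empty Mobile Identity")
    first = value[0]
    kind = IDENTITY_TYPES.get(first & 0x07)
    if kind is None:
        raise ValueError(f"unknown type of identity {first & 0x07}")
    if kind == "TMSI":
        if len(value) != 5:
            raise ValueError("TMSI identity must be 5 octets")
        return MobileIdentity(kind, value[1:].hex().upper())
    odd = bool(first & 0x08)
    digits = [first >> 4]
    for octet in value[1:]:
        digits += [octet & 0x0F, octet >> 4]
    if not odd:
        if digits[-1] != 0xF:
            raise ValueError("even-length identity must end with 0xF filler")
        digits.pop()
    if any(d > 9 for d in digits):
        raise ValueError("non-decimal digit in identity")
    return MobileIdentity(kind, "".join(map(str, digits)))


def decode_mm_message(msg: bytes) -> dict:
    """Decode an Identity Request or Identity Response L3 message."""
    if len(msg) < 3 or (msg[0] & 0x0F) != MM_PROTOCOL_DISCRIMINATOR:
        raise ValueError("not a Mobility Management message")
    msg_type = msg[1] & 0x3F          # bit 7 is the uplink send-sequence number N(SD)
    if msg_type == IDENTITY_REQUEST:
        # Octet 3: Identity type in the low nibble (same coding as the types above)
        return {"msg": "Identity Request",
                "requested": IDENTITY_TYPES.get(msg[2] & 0x07, "reserved")}
    if msg_type == IDENTITY_RESPONSE:
        length = msg[2]
        if len(msg) < 3 + length:
            raise ValueError("truncated Identity Response")
        return {"msg": "Identity Response",
                "identity": decode_mobile_identity(msg[3:3 + length])}
    raise ValueError(f"unsupported MM message type 0x{msg_type:02x}")


def split_imsi(imsi: str, mnc_digits: int = 2) -> tuple:
    """MCC (3 digits), MNC (2 or 3 digits, country-dependent) and MSIN."""
    return imsi[:3], imsi[3:3 + mnc_digits], imsi[3 + mnc_digits:]


# Constructed exchange, modelled on the one the article describes: the network
# asks for the IMSI and the phone answers with an IMSI in the Italian TIM range.
IDENTITY_REQUEST_IMSI = bytes.fromhex("05 18 01")
IDENTITY_RESPONSE_IMSI = bytes.fromhex("05 59 08 29 22 10 21 43 65 87 09")  # N(SD)=1
IDENTITY_RESPONSE_TMSI = bytes.fromhex("05 19 05 F4 AA BB CC DD")

if __name__ == "__main__":
    print(decode_mm_message(IDENTITY_REQUEST_IMSI))
    imsi = decode_mm_message(IDENTITY_RESPONSE_IMSI)["identity"]
    print(imsi, "-> MCC/MNC/MSIN", split_imsi(imsi.value))
    print(decode_mm_message(IDENTITY_RESPONSE_TMSI))
```

Point the decoder at the raw L3 bytes of a capture (as exported by Wireshark or osmocom-bb) and the identity falls out without any key material, exactly because this exchange precedes the Ciphering Mode Command.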
One question raised on Habr is still open. When a phone registers in a visited network, a request goes to the home network, but after that all calls should go through the visited network. So how do all outgoing calls end up going through the PBX? The answer is original, yet quite simple.
When we tried to call from a Motorola C118, the call was dropped and nobody called back. The same thing happens with the mobile utility from the osmocom-bb package:

Incidentally, SMS are dropped for an even more interesting reason:

But back to the question of why an outgoing call does not work on the old Motorola at all, while on a modern phone it is dropped and then the PBX calls back. A radio dump reveals the secret:

During an outgoing call, instead of a call setup message (Setup), the phone sends a USSD carrying the called number; the USSD travels around the world for a while until it reaches its home network in the Netherlands, then a USSD response comes back with the simple phrase "Calling start", and then an incoming call arrives with the usual sequence: Setup, Call Confirmed, Assignment Command.
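The USSD string that carries the called number is packed in the GSM 7-bit default alphabet (3GPP TS 23.038), which is how a dump like the one above shows it before the dissector unpacks it. The following is an added example, not code from the article or from AY Security: it packs and unpacks such a string so that a dialed number can be read out of the USSD-String octets. The dialed number is constructed, and the assumption that the applet sends the bare number (rather than some service-code wrapper) is ours; the article does not show the exact format.

```python
"""Pack and unpack a USSD string in the GSM 7-bit default alphabet (3GPP TS 23.038, 6.1.2).

Added example, not from the article. Shows how a dialed number rides inside a
USSD-String the way the article's radio dump suggests. The number below is
constructed and the real applet's USSD format is not known from the article.
"""

# Characters whose GSM 7-bit default-alphabet code equals their ASCII code: enough
# for digits, '*', '#', '+' and CR/LF. The rest of the alphabet is left out on purpose.
_SAME_AS_ASCII = ("\r\n !\"#%&'()*+,-./0123456789:;<=>?"
                  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
_TO_SEPTET = {c: ord(c) for c in _SAME_AS_ASCII}
_FROM_SEPTET = {v: k for k, v in _TO_SEPTET.items()}
CR = 0x0D


def gsm7_pack(septets: list) -> bytes:
    """Concatenate 7-bit values LSB-first into octets (TS 23.038 6.1.2.1.1)."""
    value = 0
    for i, s in enumerate(septets):
        value |= (s & 0x7F) << (7 * i)
    return value.to_bytes((7 * len(septets) + 7) // 8, "little")


def gsm7_unpack(data: bytes, count: int) -> list:
    """Inverse of gsm7_pack for a known number of septets."""
    value = int.from_bytes(data, "little")
    return [(value >> (7 * i)) & 0x7F for i in range(count)]


def ussd_encode(text: str) -> bytes:
    """Encode a USSD string. When exactly 7 bits would be left spare, TS 23.038
    6.1.2.3.1 fills them with a CR so the receiver does not read a stray '@' (0x00)."""
    septets = [_TO_SEPTET[c] for c in text]        # KeyError for chars outside the subset
    if (7 * len(septets)) % 8 == 1:
        septets.append(CR)
    return gsm7_pack(septets)


def ussd_decode(data: bytes) -> str:
    """Decode a USSD string of unknown length: take every whole septet, then drop
    the padding CR if the octets were filled exactly and end in CR."""
    count = len(data) * 8 // 7
    septets = gsm7_unpack(data, count)
    if septets and septets[-1] == CR and (len(data) * 8) % 7 == 0:
        septets.pop()
    return "".join(_FROM_SEPTET[s] for s in septets)


# Constructed dialed number standing in for what the applet puts into the USSD.
DIALED = "+79991234567"

if __name__ == "__main__":
    packed = ussd_encode(DIALED)
    print(f"{DIALED!r} -> {len(packed)} octets: {packed.hex()}")
    print("decoded:", ussd_decode(packed))
```

Twelve characters pack into eleven octets; the classic reference vector "hellohello" packs to e8329bfd4697d9ec37, which is a handy sanity check when reading any 7-bit field by hand.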

So all outgoing activity except USSD is prohibited for this SIM card, and it is the home network that prohibits it. The call itself is intercepted by the application on the SIM card (presumably through the SIM Toolkit call-control mechanism, which lets a SIM applet see an outgoing call request and replace it with a different request, a USSD included) and turned into a USSD with the called number. The USSD goes to the home network; meanwhile the applet terminates the call, displays "Calling..." on the screen and waits for the USSD response; it also checks whether "encryption" is in use in the network. If the USSD fails or the "Calling start" response does not arrive, it simply blocks the call, which is what we saw in the fake network.
However, the SIM card's performance apparently does not allow it to intercept every call: when it is flooded with calls, they start to go out directly.
We tried to repeat this in a real network to make a call bypassing the PBX, but there all such calls are "bounced" by the network, since, as noted above, all outgoing activity is prohibited for HackerSIM.
The most attentive will have noticed the Identity Request just before the USSD response in the previous screenshot. The network uses this message to obtain the IMSI or IMEI from the phone.


Recall that the IMEI is, generally speaking, an optional identifier in a cellular network and may never be requested at all. So someone is collecting them, and not by accident. There is no anonymity in using HackerSIM: they know who, where, when, and whom you called.
Now, knowing the secret of outgoing calls, we can place calls both from the old Motorola and from the mobile utility of the osmocom-bb package.

Multi IMSI/Ki
To change the IMSI/Ki pair, use the SIM card menu:

Callback on/off — turns on (off) the SIM card application that replaces outgoing calls with USSD.
Menu — there is nothing there except Exit.
Reset sim profile — resets TMSI and Kc (session key).
About —

Select Location — select IMSI/Ki.

Global — IMSI 22201xxxxxxxxxx, belonging to the Italian operator TIM.
Global+ — IMSI 20404xxxxxxxxxx, belonging to the Dutch operator Vodafone Libertel.
USA — IMSI 310630xxxxxxxxx, not tied to a specific operator; used by various "global SIM" products.
Prime — IMSI 23418xxxxxxxxxx, belonging to the British Cloud9/wire9 Tel.
All IMSIs except Global+ fail to register in Russia, for one of these two reasons:


Not everything is smooth in the Global+ mode either.
List of preferred networks (where it is guaranteed to work):
List of preferred PLMNs:
MCC |MNC
-------+-------
234 |15 (Guernsey, Vodafone)
262 |02 (Germany, Vodafone)
208 |10 (France, SFR)
222 |10 (Italy, Vodafone)
214 |01 (Spain, Vodafone)
505 |03 (Australia, Vodafone)
228 |01 (Switzerland, Swisscom)
206 |01 (Belgium, Proximus)
404 |20 (India, Vodafone IN)
404 |11 (India, Vodafone IN)
404 |27 (India, Vodafone IN)
404 |05 (India, Vodafone IN)
404 |46 (India, 46)
272 |01 (Ireland, Vodafone)
202 |05 (Greece, Vodafone)
232 |01 (Austria, A1)
655 |01 (South Africa, Vodacom)
286 |02 (Turkey, Vodafone)
238 |01 (Denmark, TDC)
268 |01 (Portugal, Vodafone)
260 |01 (Poland, Plus)
230 |03 (Czech Republic, Vodafone)
250 |01 (Russian Federation, MTS)
216 |70 (Hungary, Vodafone)
226 |01 (Romania, Vodafone)
244 |05 (Finland, Elisa)
602 |02 (Egypt, Vodafone)
219 |10 (Croatia, VIPnet)
620 |02 (Ghana, Ghana Telecom Mobile / Vodafone)
255 |01 (Ukraine, MTS)
There are no forbidden networks, but when trying to register in Beeline and TELE2, a refusal comes from the home network; MegaFon works, and MTS is preferred (in the SIM card).
This is what happens when trying to connect to Beeline:

So, while this SIM may work in any country in the world, it definitely does not work in every network in the world.
Conclusions
The outgoing-call scheme used here can complicate finding the initiator of a call, but only on the condition that the PBX is located abroad and has no contact whatsoever with the special services, and that the telecom operators do not know and do not want to know about the existence of such specific SIM cards. If, however, someone wants to track the activity of everyone who uses such SIM cards, it is not difficult: the only difference is that slightly different information than usual has to be looked for. The SIM card itself has no fantastic or hacker properties.