Thin SIM-Based Mobile Money Attacks
Rowan Phipps, Shrirang Mare, Peter Ney, Jennifer Rose Webster, Kurtis Heimerl
Goals
Investigate security vulnerabilities introduced by thin SIMs
Propose possible defenses for these vulnerabilities
What do SIM cards do
● Identify users on the network
● Authenticate the device on the network
● Call Control
● Run SIM Toolkit (STK) apps
What are STK apps
● Run on the SIM card
● Consist of menus and input prompts
● Defined by GSM 11.14
Normal SIM app operations
What is USSD
Unstructured Supplementary Service Data
● Dialed like a voice number
● No records are stored on the device
● Provides a text-only interface
What is USSD
*123#: connects to the USSD service at 123
*123*1#: connects to the USSD service at 123 and enters 1 at the first prompt
Thin SIMs
Bladox Turbo SIM
TAISYS SIMoME®
Thin Sims
● Field installable
● Contains all the functionality of a SIM card
● Allows third-party apps
● Free from carrier restrictions
● Can read and modify all communication between the phone and the SIM card
Reasons For Installation
● Distribution of apps
● Cell phone unlocking
● Malicious installation
The Rise of M-Pesa
● Founded by Safaricom in 2007
● Transfers the equivalent of 44% of the Kenyan GDP
● Has since expanded to many other countries
● Runs primarily through an STK app
Equity Bank
● Tried to launch their own STK-based mobile money platform
● Decided to use thin SIMs to distribute their app
● Safaricom opposed this, citing security concerns
● Court ruled in favor of Equity Bank in 2015
An app running on the thin SIM
App running on the original SIM card with a thin SIM installed
What if the thin SIM is not friendly?
Thin SIM Capabilities
● Intercept, modify and create STK commands
● View responses to STK commands in plain text
● Send SMS with or without notifying the user
● Log and redirect calls (both voice and USSD)
● Make USSD calls without the user’s knowledge
● Track location updates
● Perform GSM authentication actions
● Read data from the SIM card, including the IMSI and phonebook
M-Pesa STK app attack
Safaricom and Airtel both have SIM-app-based mobile money platforms that facilitate large amounts of trade; however, we primarily focused on M-Pesa.
The attack takes place in two phases:
1. Steal credentials
2. Make fraudulent payments
Phase 1: Get Credentials
Phone <-> Thin SIM <-> SIM card
1. Transparently passes STK commands
2. Listens until the SIM asks for the user’s PIN (“Enter PIN”)
3. Stores the response (“1234”)
Phase 2: Make Payments
Phone <-> Thin SIM <-> SIM card
1. Status update
2. Spoof transaction
3. SMS callback
4. Send silent SMS
Call Control Mechanism: Allow
Call (123) 456 7890 -> Call Control -> Allow, unmodified
Call Control Mechanism: Modify
Call (123) 456 7890 -> Call Control -> Redirect to: (111) 222 3333
Call Control sounds harmless enough, right?
Call Control attacks
● Call tracking for targeted advertising, surveillance, or blackmail
● Phishing attacks
● Premium rate calls
● Redirect USSD calls
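The Allow/Modify exchange above, as an added example that is not part of the slides: a handset-side check that parses the SIM's call control answer per GSM 11.14 and refuses (or, if policy allows, records and sends) a dialled USSD string the SIM rewrote, which is the *1234# to *5678# redirection the deck describes. The result codes 0x00/0x01/0x02, the USSD string tag 0x0A and the 8-bit data coding are my reading of the standard rather than anything the slides state; a real handset would also decode 7-bit packed strings.

```python
# Added example, not from the slides: a handset-side check on the GSM 11.14
# "call control by SIM" answer. Result codes and the USSD string tag are my
# reading of the standard; DCS 0x44 (8-bit) stands in for 7-bit USSD packing.
from dataclasses import dataclass
from typing import List, Optional, Tuple

CC_ALLOWED, CC_NOT_ALLOWED, CC_ALLOWED_WITH_MODS = 0x00, 0x01, 0x02
TAG_USSD_STRING = 0x0A
COMPREHENSION = 0x80   # tag bit the SIM may set; stripped when parsing
DCS_8BIT = 0x44        # data coding scheme assumed for this demo

def encode_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value      # single-byte length suffices here

def parse_tlvs(data: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")   # refuse, never guess
        tag, length = data[i] & ~COMPREHENSION, data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        out.append((tag, value))
        i += 2 + length
    return out

def build_cc_response(result: int, new_ussd: Optional[str] = None) -> bytes:
    """Bytes a SIM (or a thin SIM in front of it) returns to the envelope."""
    body = b""
    if new_ussd is not None:
        body = encode_tlv(TAG_USSD_STRING | COMPREHENSION,
                          bytes([DCS_8BIT]) + new_ussd.encode("ascii"))
    return bytes([result]) + body

@dataclass
class Decision:
    proceed: bool
    effective: Optional[str]   # string the handset will actually send
    reason: str                # allowed | refused | redirected | converted

def check_call_control(dialled: str, response: bytes,
                       allow_rewrite: bool = False) -> Decision:
    """Handset-side policy for a USSD string the user dialled."""
    if not response or response[0] == CC_ALLOWED:
        return Decision(True, dialled, "allowed")   # no data also means proceed
    if response[0] == CC_NOT_ALLOWED:
        return Decision(False, None, "refused")
    if response[0] != CC_ALLOWED_WITH_MODS:
        raise ValueError(f"unknown call control result {response[0]:#04x}")
    target = None
    ussd = dict(parse_tlvs(response[1:])).get(TAG_USSD_STRING)
    if ussd is not None:
        if not ussd or ussd[0] != DCS_8BIT:
            raise ValueError("unsupported USSD data coding scheme")
        target = ussd[1:].decode("ascii")
    if target == dialled:
        return Decision(True, dialled, "allowed")   # rewrite changed nothing
    # *1234# rewritten to *5678# is the redirection on the attack slides: record
    # it, and send the new string only when policy explicitly allows rewrites.
    ok = allow_rewrite and target is not None        # no USSD TLV: turned into a call/SS
    return Decision(ok, target if ok else None, "redirected" if target else "converted")
```

Refusing a rewrite the SIM is entitled to make departs from GSM 11.14, which is why the Defenses slide says disabling call control means changing the standard; merely logging the rewrite does not.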
USSD Attack
This attack also consists of two phases:
1. Steal credentials
2. Make transactions
Requires the attackers to set up their own USSD service.
USSD Attack Phase 1
Legitimate USSD Service: *1234#
Attacker’s USSD Service: *5678#
1. Call *1234#
2. Redirect to *5678#
3. Send payment details
4. Error
USSD Attack Phase 2
Legitimate USSD Service: *1234#
Attacker’s USSD Service: *5678#
1. Call *5678#
2. Payment details
3. Make transaction
Possible Defenses
● Disable call control
  ○ Requires modifying the standard
● Disable the ability to silence outgoing SMS and USSD
● Discourage the use of thin SIMs by allowing third-party apps on carrier SIMs
● For STK and USSD: send a confirmation code via SMS
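The last defense, a confirmation code sent by SMS, sketched as a server-side step (an added example, not code from the slides or from M-Pesa/Safaricom): the code is single-use, short-lived and bound to the exact payee and amount, so a PIN captured in Phase 1 of the STK attack and a transaction spoofed in Phase 2 still cannot be committed without it. The HMAC construction, 6-digit codes and 120 s lifetime are my assumptions, and the check only helps if the SMS reaches the user on a path the thin SIM cannot read or answer on their behalf.

```python
# Added example, not from the slides or M-Pesa: server-side confirmation
# codes bound to one payment. HMAC-SHA256, 6 digits and 120 s are my choices.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    payer: str          # payer's MSISDN
    recipient: str      # payee's MSISDN or till number
    amount_kes: int

    def canonical(self) -> bytes:
        return f"{self.payer}|{self.recipient}|{self.amount_kes}".encode()


@dataclass
class Pending:
    txn: Transaction
    nonce: bytes
    issued_at: float
    used: bool = False


class ConfirmationService:
    def __init__(self, server_key: bytes, ttl_s: int = 120,
                 clock: Callable[[], float] = time.time) -> None:
        self._key, self._ttl, self._clock = server_key, ttl_s, clock
        self._pending: Dict[str, Pending] = {}

    def _code(self, p: Pending) -> str:
        # Bound to payer, payee and amount plus a fresh nonce: a code read off
        # the SMS for one payment cannot authorise a different one.
        mac = hmac.new(self._key, p.nonce + p.txn.canonical(),
                       hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def begin(self, txn: Transaction) -> Tuple[str, str]:
        """Call after the PIN check. Returns (txn_id, SMS text for the payer)."""
        txn_id = secrets.token_hex(8)
        p = Pending(txn, secrets.token_bytes(16), self._clock())
        self._pending[txn_id] = p
        # The SMS spells out what is being confirmed, so a user who did not
        # start this payment sees the spoofed payee and amount and does not reply.
        sms = (f"Confirm sending KES {txn.amount_kes} to {txn.recipient}. "
               f"Reply with code {self._code(p)}")
        return txn_id, sms

    def confirm(self, txn_id: str, code: str) -> Optional[Transaction]:
        """Return the transaction to commit, or None if the code is not valid."""
        p = self._pending.get(txn_id)
        if p is None or p.used:
            return None                          # unknown id or replayed code
        if self._clock() - p.issued_at > self._ttl:
            del self._pending[txn_id]            # expired: a new begin() is needed
            return None
        if not hmac.compare_digest(self._code(p), code):
            return None
        p.used = True                            # single use
        return p.txn
```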
Summary
Developed two proof-of-concept attacks against mobile money utilising thin SIMs.
Demonstrated that thin SIMs have the potential to be dangerous, in order to discourage their usage.
Finally, we proposed possible defenses and explained why other defenses are infeasible.
Questions?