Mobile Authentication Subspace Travel
Markus Vervier
May 28th, 2015
whoami
Intro / What it’s all about
May we Borrow your Identity for a While?
SIM Access
Baseband
Adding Features
Goodie
Conclusion
Mobile Authentication Subspace Travel HITBSecConf2015 - Amsterdam – 2
whoami
■ Markus Vervier / @marver
■ Background in security for over 10 years
■ Main interests:
◆ Firmware
◆ Network Security
◆ Mobile Networks
◆ Finding Bugs
◆ Security Design
■ Working as Security Researcher and Penetration Tester for LSE Leading Security Experts GmbH
Intro / What it’s all about
Topics of this Talk
■ Authentication in mobile networks
■ How millions of devices are exposing SIM-Cards
■ How to have fun with baseband firmware
■ Using this to forward mobile network authentication
Authentication (Birds Eye)
■ SIM-Card authenticates a user / his contract
■ Provider AuC and SIM-Card share a secret key Ki
■ Challenge-Response Network-Authentication between Mobile-Equipment (ME) and Network
■ Users have no access to Ki
1 Source: UMTS Security, Valtteri Niemi and Kaisa Nyberg
May we Borrow your Identity for a While?
A Misconception
■ Naive Idea: Authentication is secured by having a “secure” SIM device that does it
■ Temporary Authentication tokens are derived from the secret key Ki on the SIM
■ Then they leave the SIM!
■ They are valid on their own for a time!
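The challenge-response flow of the "Authentication (Birds Eye)" and "A Misconception" slides as a runnable toy model: AuC and SIM share Ki, the SIM answers a RAND with SRES and Kc, and the network's check needs only RAND and SRES, so the token passes on its own once it has left the SIM. This is an added example, not code from the talk or its author. The `a3_a8` function built on HMAC-SHA256 is a stand-in assumption for the operator's real A3/A8 algorithms, and every name in it (`Sim`, `AuC`, `authenticate`, `appears_in`, `demo`) belongs to the example.

```python
"""Toy model of the SIM / AuC challenge-response described on the slides."""
import hashlib
import hmac
import os


def a3_a8(ki, rand):
    """Stand-in for the operator's A3/A8 algorithms (an assumption of this
    example): derive the 4-byte SRES and the 8-byte Kc from Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """Holds Ki and never exports it; it only answers RAND challenges."""

    def __init__(self, ki):
        self._ki = ki

    def run_gsm_algorithm(self, rand):
        # Both outputs leave the SIM; Ki does not.
        return a3_a8(self._ki, rand)


class AuC:
    """Provider authentication centre: shares Ki with the SIM, checks SRES."""

    def __init__(self, ki):
        self._ki = ki

    def challenge(self):
        return os.urandom(16)                 # fresh RAND per authentication

    def verify(self, rand, sres):
        expected_sres, _kc = a3_a8(self._ki, rand)
        return hmac.compare_digest(expected_sres, sres)


def authenticate(auc, answer_challenge, transcript):
    """One authentication round between network and mobile equipment (ME).

    `answer_challenge` maps RAND -> (SRES, Kc); for a normal phone it is the
    SIM's own run_gsm_algorithm. Every value crossing the ME <-> network
    boundary is recorded in `transcript`.
    """
    rand = auc.challenge()
    transcript.append(("net->me", rand))
    sres, kc = answer_challenge(rand)
    transcript.append(("me->net", sres))
    return auc.verify(rand, sres), (rand, sres, kc)


def appears_in(secret, transcript):
    """True if `secret` was ever sent between ME and network."""
    return any(secret in payload for _, payload in transcript)


def demo():
    ki = os.urandom(16)
    auc, sim, transcript = AuC(ki), Sim(ki), []
    ok, (rand, sres, kc) = authenticate(auc, sim.run_gsm_algorithm, transcript)
    return {
        "ok": ok,
        "ki_leaked": appears_in(ki, transcript),      # Ki stays on SIM and AuC
        "token_valid_alone": auc.verify(rand, sres),  # the token passes without the SIM
        "sres_len": len(sres),
        "kc_len": len(kc),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes for a defender: the transcript never contains Ki, yet `auc.verify` accepts the recorded (RAND, SRES) pair with no SIM involved, which is why a token that leaves the SIM over an exposed interface has to be treated as a credential in its own right.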
SIM Access
SIM-Usage
■ Baseband manages the SIM-Card
■ Sends command APDUs to the SIM-Card and processes responses
■ Passes stuff like SMS, SIM-Toolkit, etc. to the AP
Retrieving Authentication
■ No direct access to SIM by AP
■ But there are indirect methods:
◆ AT-Command-Interfaces accessible via Bluetooth / USB
◆ Vendor specific: Internal Android RIL calls
SIM-Card-Access via AT+CSIM
Command Syntax:
AT+CSIM=<length>,<command>
Response Syntax:
+CSIM:<length>,<response>
■ Nobody listened to security advice from 3GPP 27.007: “Care must be exercised in AT commands that allow the TE to take unintentionally control over the SIM-MT interface (e.g. +CSIM);”
Unprivileged Apps can Talk to the SIM
■ Should have no SIM access without privileges
■ AT-Command-Prompt found on /dev/pts/XX on MTK-Devices
■ Bug: Permissions 0777 on older Alcatel Android devices!
■ Unprivileged apps can query the SIM-Card via AT+CSIM
■ Also other methods for SIM-Access at other vendors (Samsung Galaxy S2 / S3)
SIM-Card-Access Demo
DEMO
Command-APDU
AT+CSIM=46,"00|88|00|80|11|FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
00: CLA (Class)
88: INS (Command)
00: P1 (Algorithm)
80: P2 (Key Reference)
11: Lc (Length of Payload)
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF: RAND
Response-APDU
+CSIM: 32, "04799AFC|13083F18786C33995BB8|9000"
04799AFC: SRES
13083F18786C33995BB8: Kc
9000: APDU Result Code
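A defender-side reading of the AT+CSIM syntax slide, the "Unprivileged Apps can Talk to the SIM" slide and the two APDU slides above: the declared <length> must equal the number of hex characters, the first five bytes of the command are CLA / INS / P1 / P2 / Lc, and the response ends in the status word. The Python below is an added example, not code from the talk: it parses modem AT-command log lines of that shape and flags authentication requests (INS 0x88, as on the Command-APDU slide) together with the successful answers that follow them, which is the check one would run over a log of the AT interface to see whether an unprivileged process pulled authentication results out of the SIM. The log lines, hex values and helper names are constructed for the example; reading the 46-character command as header, one length byte, a 16-byte RAND and one trailing byte is the example's assumption, not something the slide states.

```python
"""Checks over modem AT-command log lines for AT+CSIM traffic (constructed sample)."""
import re

# Byte positions of the command-APDU header fields, as labelled on the slide.
CLA, INS, P1, P2, LC = 0, 1, 2, 3, 4
AUTH_INS = 0x88      # INS of the authentication command shown on the Command-APDU slide
SW_OK = 0x9000       # APDU result code for success shown on the Response-APDU slide

CSIM_CMD_RE = re.compile(r'^AT\+CSIM=(\d+),"([0-9A-Fa-f]*)"$')
CSIM_RSP_RE = re.compile(r'^\+CSIM:\s*(\d+),\s*"([0-9A-Fa-f]*)"$')


def _payload(length, hexdata):
    # 3GPP 27.007: <length> counts the characters of the quoted hex string.
    if length != len(hexdata) or length % 2:
        raise ValueError(f"+CSIM length {length} does not fit {len(hexdata)} hex characters")
    return bytes.fromhex(hexdata)


def parse_csim_command(line):
    """AT+CSIM=<length>,<command> -> header fields and data, or None if not +CSIM."""
    m = CSIM_CMD_RE.match(line.strip())
    if m is None:
        return None
    apdu = _payload(int(m.group(1)), m.group(2))
    if len(apdu) < 5:
        raise ValueError("command APDU shorter than its 5-byte header")
    lc = apdu[LC]
    return {"cla": apdu[CLA], "ins": apdu[INS], "p1": apdu[P1],
            "p2": apdu[P2], "lc": lc, "data": apdu[5:5 + lc]}


def parse_csim_response(line):
    """+CSIM:<length>,<response> -> data bytes and trailing status word, or None."""
    m = CSIM_RSP_RE.match(line.strip())
    if m is None:
        return None
    rsp = _payload(int(m.group(1)), m.group(2))
    if len(rsp) < 2:
        raise ValueError("response APDU shorter than its 2-byte status word")
    return {"data": rsp[:-2], "sw": int.from_bytes(rsp[-2:], "big")}


def scan_at_log(lines):
    """Return (line index, message) for every SIM authentication request seen on
    the AT interface and for every successful answer that followed one."""
    findings = []
    awaiting_answer = False
    for i, line in enumerate(lines):
        cmd = parse_csim_command(line)
        if cmd is not None:
            awaiting_answer = cmd["ins"] == AUTH_INS
            if awaiting_answer:
                findings.append((i, "SIM authentication requested via AT+CSIM "
                                    f"(P1={cmd['p1']:#04x}, P2={cmd['p2']:#04x}, Lc={cmd['lc']})"))
            continue
        rsp = parse_csim_response(line)
        if rsp is not None and awaiting_answer:
            if rsp["sw"] == SW_OK:
                findings.append((i, f"{len(rsp['data'])}-byte authentication result left the SIM"))
            awaiting_answer = False
    return findings


# Constructed log, not a capture: a SELECT and its answer, then an authentication
# request laid out as on the slide (5-byte header, one length byte, 16-byte RAND,
# one trailing byte = 46 hex characters) and a 32-character answer ending in 9000.
SAMPLE_LOG = [
    'AT+CSIM=14,"00A40004023F00"',
    '+CSIM: 4,"9000"',
    'AT+CSIM=46,"0088008011' + '10' + 'A1' * 16 + '00"',
    '+CSIM: 32,"04DEADBEEF08' + '0011223344556677' + '9000"',
]

if __name__ == "__main__":
    for index, message in scan_at_log(SAMPLE_LOG):
        print(index, message)
```

The length check matters in practice: a <length> that does not match the hex string is exactly the kind of malformed input that 27.007's warning about unintentional control of the SIM-MT interface is concerned with, so the parser rejects it rather than guessing.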
Enter AT+EAUTH
■ Problem: AT+CSIM does not work on recent devices
■ Solution: Vendors added new commands to help
■ Dedicated commands for authentication: AT+EAUTH and AT+ESIMAUTH
■ Used for EAP-SIM / EAP-AKA e.g. to authenticate to a WiFi using a SIM
■ Also used to retrieve authentication to connect to a mobile network
SIM-Card-Access via BT-SAP
■ Purpose: Interoperability Car↔Phone
■ Solution: Sim Access Profile
■ Allows remote SIM usage via Bluetooth
■ Specified in Bluetooth DOC: SAP SPEC
■ Great! A Specified way to leak your network authentication!
Dial Up Networking
■ USB or Bluetooth
■ Works via AT-Commands
■ Exposes a serial device
■ Present on millions of older mobile phones
■ Often exposed without user notification and interaction
■ What could possibly go wrong?
USB Modem Demo
DEMO
A Blackhat Telco Operator
■ How many systems in the world are part of botnets?
■ Over 9000 for sure!
■ How many mobile phones are connected regularly to these systems via USB?
■ A lot!
■ Attacker-Goal: Authenticate to a mobile network using stolen credentials
■ As seen above: a lot of mobile phones expose their SIM cards
■ A big pool of vulnerable devices available for malicious purposes!
Baseband
What about it?
■ Acquire valid authentication vectors from a remote SIM
■ What to do with it?
■ We can forward authentication to a custom mobile device
■ Boring - everyone wants off the shelf phones!
■ So let’s take a stock baseband firmware and modify it!
Baseband Overview
■ Takes care of communication with the mobile network
■ Has direct access to the SIM-Card
■ Usually proprietary
■ Runs on (somewhat) separate CPU
Baseband Hardware
■ Only a few significant vendors: Qualcomm, MediaTek, Spreadtrum, Marvell and Intel
■ Focus here: MediaTek Platforms
■ Other BaseBand vendors are more locked down today
■ A lot of previous work regarding Qualcomm
Baseband Firmware
■ MTK Baseband based on Nucleus RTOS
■ Loaded at boot-time by the Android-System running on the AP from “/etc/firmware/modem*.img”
■ MTK-Linux-Kernel-Module takes care of it
■ Firmware on many MTK-Based-Phones not signed
■ Logical separation between Baseband/Modem (BP) and Application-Processor (AP)
■ Communication between AP and BP: Shared RAM, UART
Interfaces between AP and BP
■ AP and BP are logically separated but they have a lot of intersections
■ On the AP side exposed as char devices or via kernel (ioctls)
■ Modem-RMMI: AT-Commands
■ Debug-Output
■ Firmware-Control via AP (Reset, Exception Handling, etc.)
CCCI / CCIF
■ CCCI (Cross Core Communication Interface): Handles data exchange between AP and BP
■ Exposed as different kernel drivers on the AP side
■ Character devices (/dev/ccci*)
■ Low-Level (CPU to CPU Interface called CCIF according to MTK-Docs) for MT6582:
◆ 16 Physical channels (8 AP→MD, 8 MD→AP)
◆ One 256 bytes dual port SRAM
Baseband Firmware - Structure
■ Uncompressed raw binary
■ Partial image of the memory space starting at address 0x00000000
■ No virtual memory
■ Contains a trailer at the end
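Two facts from the Baseband Firmware slides matter most to a defender: the modem image under /etc/firmware is loaded without a signature, and it is a raw memory snapshot based at address 0. The Python below is an added example, not ShadowSIM or MediaTek code: it pins SHA-256 digests of the modem*.img files so that a patched image is noticed before anything loads it, and it maps baseband addresses to offsets in a partial image. The temporary directory, image bytes, trailer stand-in and file names are constructed for the example, and the names `check_modem_images`, `address_to_offset` and `demo` are the example's own.

```python
"""Integrity pinning and address mapping for unsigned raw baseband images."""
import glob
import hashlib
import os
import tempfile

IMAGE_BASE = 0x00000000   # the image is a memory snapshot starting at address 0


def sha256_file(path):
    """Stream a file through SHA-256; images are large, so read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_modem_images(firmware_dir, pinned):
    """Compare every modem*.img in `firmware_dir` with a manifest of known-good
    digests. Returns {file name: "ok" | "modified" | "unpinned"}."""
    status = {}
    for path in sorted(glob.glob(os.path.join(firmware_dir, "modem*.img"))):
        name = os.path.basename(path)
        if name not in pinned:
            status[name] = "unpinned"      # the manifest does not know this image
        elif pinned[name] != sha256_file(path):
            status[name] = "modified"      # bytes differ from the pinned build
        else:
            status[name] = "ok"
    return status


def address_to_offset(addr, image_len):
    """Map a baseband address to a file offset. No virtual memory is involved,
    but the file only covers part of the address space, so bounds are checked."""
    offset = addr - IMAGE_BASE
    if offset < 0 or offset >= image_len:
        raise ValueError(f"address {addr:#010x} is outside the {image_len}-byte image")
    return offset


def demo():
    """Constructed firmware directory: one pristine image, one copy with a patched byte."""
    good = bytes(range(256)) * 16 + b"TRAILER!"     # constructed image plus trailer stand-in
    patched = bytearray(good)
    patched[0x100] ^= 0xFF                           # a single flipped byte, as a patch would leave
    with tempfile.TemporaryDirectory() as firmware_dir:
        with open(os.path.join(firmware_dir, "modem.img"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(firmware_dir, "modem_copy.img"), "wb") as fh:
            fh.write(bytes(patched))
        pinned = {"modem.img": hashlib.sha256(good).hexdigest(),
                  "modem_copy.img": hashlib.sha256(good).hexdigest()}
        return check_modem_images(firmware_dir, pinned)


if __name__ == "__main__":
    print(demo())
```

On a real device the manifest would be generated from the vendor build and stored somewhere the modem loader cannot rewrite; the check is only as strong as the protection of the pinned digests.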
Baseband Firmware - DEMO
DEMO
Adding Features
Remote SIM
■ Goal: Transfer SIM commands to a remote mobile phone – but how?
■ Modern phones have additional communication channels besides the mobile network
◆ Bluetooth
◆ Dual-SIM
◆ Data Connection of a second SIM
◆ WiFi
■ BT-SAP (SIM Access Profile) - works only for short distances
■ SIM commands can travel through unintended channels, e.g. over TCP/IP
Remote SIM Concept
[Figure: Remote SIM concept (WiFi / Internet / Proxy)]
ShadowSIM
whoami
Intro / What it’sall about
May we Borrowyour Identity fora While?
SIM Access
Baseband
Adding Features
Remote SIMRemote SIMConcept
ShadowSIMShadowSIM -Concept
ShadowSIM -BasebandCommunicationShadowSIM -FirmwareModificationShadowSIM -DEMO
Wait a Minute
Goodie
Conclusion
Mobile Authentication Subspace Travel HITBSecConf2015 - Amsterdam – 34
■ Allows usage of remote SIM-Cards■ Download from:
https://github.com/shadowsim/shadowsim
![Page 46: Markus Vervier - Mobile Authentication Subspace Travel.pdf](https://reader030.vdocument.in/reader030/viewer/2022021503/589d7b7d1a28abb3498ba499/html5/thumbnails/46.jpg)
ShadowSIM
whoami
Intro / What it’sall about
May we Borrowyour Identity fora While?
SIM Access
Baseband
Adding Features
Remote SIMRemote SIMConcept
ShadowSIMShadowSIM -Concept
ShadowSIM -BasebandCommunicationShadowSIM -FirmwareModificationShadowSIM -DEMO
Wait a Minute
Goodie
Conclusion
Mobile Authentication Subspace Travel HITBSecConf2015 - Amsterdam – 34
■ Allows usage of remote SIM-Cards■ Download from:
https://github.com/shadowsim/shadowsim
■ Implements a virtual SIM-Card by patching theBaseband-Firmware of a Mediatek 6573 phone:
1. Identify the code that enables SIM-Access2. Change it to send APDUs to the AP and read
Response-APDUs
![Page 47: Markus Vervier - Mobile Authentication Subspace Travel.pdf](https://reader030.vdocument.in/reader030/viewer/2022021503/589d7b7d1a28abb3498ba499/html5/thumbnails/47.jpg)
ShadowSIM
whoami
Intro / What it’sall about
May we Borrowyour Identity fora While?
SIM Access
Baseband
Adding Features
Remote SIMRemote SIMConcept
ShadowSIMShadowSIM -Concept
ShadowSIM -BasebandCommunicationShadowSIM -FirmwareModificationShadowSIM -DEMO
Wait a Minute
Goodie
Conclusion
Mobile Authentication Subspace Travel HITBSecConf2015 - Amsterdam – 34
■ Allows usage of remote SIM-Cards■ Download from:
https://github.com/shadowsim/shadowsim
■ Implements a virtual SIM card by patching the baseband firmware of a MediaTek MT6573 phone:
1. Identify the code that handles SIM access
2. Change it to send Command-APDUs to the AP and read back the Response-APDUs
■ Implement a native Android application that processes the APDU commands:
1. Read a Command-APDU sent by the baseband
2. Send it over TCP to a remote system that has SIM access
3. Write the Response-APDU back to the baseband
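The relay described in the two procedures above, written out as an added example in Python; this is not code from the talk or from the ShadowSIM repository. One side is the remote system with SIM access, the other is the phone-side forwarder that takes each Command-APDU handed over by the baseband, ships it over TCP and returns the Response-APDU. Everything below the APDU level is an assumption of mine: the 2-byte length-prefixed TCP framing, a SimulatedSim standing in for the real card reader on the remote host, and a truncated HMAC-SHA1 over Ki standing in for the operator's A3/A8 (COMP128 or Milenage). The baseband-side firmware patch that ShadowSIM applies is not reproduced; gsm_authenticate plays the baseband's role.

```python
"""ShadowSIM-style APDU relay (added example, not the project's own code).
Remote side: a TCP server answering GSM 11.11 C-APDUs with a SIM. Phone side:
forward the baseband's C-APDU, hand back the R-APDU. Framing is an assumption:
a 2-byte big-endian length prefix in front of every APDU."""
import hashlib
import hmac
import socket
import struct
import threading


def parse_capdu(raw):
    """Split a T=0 command APDU into CLA, INS, P1, P2, P3 and trailing data."""
    if len(raw) < 5:
        raise ValueError("C-APDU shorter than the 5-byte header")
    cla, ins, p1, p2, p3 = raw[:5]
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "p3": p3, "data": raw[5:]}


class SimulatedSim:
    """Stand-in for the card on the remote host (assumption). The A3/A8 is a
    truncated HMAC-SHA1 keyed with Ki, not COMP128 or Milenage; only the APDU
    flow (RUN GSM ALGORITHM, then GET RESPONSE) is meant to match a real SIM."""

    def __init__(self, ki):
        self.ki = ki
        self.pending = b""  # data the next GET RESPONSE returns

    def transmit(self, capdu):
        try:
            c = parse_capdu(capdu)
        except ValueError:
            return b"\x67\x00"  # wrong length
        if c["ins"] == 0x88:  # RUN GSM ALGORITHM: 16-byte RAND in
            if c["p3"] != 16 or len(c["data"]) != 16:
                return b"\x67\x00"
            mac = hmac.new(self.ki, c["data"], hashlib.sha1).digest()
            self.pending = mac[:12]  # SRES (4 bytes) || Kc (8 bytes)
            return b"\x9F\x0C"  # 12 bytes ready, fetch them with GET RESPONSE
        if c["ins"] == 0xC0:  # GET RESPONSE
            out, self.pending = self.pending[: c["p3"]], b""
            return out + b"\x90\x00"
        return b"\x6D\x00"  # INS not supported


def _recv_exact(sock, n):
    buf = sock.recv(n, socket.MSG_WAITALL)
    if len(buf) != n:
        raise ConnectionError("peer closed")
    return buf


def send_frame(sock, apdu):
    sock.sendall(struct.pack(">H", len(apdu)) + apdu)


def recv_frame(sock):
    (n,) = struct.unpack(">H", _recv_exact(sock, 2))
    return _recv_exact(sock, n)


def relay(sock, capdu):
    """Phone side: what the Android app does with each C-APDU from the baseband."""
    send_frame(sock, capdu)
    return recv_frame(sock)


class SimServer(threading.Thread):
    """Remote system with SIM access; serves one relay connection."""

    def __init__(self, sim, host="127.0.0.1"):
        super().__init__(daemon=True)
        self.sim, self.srv = sim, socket.socket()
        self.srv.bind((host, 0))  # ephemeral port
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]

    def run(self):
        conn, _ = self.srv.accept()
        with conn:
            try:
                while True:  # one C-APDU in, one R-APDU out, until the phone hangs up
                    send_frame(conn, self.sim.transmit(recv_frame(conn)))
            except ConnectionError:
                pass


def gsm_authenticate(transmit, rand):
    """The sequence a baseband runs for a network AUTHENTICATION REQUEST.
    `transmit` may talk to a local card or go through relay(); it cannot tell."""
    sw = transmit(b"\xA0\x88\x00\x00\x10" + rand)  # RUN GSM ALGORITHM
    if len(sw) != 2 or sw[0] != 0x9F:
        raise RuntimeError("unexpected status " + sw.hex())
    resp = transmit(b"\xA0\xC0\x00\x00" + bytes([sw[1]]))  # GET RESPONSE
    if resp[-2:] != b"\x90\x00":
        raise RuntimeError("unexpected status " + resp[-2:].hex())
    return resp[:4], resp[4:12]  # SRES, Kc


def demo(rand=bytes(16)):
    server = SimServer(SimulatedSim(bytes(range(16))))  # constructed test Ki
    server.start()
    with socket.create_connection(("127.0.0.1", server.port)) as sock:
        return gsm_authenticate(lambda capdu: relay(sock, capdu), rand)
```

gsm_authenticate is the same whether it is handed SimulatedSim.transmit or a closure over relay(): the side that answers the network's challenge cannot distinguish a card in the slot from one on the other end of a TCP socket, which is the whole point of the technique. Note what the sample relay lacks on purpose: no authentication or encryption of the TCP leg, so anyone who can reach that port can drive the card's authentication algorithm as if they held the SIM.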
ShadowSIM - Concept
ShadowSIM - Baseband Communication
■ First idea: use one of the UARTs as a communication channel to the AP
■ That was a bad idea: UART communication in the baseband is asynchronous, so it means a lot of work writing and registering your own handler
■ Easier: use shared memory
■ The vendor's debugging application mdlogger already uses shared memory for log transfer
■ Its source code is published, so changing it for our purpose was easy
ShadowSIM - Firmware Modification
■ Things that help:
◆ Lots of assertions and debugging strings in the code
◆ MediaTek firmware for various devices sometimes ships with debug symbols
◆ MediaTek reuses code a lot (this made it easier to compare different firmwares)
◆ No obfuscation
■ In general the code is quite well structured and functionality is abstracted; this makes patching easier
ShadowSIM - DEMO
DEMO
Wait a Minute
Goodie
Hardening
■ What else can we patch?
■ Objective: a more secure baseband firmware
■ Best way: create a new one from scratch
■ In the meantime: patch the existing ones
■ Always an improvement for security: reducing the attack surface
■ So let's turn off stuff!
SIM Application Toolkit (STK / SAP)
■ Can work outside of user control
■ "Value added services"
■ OTA commands sent to / via your SIM
■ Used for attacks and surveillance
■ Probably unwanted in "hostile" environments
Patching - DEMO
DEMO
Conclusion
Results-Recap
■ Credentials can be acquired from a SIM card
■ On many devices even over USB
■ Dual-use:
◆ Bad: bad guys may steal your network identity
◆ Good: new applications that free users from SIM cards and allow them to share SIM cards
■ Non-repudiation is gone for good: a SIM card in a mobile phone proves nothing
■ When your security model is from the 80s, chances are high it doesn't work anymore
■ If YOU have ideas on what features to add to or remove from a baseband firmware, contact me!
THANK YOU