This mini-publication is a detailed commentary on the HackerSIM publication.
A warning: as a professional, I could not refrain from writing this comment, since the publication contains many technical inaccuracies that will give an uninformed user wrong ideas about modern communications.
- I have nothing to do with the Russian or any other mobile operator in any way; this answer is rather an explanation for readers and expresses my personal point of view.
- I apologize in advance for my language. For many years I have been coming to understand that the language in which I speak and think is not quite Russian.
So.
1. The article is entitled “HackerSIM: fake any phone number. CTF Social Engineering. No one can steal your number or your ID (IMSI).” Much has been written about the security of mobile networks and there is no point in repeating it. The main postulate is very simple: as long as there are no hacker implants in your pocket or in your handset, no one can steal your number by means of the SIM card. The consequence is that no one will be able to call another subscriber at your expense... The case where attackers obtain a new SIM for your number from your operator, in place of yours, does not matter in this context, since it is a legal issue, not a technical one.
2. Any SIM card must have at least a virtual infrastructure to which it is “tied”, with all the ensuing consequences: roaming, the cost of all basic services, the availability of mobile Internet and its cost. Not to mention that this virtual infrastructure has to be connected somewhere, and all such connections are strictly regulated by local law in almost every country. Even if we assume there is a country that agrees to connect such a virtual server to its network, that does not mean a Russian mobile operator will agree to roaming with a strange infrastructure.
3. This only hides your phone number from the mobile operator of the receiving subscriber. As for hiding the number from the receiving subscriber, there is CLIR (calling line identification restriction) for that. We will not discuss the services for hiding the IMSI and distorting the voice.
4. The choice of cell. The publication states: “HackerSIM works only with the cell whose signal level is the second strongest. This algorithm provides protection against interception complexes.”
Excuse me, but it is the phone itself (the handset) that selects a network and the particular cell it is going to work with. The SIM cannot influence the choice of cell within a given operator, as that is the prerogative of the phone; the SIM can only obtain information about it. In addition, once a voice connection is established on 2G/3G, the transition to another cell (handover) is controlled by the base station side, on the basis of measurement reports provided by the phone itself. Even here the SIM cannot change anything. Do not believe it? Learn the fundamentals and do not forget this.
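To make the point above concrete, here is the selection rule the handset (ME) actually applies when it decides which cell to camp on, the C1/C2 criteria of 3GPP TS 45.008 section 6.4. This is an added example written for this commentary, not code from the HackerSIM publication or its author; the cell values, the power class and the cell names are constructed. Every input is either measured by the handset (RXLEV) or read from the cell's broadcast system information; nothing comes from the SIM, which is why a SIM cannot implement a "second-strongest signal" policy, and why such a policy would not even be meaningful: the second-strongest cell may fail C1 and be unusable, while a weaker cell with a reselection offset can outrank a stronger one.

```python
"""Cell selection the way the handset (ME) performs it: 3GPP TS 45.008 section 6.4.

Added example; not code from the HackerSIM article or its author. Cell values
below are constructed for illustration. The ME measures RXLEV itself and reads
RXLEV_ACCESS_MIN, MS_TXPWR_MAX_CCH and the C2 parameters from the cell's
broadcast (SI3/SI4); nothing here comes from the SIM.
"""
from dataclasses import dataclass
from typing import List, Optional

MS_MAX_POWER_DBM = 33  # assumed: power class 4 GSM 900 handset


@dataclass
class Cell:
    name: str
    rxlev: int                      # averaged received level on the BCCH carrier, dBm (measured by ME)
    rxlev_access_min: int           # minimum level the cell admits, dBm (broadcast)
    ms_txpwr_max_cch: int           # max power an MS may use on a control channel, dBm (broadcast)
    cell_reselect_offset: int = 0   # dB, C2 parameter (broadcast)
    temporary_offset: int = 0       # dB, C2 parameter (broadcast)
    penalty_time: int = 0           # seconds, C2 parameter (broadcast)
    penalty_infinite: bool = False  # PENALTY_TIME = 11111: offset is subtracted instead
    barred: bool = False            # CELL_BAR_ACCESS set


def c1(cell: Cell, p: int = MS_MAX_POWER_DBM) -> int:
    """Path-loss criterion C1 = A - max(B, 0); the cell is suitable only if C1 > 0."""
    a = cell.rxlev - cell.rxlev_access_min
    b = cell.ms_txpwr_max_cch - p
    return a - max(b, 0)


def c2(cell: Cell, t_seconds: int, p: int = MS_MAX_POWER_DBM) -> int:
    """Reselection criterion C2: C1 adjusted by operator-chosen offsets.

    H(PENALTY_TIME - T) is 1 while the penalty timer T is still running, so a
    freshly seen cell is temporarily penalised by TEMPORARY_OFFSET.
    """
    base = c1(cell, p)
    if cell.penalty_infinite:
        return base - cell.cell_reselect_offset
    h = 1 if t_seconds < cell.penalty_time else 0
    return base + cell.cell_reselect_offset - cell.temporary_offset * h


def select_cell(cells: List[Cell], t_seconds: int = 0) -> Optional[str]:
    """Cell the ME camps on: highest C2 among suitable (C1 > 0, not barred) cells."""
    suitable = [c for c in cells if not c.barred and c1(c) > 0]
    if not suitable:
        return None
    return max(suitable, key=lambda c: c2(c, t_seconds)).name


def second_strongest(cells: List[Cell]) -> str:
    """What a naive 'use the second-strongest signal' rule would pick, for comparison."""
    return sorted(cells, key=lambda c: c.rxlev, reverse=True)[1].name


# Constructed sample: B has the second-strongest signal, but its RXLEV_ACCESS_MIN
# is so high that C1 < 0 and the ME may not use it at all; C is weaker than A but
# carries a CELL_RESELECT_OFFSET and wins on C2.
SAMPLE_CELLS = [
    Cell("A", rxlev=-60, rxlev_access_min=-104, ms_txpwr_max_cch=33),
    Cell("B", rxlev=-65, rxlev_access_min=-60, ms_txpwr_max_cch=33),
    Cell("C", rxlev=-70, rxlev_access_min=-104, ms_txpwr_max_cch=33,
         cell_reselect_offset=30),
]

if __name__ == "__main__":
    for c in SAMPLE_CELLS:
        print(f"{c.name}: C1={c1(c):4d} C2={c2(c, 0):4d} suitable={c1(c) > 0}")
    print("ME camps on:", select_cell(SAMPLE_CELLS))
    print("'second strongest' rule would pick:", second_strongest(SAMPLE_CELLS))
```

C2 applies only when the cell broadcasts the C2 parameters and the handset is Phase 2 or later; otherwise the handset ranks suitable cells by C1 alone. Either way the decision is computed in the baseband from broadcast values, which is the whole of the author's point.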
5. Regarding encryption. In mobile communications, encryption is applied only on the radio leg, between the handset and the nearest base station (or a separate subsystem behind it); beyond that everything travels in the clear. On the receiving side encryption may likewise be present, but that depends on the receiving network. End-to-end encryption (directly between the users) is possible, but only through a special handset, or more precisely a phone with special internal software, which naturally will not be cheap. Since we always have a “SIM + infrastructure” bundle, the encryption algorithm depends on the network in which roaming takes place (or on the home network) and on the set of algorithms supported by that bundle. And now the most important thing: the A5/2 algorithm (not A5/1, which is weakened but still deployed) is prohibited so thoroughly that all modern phones are checked during certification for not supporting it. That happened because it was broken long ago, and its source can now be found on the web as teaching material. Nobody needs to force anything on anyone in mobile communications: everything is encrypted whenever possible.
On the one hand, all this fuss is presented as protection against catchers; on the other hand, what is described is a process of forcing the encryption down to a level that can already be found on the network. I will not raise the question of how realistic this is or how it relates to the IMSI + Ki pair.
But in the end it comes out like the joke: “Haim, either take off the cross or put on your underpants.”
6. The author began the story with GSM, and it is not clear where he finished. I will reveal a little secret. In second- and third-generation networks the telephone number is never transmitted over the air during call setup (from the point of view of the call originator). The file in the SIM that holds it (EF_MSISDN) served, up to the fourth generation, only as information. By the way, in old handsets it was possible to edit it and write in any number, for example the neighbour's grandmother's. It is also necessary to understand that in modern networks the subscriber number is entirely virtual and can even change dynamically. Most importantly, at the level of the receiving subscriber and of the receiving subscriber's network, the caller's number may simply be absent. Yes, it may be present, but even then no one guarantees that the number is real, and this information is transmitted over the air in encrypted form.
7. The publication states: “the operator on its side, or the interception complex, sends a service command to the mobile subscriber's number, the MSISDN. In a conventional SIM card the MSISDN is tied to a specific IMSI + Ki pair and is stored by the issuing operator. HackerSIM does not belong to any of the operators and does not have a rigidly bound MSISDN, since it has several profiles.”
The interception complex can redirect commands anywhere; it is just that no one guarantees that the source of the connection is a mobile network at all rather than an old analogue system with the capacious English name POTS, so the complex may simply receive no response.
As for the claim that HackerSIM does not belong to any operator, that is not so. As soon as you connect your server to the telephone network with your SIM and you have roaming, you are an operator, albeit a virtual one. Yes, you can have several profiles, but what does that have to do with the MSISDN? Moreover, I will reveal a secret: nowhere in the standard is the MSISDN rigidly tied to the IMSI. Since the GSM system itself has ISDN services built in, each subscriber can have several numbers (up to 8, I think), for example one or several for voice, a second for fax, a third for data, a fourth for video, and so on.
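Points 6 and 7 both come down to what the SIM actually stores about the subscriber's number. The following added example (written for this commentary, not code from the HackerSIM publication or its author) encodes and decodes the EF_MSISDN records defined in 3GPP TS 51.011 section 10.3.17 (TS 31.102 section 4.2.26 for the USIM). It shows that the number in the SIM is plain record data the holder can overwrite with anything that fits, and that the file holds one record per number rather than a single number bound to the IMSI. The alpha-identifier length, the record names and the sample numbers are assumptions; real cards use an operator-chosen alpha length.

```python
"""EF_MSISDN records as stored on the SIM (3GPP TS 51.011 10.3.17 / TS 31.102 4.2.26).

Added example; not code from the HackerSIM article or its author. The alpha
identifier length and the sample numbers are assumptions.

Record layout: alpha identifier (ALPHA_LEN bytes) followed by 14 bytes:
  1  length of BCD number contents (TON/NPI byte + number bytes actually used)
  1  TON/NPI (0x91 international type + ISDN plan, 0x81 unknown type + ISDN plan)
  10 dialling number, nibble-swapped BCD, padded with 0xF
  1  capability/configuration1 identifier (0xFF = none)
  1  extension1 record identifier (0xFF = none)
"""
from typing import List, Optional

ALPHA_LEN = 20                 # assumed; operator-defined on real cards
RECORD_LEN = ALPHA_LEN + 14
TON_NPI_INTERNATIONAL = 0x91
TON_NPI_UNKNOWN = 0x81
BCD_CHARS = "0123456789*#abc"  # TS 24.008 BCD: 0xA='*', 0xB='#', 0xC..0xE='a'..'c', 0xF=end/fill


def _nibble(ch: str) -> int:
    return 0xF if ch == "f" else BCD_CHARS.index(ch)


def _to_bcd(digits: str) -> bytes:
    """Pack two characters per byte, first one in the low nibble, 0xF fill for odd length."""
    if len(digits) % 2:
        digits += "f"
    return bytes((_nibble(digits[i + 1]) << 4) | _nibble(digits[i])
                 for i in range(0, len(digits), 2))


def _from_bcd(data: bytes) -> str:
    out = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0xF:
                return "".join(out)
            out.append(BCD_CHARS[nib])
    return "".join(out)


def encode_record(alpha: str, number: str) -> bytes:
    """Build one EF_MSISDN record; a leading '+' selects the international TON."""
    if number.startswith("+"):
        ton_npi, digits = TON_NPI_INTERNATIONAL, number[1:]
    else:
        ton_npi, digits = TON_NPI_UNKNOWN, number
    if not digits or len(digits) > 20 or any(ch not in BCD_CHARS for ch in digits):
        raise ValueError("number must be 1..20 BCD characters")
    bcd = _to_bcd(digits)
    # alpha identifier: ASCII subset of the GSM default alphabet assumed, 0xFF padded
    alpha_field = alpha.encode("ascii")[:ALPHA_LEN].ljust(ALPHA_LEN, b"\xff")
    return alpha_field + bytes([1 + len(bcd), ton_npi]) + bcd.ljust(10, b"\xff") + b"\xff\xff"


def decode_record(rec: bytes) -> Optional[dict]:
    """Parse one record; returns None for an unused (all-0xFF) record."""
    if len(rec) != RECORD_LEN:
        raise ValueError("bad record length")
    alpha = rec[:ALPHA_LEN].rstrip(b"\xff").decode("ascii", "replace")
    length, ton_npi = rec[ALPHA_LEN], rec[ALPHA_LEN + 1]
    if length == 0xFF:
        return None
    if not 2 <= length <= 11:
        raise ValueError("bad BCD length byte")
    digits = _from_bcd(rec[ALPHA_LEN + 2: ALPHA_LEN + 2 + length - 1])
    prefix = "+" if (ton_npi & 0x70) == 0x10 else ""   # TON bits 7..5 == 001: international
    return {"alpha": alpha, "number": prefix + digits, "ton_npi": ton_npi}


def decode_file(data: bytes) -> List[Optional[dict]]:
    """Split a linear-fixed EF_MSISDN image into records and decode each."""
    if len(data) % RECORD_LEN:
        raise ValueError("file size is not a multiple of the record length")
    return [decode_record(data[i:i + RECORD_LEN]) for i in range(0, len(data), RECORD_LEN)]


def rewrite_record(data: bytes, index: int, alpha: str, number: str) -> bytes:
    """Overwrite record `index` (0-based), as UPDATE RECORD on a writable card would."""
    off = index * RECORD_LEN
    return data[:off] + encode_record(alpha, number) + data[off + RECORD_LEN:]


# Constructed three-record file: voice number, fax number, one unused record.
SAMPLE_FILE = (encode_record("Voice", "+79161234567")
               + encode_record("Fax", "+79161234568")
               + b"\xff" * RECORD_LEN)

if __name__ == "__main__":
    print(decode_file(SAMPLE_FILE))
    # The "neighbour's grandmother" edit: the record is just data, nothing checks it.
    print(decode_file(rewrite_record(SAMPLE_FILE, 0, "Granny", "+74951234567"))[0])
```

Nothing in the network reads this file back from the card: the MSISDN the network uses for routing and for charging lives in the HLR/HSS against the IMSI, which is why editing the record changes only what the handset displays as "my number".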