HackedSim. Call from any number - fiction or reality?
Last week, an article about HackerSIM appeared with an intriguing title and promising content. The essence of the article was as follows: for a substantial amount, an order of magnitude greater than the cost of a regular sim card, some guys give you their sim card, which allows you to "safely call from any number from any country with any voice to selected numbers" (in quotes because that aggregation of theses from the previously mentioned article is cited here). After looking at the comments, it turned out that there is a lively interest in this topic, but no one has a precise understanding of how it works and whether it works at all.After a little thought with colleagues, we decided to tell how this service is realizable in real life.
Initially, we were skeptical about the content of the above article, apparently written by a layman in this field, so we decided to look at what is on the subject on the Internet. Here are a few resources ( safecalls.ru , video work , another video ) that convinced us of the performance of the proposed service (only the declared security of calls remained in question, since we could not see this on the video, so its presence will be discussed later) . In addition, such requirements were added as work with any mobile phones and smartphones, no need to install programs and internet connection.
Description of the service
We will try not to bore the reader with technical details and describe some processes at a rather abstract level. In the case of interest in some unlit details, please write questions in the comments. We hope this will complement the overall picture.
')
Connection and registration in the network
When installing a new SIM card, the first thing the phone tries to connect to the home network. As it has already been written many times, the phone sorts the available frequencies according to the signal level in descending order and then tunes in order to find their operator, until the process is successful. The considered sim card, as stated, works in any countries of the world, therefore, it is obvious that, as a rule, it does not work in the home network — the sim card is roaming and uses base stations provided by other operators for communication. Only other operators "just like that" do not provide their equipment to "not their own" customers, this happens only if roaming agreements are concluded between the operators.
However, firstly, the GSM association is trying to widely distribute standardized roaming agreements, and secondly, no one has checked how this SIM card works in other countries. According to unverified data in the modern world, most often everyone has these agreements with everyone, but it’s not what’s important here, but the fact that providers of such a service must have a licensed operator who provides them with sim-cards, and the operator has roaming agreements.
As it was just what was said by default, your phone connects to the base station with the highest signal level. But in order to ensure security, namely, protection from IMSI Catchers, when using this SIM card, the connection is made to the second BTS (Base Transceiver Station). From a technical point of view, this can only be done at a very low level, because the whole logic of working with a radio channel is performed by the baseband processor (the modem is a separate device in your phone with its own architecture and OS). The report “The Secret Life of SIM Cards” was presented at Defcon 21, from which it can be understood that the sim card has its own OS and its own applications. At the same time, applications on a sim card can display simple UI controls — for example, the Live Balance service is implemented in this way, open urls, send sms, make calls, receive notifications about the start / end of a call.
These applications are written in a strongly truncated version of the Java language and use the SIM Toolkit (STK) API for interaction. Documentation about the work of the SIM Applets and the baseband processor is small, but if the function of selecting the second base station with power works, then it can be realized with the help of the SIM Applet. This is really time-consuming and difficult work (perhaps even impossible - we have not studied the documentation on the baseband interface provided in detail), which can only be performed by a highly qualified specialist, but our opinion is that this function is not supported in these sim-cards, because It requires a lot of resources, and the result is not only dubious, and for the absolute majority of it is unnoticeable (not everyone can check). Therefore, this is most likely just a marketing ploy. Another argument in favor of the fact that this function is not implemented is that the written application must be “poured” onto the sim card. Naturally, not anyone can do this, but only the owner of the OTA Install Key, which is unique to each SIM card.
In the presentation above, there is a slide with the Shadytel operator and the sim card distributed by it with Ki, IMSI and OTA Install Key. We do not know if it is licensed, but if it is, and the organizers of the service “Hacker SIM” use this or a similar operator, then the user of this sim card should not sleep well, because while he is sleeping on his card, third parties can fill in the code ( because they know the OTA Install Key).
As for the forced use of the A5 / 1 encryption algorithm for traffic between MS and BTS with the participation of this sim card, this again refers us to the previous paragraph. The command to establish the encryption algorithm comes from MS MS BTS in a message Ciphering Mode Command Protocol Radio Resource Management (on top of LAPDm). Thus, the sim card needs to receive this packet from the baseband and, in the case of an “inappropriate” algorithm, reject the command and terminate the connection. For all this, the baseband should provide a very well-developed interface to the SIM card. And again, there is the problem of developing and installing an application on a sim card (it is not even clear what is more complicated). In addition, another rhetorical question arises: why only the A5 / 1 algorithm is used? It is clear that A5 / 1 is needed for compatibility with old equipment, but if the user's phone and the operator’s equipment support A5 / 3, then why not use it, after all, according to experts in the field of cryptography, it is safer? So most likely this feature is not implemented.
Make a call from any number
Now let's move on to the most interesting - what is shown in the video is confirmed by comments to the article, and therefore implemented - to make calls from absolutely any numbers.
The idea of ​​this reception is that for a call on telephone networks to identify the caller (Caller), two identifiers are used simultaneously: the identifier of the number that is billed, and the number displayed on the equipment of the party receiving the call (Callee).
Those who are interested in the details and details of this topic may be able to get acquainted with it in a little more detail:
For a start, it is important to understand that a regular telephone network actually consists of two. The first network is used to transmit user call traffic, the second is a packet-switched network, which is used to establish voice calls, terminate them, support various other features, such as caller id and special numbers starting with 800. This network is a common channel signaling system No. 7 (Signal System 7, SS7). Initially, only switching nodes and telecom operator database had access to it. However, access was later partially extended to PBX (private branch exchange - private corporate lines) to provide access to caller id and other SS7 features via ISDN PRI (the type of ISDN connection and cable used for it).
Obviously, with the possibility of manipulating signal information in SS7, there are ample opportunities for various tricks in the telephone network, including the substitution of the outgoing number. In order to understand how this is done, it is necessary to consider the process of setting up a call in a regular telephone network. During a call, the switch on the calling side generates and sends two messages to the receiving switch equipment over the SS7 signaling channel. The first message is called IAM (Initial Address Message). It contains the number of the subscriber to which they are trying to reach, as well as a special ANI (Automated Number Identification) number according to the old terminology, or as it is now called CHARGED DN. This number is used to identify the caller and billing (billing). To manipulate them, as a rule, is impossible. This number is generated and sent by the switching equipment of the service provider’s client. ANI or CHARGED DN is displayed when receiving a call from the emergency services (i.e. there is no option to call the Ministry of Emergency Situations with a fake number - ANI is displayed on the equipment, which cannot be changed in general) and can be received by private clients for incoming calls when using access to the telephone network using PRI or SIP.
The switching equipment of the receiving operator in response to the first IAM message forms the second, which is called the INR (Information Request) and in turn also sends it via the SS7 signaling channel to the switching equipment of the operator of the subscriber making the call.
In response to this message, the switching equipment of the operator of the subscriber making the call generates the second INF message. This message also contains that infamous CPN (Called Party Number) / Caller ID. This is the same number that is displayed on the phone screen when receiving an incoming call. In addition to the number itself, there may be a “privacy” flag in the message, which instructs the receiving switching equipment not to issue a number to the end-user equipment. If the subscriber has a service connected, which allows him to see all the incoming call numbers, the number will most likely be displayed regardless of the privacy flag.
Below is a schematic representation of the process of exchanging the messages described:
Caller ID can be changed by the switch included in the PBX and connected to the signaling channel via a PRI or SIP gateway.
It should be noted that the CPN / Caller ID can be sent immediately in the first IAM message, in which case the INR request and the INF response are not made. However, this does not change the essence: there is a separate number for which an invoice is issued, and a separate number that is simply displayed on the screen of the telephone that receives the call.
Obviously, with the possibility of manipulating signal information in SS7, there are ample opportunities for various tricks in the telephone network, including the substitution of the outgoing number. In order to understand how this is done, it is necessary to consider the process of setting up a call in a regular telephone network. During a call, the switch on the calling side generates and sends two messages to the receiving switch equipment over the SS7 signaling channel. The first message is called IAM (Initial Address Message). It contains the number of the subscriber to which they are trying to reach, as well as a special ANI (Automated Number Identification) number according to the old terminology, or as it is now called CHARGED DN. This number is used to identify the caller and billing (billing). To manipulate them, as a rule, is impossible. This number is generated and sent by the switching equipment of the service provider’s client. ANI or CHARGED DN is displayed when receiving a call from the emergency services (i.e. there is no option to call the Ministry of Emergency Situations with a fake number - ANI is displayed on the equipment, which cannot be changed in general) and can be received by private clients for incoming calls when using access to the telephone network using PRI or SIP.
The switching equipment of the receiving operator in response to the first IAM message forms the second, which is called the INR (Information Request) and in turn also sends it via the SS7 signaling channel to the switching equipment of the operator of the subscriber making the call.
In response to this message, the switching equipment of the operator of the subscriber making the call generates the second INF message. This message also contains that infamous CPN (Called Party Number) / Caller ID. This is the same number that is displayed on the phone screen when receiving an incoming call. In addition to the number itself, there may be a “privacy” flag in the message, which instructs the receiving switching equipment not to issue a number to the end-user equipment. If the subscriber has a service connected, which allows him to see all the incoming call numbers, the number will most likely be displayed regardless of the privacy flag.
Below is a schematic representation of the process of exchanging the messages described:
Caller ID can be changed by the switch included in the PBX and connected to the signaling channel via a PRI or SIP gateway.
It should be noted that the CPN / Caller ID can be sent immediately in the first IAM message, in which case the INR request and the INF response are not made. However, this does not change the essence: there is a separate number for which an invoice is issued, and a separate number that is simply displayed on the screen of the telephone that receives the call.
It is against the law to act on the first identifier (it is called ANI (Automated Number Identification) or CHARGED DN) and, as a rule, impossible. The second parameter (Caller ID) can be manipulated by any PBX (private branch exchange - private corporate lines) connected to ISDN. Thus, anyone with access to a telephone line via SIP or PRI can change the Caller ID to which one he wants without worrying about the consequences. ISDN telecom operators usually do not check if Caller ID is real. VoIP providers are even less prone to reducing the functionality of their clients.
From this it follows that the number displayed on the screen of the receiving side is very easy to replace. It is also clear that anonymity is completely absent when making a call on the public telephone network. This is achieved by ANI or CHARGED DN. It is on the basis of this number that the systems of investigative and investigative measures work, while Caller ID does not interest anyone in such cases.
Practical guidance on how to do it yourself, you will find on request in the search engine "Caller ID spoofing".
By the way, looking ahead, let's say that only calls have Caller ID. When sending sms, a message with this field is not used. This explains the fact that the proposed sim-cards do not support sending sms. Although it is presented on the site as for "security purposes".
Installing a PBX - in fact, a regular telephone network in the office - is not difficult, both financially and administratively. The PBX, in turn, connects to the public telephone network using PRI (the provider pulls the cable to your office), or using SIP, not through a telephone cable, but via an available Internet channel. As a result of this event, your office is allocated a pool of city numbers from which and to which you can freely call.
Summarizing what has just been said: to call from an arbitrary number, you simply need to order access to the telephone network via PRI or an SIP telephone service provider from SIP, with the ability to manipulate some parameters of voice calls (in particular Caller ID) from an ISDN telephone operator.
The official regulator of the FCC (Federal Communications Commission, the Federal Communications Commission of the United States) has the following opinion: “Telecom operators should provide the correct number to be displayed for the course user, and, if possible, the name of the company making the call.” Providing inaccurate information for US operators provides for fines. However, the situation when Caller ID is not changed by the operator is not regulated in any way even in the USA.
But using this approach, you can call with an arbitrary number (as we found out it is Caller ID) only from the phone of the organization that owns the PBX, and arbitrary number service providers state and demonstrate in numerous videos that you can call with a given number from any mobile phone in the absence of the Internet and any third-party software.
The solution to this problem seems to us really interesting (you can even say hacker). The process of calling from a mobile phone to another with an arbitrary outgoing Caller ID is shown in the diagram:
The diagram shows how the subscriber with the number 1234567 (we will call his subscriber A) calls the subscriber 7654321 (subscriber B) with an arbitrary number.
First of all, according to the instructions from one of the sites that provide a sim card service with the ability to change the outgoing number, you need to enter a USSD command such as 150 * phone_number *, which subscriber A does.
The phone is connected to the network, it is roaming, so the first two steps shown in the diagram are performed trivially, in full compliance with the GSM documentation. In the third step, the MSC (Mobile Switching Center), according to its routing tables, sends a request to the HLR of the home operator of the sim card and receives an indication to redirect the USSD to the number 1234123, which in turn is the office phone of the organization connected to the PBX. The latter, with the help of a cable laid by an ISDN provider, is connected to SS7 via PRI ISDN. Thus, at the 4th step, the original USSD team reaches the ATC of the distributors of this SIM card. On this equipment, probably, specific software is launched, which, by this request, adds itself a rule to replace the number from which the request came to the number in the USSD command.
Then subscriber A makes a call to subscriber B. Steps 1-5 are exactly repeated and the call reaches the PBX, after which it “resets” subscriber A. The application on the PBX in turn, using Caller ID spoofing to change the number, makes a call to the numbers of subscribers A and B. The call comes to subscriber A and he is “highlighted” either by a random number or by a phone number connected to the PBX, the call goes in parallel to subscriber B, he sees a fake phone number on the phone screen and picks up the phone. Further, the PBX simply "forwards" the traffic that is transmitted during the conversation of subscribers.
It is worth noting that although the calls are established through a third-party PBX, this does not add anonymity, since this PBX can always be found physically - it is registered. And after that, the right people will surely find out who is calling and why through it, match the time of the calls and get the data in no way inferior to the call details that can be obtained from the operator if the subscriber makes a call from a regular SIM card.
Since it is claimed that all voice traffic passes through one PBX, it is easy to guess that the tone of the subscriber’s voice changes there. But this creates additional risks - since all calls pass through it, it is not difficult to write / save / analyze them there.
findings
In conclusion, I would like to express the opinion that the call from any number with the chosen tone of voice is a thing that is indisputably steep for pranks and jokes - we are sure that now any reader will be able to do, security of conversations not exceeding the usual one, and in some places inferior to default security in 2G networks (operators often use A5 / 3, we don’t even talk about 3G networks), lack of declared anonymity and protection against wiretapping, lack of support for SMS and the Internet, and the potential for collecting your goal cial traffic by third parties (after all, it is clear that they can not only change the tone of voice, but also parallel to store and analyze) - questionable service for a lot of money even taking into account the cost of roaming.
Separately, I would like to highlight the "hacker" idea of ​​developers who are using the capabilities offered by the operator, absolutely legally (except, perhaps, selling sim-cards without documents) - and in fact many of them first asked about the legality of this service - organized this service . But, unfortunately, this is the case when everything looks much more attractive than it actually is.
It should be noted that the proposed implementation of this service with a high degree of probability coincides with that sold by people selling it. But at the same time, we should not forget that we can be wrong. For the same, to dot all the “i”, you need to purchase this SIM card and investigate how it works. But the cost of this event cools the research fervor.
Source: https://habr.com/ru/post/268789/
All Articles