Saturday, September 28, 2013

MTEB Diploma CSUT2 Partner

 


Diploma for SIM and USIM Technology Examination
Mobile Telephone Diploma Core
Diploma:CSUT2


Partner Support
The Mobile Telephone Examination Board (MTEB) is pleased to announce that Quantaq Solutions (http://www.quantaq.com/about.htm) has agreed to be the MTEB Diploma CSUT2 Partner. Quantaq Solutions' role is that of "Partner Support". This role entails

- providing trial copies of software
- responding to technical enquiries that a student may need to make

to assist with the student's Diploma.

Moreover, Quantaq Solutions will host an MTEB webpage solely for use by MTEB Diploma students, so that students can have access to the software and post questions to seek technical assistance.

MTEB selected to work with Quantaq Solutions as "Partner Support" because of their existing experience with (U)SIM/smart card examination tools, their range of independent, stand-alone tools for analysing a SIM/smart card (issuing commands and receiving responses), and their highly regarded technical knowledge and experience in the fields of:

SIM, smartcards, NFC, RFID, M2M, location, DRM, security, cryptography, Mobile Wallet, technology, innovation, patents, technical design authority, standardisation, proof-of-concepts and software development

Gary Waite

Leading the "Partner Support" on behalf of Quantaq Solutions is Gary Waite. Gary is very well known in the mobile forensics arena for his work on the (U)SIM forensic tools USIM Detective (USIM-D) and USIM Detective Professional (USIM-DP).

His experience and technical background further underpin his expertise:
- Founder of Quantaq Solutions
- Past Vice Chair of the GSM Association Smart Card Group
- Test software supplier for the Global Certification Forum (GCF) Field Trial Guidelines
- Authored the original ETSI GSM 11.17 standard. This standard formalised the core test processes and procedures for SIM cards and remains at the heart of (U)SIM testing, programming and examination today.
- First to introduce recording a particular handset's IMEI in a customer (CUST) EF on the SIM card, which is evidentially important
- Employed as Technology Manager for the last 11 years with a well-known international mobile network operator
- Skilled in C/C++/Java
- Holds a degree from the University of Abertay Dundee in Electrical & Electronic Engineering / Electronic Engineering

Diploma:CSUT2
Free trial access to the following tools will be made available to Diploma Students. 

USIMdetective - http://www.quantaq.com/usimdetective.htm
USIMexplorer - http://www.quantaq.com/usimexplorer.htm
USIMcommander - http://www.quantaq.com/usimcommander.htm
USIMprofiler - http://www.quantaq.com/usimprofiler.htm

The latest MTEB Diploma Modules Guide, MTEdipl 2.2, can be downloaded here:
https://dl.dropboxusercontent.com/u/84491783/MTEdipl%202.2.pdf



Saturday, September 14, 2013

Blocked SIM

A regular question that arises is, "Is it possible to bypass a PIN-blocked SIM card?"

Where there have been three failed CHV1 (PIN1) attempts and access is now blocked, the quickest solution is to go to the operator to obtain the PUK (UNBLOCK CHV1) code.

If the ten UNBLOCK CHV1 (PUK) attempts have also been exhausted and the card is blocked (unless you know how, and have the test tools, to e.g. slow the card), then the operator may request that you send it to them, and they in turn (depending upon their security level) may need to send it to the (U)ICC producer/manufacturer.

Today's UICCs (using improved silicon and security techniques) carry significant security improvements within each operator's card, with various levels of electronic counter-measures (trap doors, dead-man's traps, etc.). Many of us (including me) simply cannot access certain areas of the UICC unless a flaw in the security is discovered. Unless you are confident of what you know and what you are doing, my observation is: take the safest route.
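As an added illustration (not code from the original post), the retry-counter rules behind that advice, modelled in Python from the VERIFY CHV and UNBLOCK CHV commands of GSM 11.11. The class is a simulation of the card's state, not an interface to a reader, and the PIN and PUK values in demo() are constructed for the example:

```python
"""Simulation of the GSM 11.11 CHV1 (PIN1) and UNBLOCK CHV1 (PUK1) retry
counters.  Added example, not code from the original post: nothing here
talks to a real card, and the PIN/PUK values in demo() are constructed.

Status words (GSM 11.11 clause 9.4):
  '90 00'  normal ending of the command
  '98 04'  unsuccessful CHV / UNBLOCK CHV verification, at least one attempt left
  '98 40'  unsuccessful verification, no attempt left; CHV blocked / UNBLOCK CHV blocked
A UICC (ETSI TS 102 221) reports the same states as '63 CX' (X attempts left)
and '69 83' (PIN blocked) instead.
"""

SW_OK = 0x9000
SW_ATTEMPTS_LEFT = 0x9804
SW_BLOCKED = 0x9840

CHV1_MAX_ATTEMPTS = 3           # wrong PINs before CHV1 is blocked
UNBLOCK_CHV1_MAX_ATTEMPTS = 10  # wrong PUKs before the card is dead


class SimChv1:
    """Card-side state for CHV1 and its unblocking code."""

    def __init__(self, pin: str, puk: str):
        self._pin = pin
        self._puk = puk
        self.chv1_attempts = CHV1_MAX_ATTEMPTS
        self.unblock_attempts = UNBLOCK_CHV1_MAX_ATTEMPTS
        self.verified = False  # CHV1 access condition satisfied this session

    @property
    def chv1_blocked(self) -> bool:
        return self.chv1_attempts == 0

    @property
    def permanently_blocked(self) -> bool:
        return self.unblock_attempts == 0

    def verify_chv1(self, pin: str) -> int:
        """VERIFY CHV (CLA A0, INS 20, P2 01): one presentation of PIN1."""
        if self.chv1_blocked:
            return SW_BLOCKED  # even the right PIN is refused now
        if pin == self._pin:
            self.chv1_attempts = CHV1_MAX_ATTEMPTS  # success resets the counter
            self.verified = True
            return SW_OK
        self.chv1_attempts -= 1
        self.verified = False
        return SW_ATTEMPTS_LEFT if self.chv1_attempts else SW_BLOCKED

    def unblock_chv1(self, puk: str, new_pin: str) -> int:
        """UNBLOCK CHV (CLA A0, INS 2C, P2 00): PUK1 plus the replacement PIN1."""
        if self.permanently_blocked:
            return SW_BLOCKED
        if puk == self._puk:
            self._pin = new_pin
            self.chv1_attempts = CHV1_MAX_ATTEMPTS
            self.unblock_attempts = UNBLOCK_CHV1_MAX_ATTEMPTS
            self.verified = True  # GSM 11.11: a successful UNBLOCK CHV satisfies CHV1
            return SW_OK
        self.unblock_attempts -= 1
        return SW_ATTEMPTS_LEFT if self.unblock_attempts else SW_BLOCKED


def demo() -> dict:
    """Walk the two routes the post describes and return the status words seen."""
    card = SimChv1(pin="1234", puk="12345678")  # constructed values
    three_wrong = [card.verify_chv1("0000") for _ in range(3)]
    right_pin_while_blocked = card.verify_chv1("1234")
    puk_route = card.unblock_chv1("12345678", "4321")  # operator supplies the PUK

    dead = SimChv1(pin="1234", puk="12345678")
    for _ in range(3):
        dead.verify_chv1("0000")
    ten_wrong_puks = [dead.unblock_chv1("00000000", "1111") for _ in range(10)]
    return {
        "three_wrong_pins": three_wrong,
        "right_pin_while_blocked": right_pin_while_blocked,
        "puk_route": puk_route,
        "ten_wrong_puks": ten_wrong_puks,
        "card_dead": dead.permanently_blocked,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A successful VERIFY CHV resets the CHV1 counter to three, so a card reporting fewer than three attempts left has had a wrong PIN presented since the last success. Read the counters (they are in the SELECT/STATUS response) before presenting anything: a third wrong PIN moves the problem from the card to the operator, and a tenth wrong PUK moves it to the card manufacturer.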


None of the opinions I express originate based upon my gut feeling about a particular matter. I research, like others, to establish the industry security protocols, practices and procedures and then consider the position from there. It is important to bear in mind that forensics and evidence is not about hacking everything in sight or writing a program to extract data, but about being aware of and comprehending how the industry standards bodies intended security to be implemented, which norms the manufacturer and operator follow, and whether, following implementation, security flaws occur.


(U)SIM Examination (Physical) Pt2

Before we can progress to consider the various methods of (U)SIM physical examination there are more standards we need to be aware of, and there are reasons for that. Transitioning from GSM to 3GPP (*wcdma) standards required rewriting the existing GSM standards to make them technology-neutral, so that GSM could be integrated into future mobile developments under the 3GPP global standards. Technology-wise, we know that GSM is a defined circuit-switched voice mobile communications system that has evolved with value-added data services (GPRS, HSCSD and EDGE). 3GPP (wcdma), as we know, was defined around packet-switched technology, and it would have been a pointless exercise to re-invent the wheel, so to speak, by introducing a new circuit-switched voice system when a mature installed base already existed. That needs to be understood on many levels when dealing with mobile communications. Three examples of GSM and 3GPP working together:

(i) generally, we refer to Release 99 (R99) as the reference point from which 3GPP could transition and re-write the mobile communication technology standards, with the specifications numbered by their period of origin: GSM only, before 3GPP Release 4 (the 01 to 12 series, e.g. GSM 11.11); GSM only, Rel-4 and later (the 41 to 52 series, e.g. TS 51.011); and 3GPP and beyond / GSM, R99 and later (the 21 to 36 series). This enabled manufacturers, developers, operators and service providers to continue with GSM standards in a pure GSM environment, or to evolve to a 3GPP environment, in the knowledge that access and inter-connectivity to GSM would continue;

(ii) the introduction of 3GPP (*wcdma) would take time and so should, as far as possible, avoid disruption to existing mobile services;

(iii) the GSM user/subscriber base was still growing at that time and has now reached over 3 billion users, from which we can conclude that GSM's importance in its relationship with 3GPP should not be under-estimated. GSM is by no means the junior partner.

In the mobile examination environment we, as examiners, are exposed to a multitude of multi-layered technical and technology standards, many of which impact on the (U)SIM, particularly where the technology generates a mobile communication outcome associated with a user/subscriber.

(*) wcdma is one of a family of mobile technology standards under 3GPP and has been used here for ease of reference.

The scope of the tests and the requirements set down in GSM 11.17 were reproduced under the approved and adopted standard 3GPP TS 51.017. In Pt1 (usim-examination-physical-pt1.html) reference was made to GSM 11.11; however, the approved and adopted standard (and the counterpart to GSM 11.11) is 3GPP TS 51.011:

PHY:    Physical characteristics - 3GPP TS 51.011 [1], clause 4.
ELEC:    Electronic signals and transmission protocols - 3GPP TS 51.011 [1], clause 5.
AFS:    Application and File structure - 3GPP TS 51.011 [1], clause 6.
SEC:    Security features - 3GPP TS 51.011 [1], clause 7.
CMD:    Description of the commands - 3GPP TS 51.011 [1], clause 9.
CEF:    Contents of the elementary files - 3GPP TS 51.011 [1], clause 10.
APP:    Application Protocol - 3GPP TS 51.011 [1], clause 11.

Whilst the GSM 11.17 standard is the starting point for the ICC/SIM, and its 3GPP counterparts TS 51.017 and TS 51.011 moved the technology to neutral ground to enable 3GPP to evolve 3G environment standards incorporating interconnectivity to, and backward compatibility for, the ICC/UICC, the 3GPP evolution hasn't stopped there. There is, of course, 3GPP TS 31.120, the aim of which is to ensure interoperability between a UICC and a terminal independently of the respective manufacturer, card issuer or operator. This is the expansion of the 3GPP domain beyond the specific limitations incumbent in a particular proprietary technology.

The run of standards doesn't end there. Attention and consideration should be given to:

ETSI standards
TS 102 230 (Smart Cards; UICC-Terminal interface; Physical, electrical and logical test specification)
TS 102 221 (Smart Cards; UICC-Terminal interface; Physical and logical characteristics)

International standards
ISO/IEC 7816 parts 1 to 4 (physical characteristics; dimensions and location of the contacts; electrical interface and transmission protocols; organisation, security and commands for interchange)

The standards referred to above are merely a starting point for identifying the complexities involved in dealing with the (U)SIM card, and the tasks involved in considering examination techniques that may not simply relate to recovery of data but to other aspects and attributes of a card which may point to evidence. Readers should be prepared to delve into the standards above and realise the huge number that haven't been mentioned. There are various analogies that may be used to imagine what I have in mind for this physical series, but I quite like the analogy of forensic vehicle tyre analysis. Evidentially, consideration is given to tyre size, tread, pressure, rubber, moulding, any wheel balancing and so on to assess a skid mark or tracks at the scene of a crime. It is equally possible to use an investigative and examination approach to SIM/USIM card materials, contacts, gold content, embossing etc. to identify potential evidence.

(U)SIM Examination (Physical) Pt1

We begin with GSM, as this is the original starting place where examiners first learned about subscriber identity modules (SIM). There are many ways to learn about SIM: using a SIM reader tool is one way; another is receiving instruction during training that concentrates on the types of user and network data that can be harvested by examiners. An education and training process can equally include a training module or modules on the physical aspects of a card, identifying for the examiner the material parts of the SIM, the known routes to understanding its electrical aspects, processing aspects, storage geometry and memory mapping, and so on. The thinking here is analogous to the expectation that a computer examiner would understand HDD disc geometry, clusters and sectors, BIOS, etc. even before entering into the search and study of the 'content' that may be recorded on the disc. It is, or should be, the same for (U)SIM.

The SIM Card can be seen as a composition of at least three constituent parts:

- The physical card (the storage carrier).
- An integrated circuit card micro-processing chip (the operating system and content storage device).
- The subscriber identity module; an area of physical memory allocated at manufacturing for pre-market and post-market recording by the mobile network operator and SIM user.
- A fourth constituent part could be a card with an etched antenna for RFID/NFC for use by the (U)SIM (but this part is not included or discussed at this stage).
- etc

To enable test and inspection of these constituent parts, GSM approved and adopted GSM 11.17 to help manufacturers, operators and service providers formalise and standardise the test and inspection procedures, rather than have a mish-mash of randomly selected tests for SIM cards submitted for use in GSM. The former is highly desirable, as the goal of GSM has always been interconnection compatibility and interconnection backward compatibility. By way of illustration, a GSM Phase 1 SIM card should still be able to be inserted into a GSM Phase 2+ mobile device and allow communications to take place, unless the operator or device manufacturer has declared and stated otherwise.

From an examiner's viewpoint we want to know how those three constituent parts translate to the work we do. Some examples are set out below.

Physical Card
From the form factors used in GSM we can make an assessment of the supply chain and manufacturer of the card itself. We look at the card to see whether it has been cut down for use, and whether there has been any attempt at anonymity by removal of the SIM serial number (SSN) as compared with the manufacturer's personalisation techniques. Later 3G/LTE USIM cards have undergone some changes since GSM's inception; the latter will be dealt with at a later date.


 Image courtesy of wikipedia - http://en.wikipedia.org/wiki/Subscriber_Identity_Module

ICC Chip
Manufacturer and technical specification are important in determining a range of potential evidence, including release into the marketplace and technological and electronic capability. Clearly the geometry and memory mapping are important. There are various techniques to deal with a card with a damaged chip. One example is 'acid-etching', used to gain access to the physical chip itself by removing the outer protective coverings applied in the manufacturing process.

 
  Image courtesy of wikipedia - http://en.wikipedia.org/wiki/Subscriber_Identity_Module

Physical Memory
Determining geometry and memory mapping forms part of the testing and inspection process set out in GSM 11.17. We can use these procedures to formulate a forensic analysis programme, similar to the way in which computer forensic examiners seek to determine specifically the data discovered and recovered from a particular memory location on the HDD and define the data from its binary and encoded states and any formatting that may be applicable to it. That being so, would it be out of the question, in SIM examination terms, for the EFBCCH file to be formatted as a .bmp? Below are a set of PowerPoint slides I have prepared so that examiners can comprehend the procedures approved and adopted for test and inspection of GSM SIM cards. Later on, when we come to 3G/LTE (U)SIM, this GSM starting point helps formulate how to identify differences between the various (U)SIM/LTE cards, and equally to identify the expansion of technology services and content, so that the examination limits or avoids omissions during the investigative/evidential process.

SIM Card Swap Fraud

This example is an extension of how a man-in-the-middle attack can work by using impersonation. By taking over Bure's SIM (a SIM swap rather than a clone) the fraudsters were able to get into the account, create a new beneficiary, which can be done only when the bank sends the client a one-time password via SMS, and transfer the money into several accounts. In this case the syndicate, armed with a fraudulent ID book in Bure's name, persuaded MTN to swap the SIM card in Bure's absence. The Ubuntu project looks after orphaned and vulnerable children.
mtn-moves-to-prevent

PIN Enabled SIM Card

A recent question raised the point of what data would be revealed if a SIM card with the PIN enabled were read. Using a free SIM card reader, the results are below. Do remember that different readers can reveal different results, depending upon how the programmer wrote the software. The results are from an old Phase 2 GSM SIM card.

Additional tests with the PIN Locked SIM Card conducted with different SIM Readers
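What the card will and won't hand over with CHV1 enabled follows from the read access conditions in GSM 11.11, and the card states the CHV1 position in its response to SELECT (MF/DF) or STATUS. The decoder below is an added example written for this post, not the reader software's code; the four 22-byte responses are constructed to show the enabled, disabled, blocked and exhausted cases rather than captured from the Phase 2 card above:

```python
"""Decode the GSM 11.11 response to SELECT (MF or DF) / STATUS and work out
which elementary files a PIN-enabled SIM will hand over before any PIN is
presented.  Added example, not code from the original post; the responses
below are constructed, not captured from a real card.

Response layout (GSM 11.11 clause 9.2.1, MF/DF):
  bytes 3-4  memory not allocated     bytes 5-6  file ID
  byte 7     type of file (01 MF, 02 DF)
  byte 14    file characteristics; b8 = 0 CHV1 enabled, 1 CHV1 disabled
  byte 19    CHV1 status            byte 20  UNBLOCK CHV1 status
  byte 21    CHV2 status            byte 22  UNBLOCK CHV2 status
  CHV status byte: b8 = 1 secret code initialised, b1-b4 = attempts remaining
"""

# Read access condition for a selection of EFs (GSM 11.11 clause 10).
READ_ACCESS = {
    "EF_ICCID (2FE2)": "ALW", "EF_ELP (2F05)": "ALW", "EF_LP (6F05)": "ALW",
    "EF_SPN (6F46)": "ALW", "EF_Phase (6FAE)": "ALW", "EF_ECC (6FB7)": "ALW",
    "EF_IMSI (6F07)": "CHV1", "EF_Kc (6F20)": "CHV1", "EF_LOCI (6F7E)": "CHV1",
    "EF_AD (6FAD)": "CHV1", "EF_SST (6F38)": "CHV1", "EF_BCCH (6F74)": "CHV1",
    "EF_ADN (6F3A)": "CHV1", "EF_SMS (6F3C)": "CHV1", "EF_MSISDN (6F40)": "CHV1",
}


def _chv_status(octet: int) -> dict:
    return {"initialised": bool(octet & 0x80), "attempts_left": octet & 0x0F}


def parse_select_response(resp: bytes) -> dict:
    """Fields of interest from the 22-byte SELECT/STATUS response."""
    if len(resp) < 22:
        raise ValueError("MF/DF response is at least 22 bytes")
    if resp[6] not in (0x01, 0x02):
        raise ValueError("not an MF/DF response (byte 7 = %02X)" % resp[6])
    return {
        "file_id": resp[4:6].hex(),
        "free_memory": int.from_bytes(resp[2:4], "big"),
        "chv1_enabled": not (resp[13] & 0x80),
        "chv1": _chv_status(resp[18]),
        "unblock_chv1": _chv_status(resp[19]),
        "chv2": _chv_status(resp[20]),
        "unblock_chv2": _chv_status(resp[21]),
    }


def chv1_state(status: dict) -> str:
    """One-line examiner summary of the CHV1 position."""
    pin = status["chv1"]["attempts_left"]
    puk = status["unblock_chv1"]["attempts_left"]
    if not status["chv1_enabled"]:
        return "CHV1 disabled"
    if pin > 0:
        return "CHV1 enabled, %d attempt(s) left" % pin
    if puk > 0:
        return "CHV1 blocked, PUK required (%d PUK attempt(s) left)" % puk
    return "card permanently blocked (CHV1 and UNBLOCK CHV1 exhausted)"


def readable_now(status: dict, chv1_verified: bool = False) -> list:
    """EFs whose READ condition is met: ALW always; CHV1 only if disabled or verified."""
    chv1_ok = (not status["chv1_enabled"]) or chv1_verified
    return sorted(ef for ef, cond in READ_ACCESS.items()
                  if cond == "ALW" or (cond == "CHV1" and chv1_ok))


# Constructed responses to SELECT MF (3F00): same bytes, different CHV1 position.
_BASE = "0000 1F40 3F00 01 0000000000 09 {fc} 02 03 04 00 {chv1} {puk1} 83 8A"


def _resp(fc="13", chv1="83", puk1="8A") -> bytes:
    return bytes.fromhex(_BASE.format(fc=fc, chv1=chv1, puk1=puk1).replace(" ", ""))


SAMPLE_CHV1_ENABLED = _resp()                   # CHV1 on, 3 PIN / 10 PUK attempts
SAMPLE_CHV1_DISABLED = _resp(fc="93")           # b8 of byte 14 set
SAMPLE_CHV1_BLOCKED = _resp(chv1="80")          # 0 PIN attempts, PUK still usable
SAMPLE_CARD_DEAD = _resp(chv1="80", puk1="80")  # both counters exhausted


if __name__ == "__main__":
    for label, resp in [("enabled", SAMPLE_CHV1_ENABLED), ("disabled", SAMPLE_CHV1_DISABLED),
                        ("blocked", SAMPLE_CHV1_BLOCKED), ("dead", SAMPLE_CARD_DEAD)]:
        st = parse_select_response(resp)
        print(label, "->", chv1_state(st), "| readable without PIN:", readable_now(st))
```

The point for the examiner is that the ALW files (ICCID, language preference, service provider name, phase, emergency call codes) are readable regardless of the PIN, while the subscriber-identifying and user-data files (IMSI, Kc, LOCI, ADN, SMS, MSISDN) are not; a reader that shows the latter on a PIN-enabled card has either been given the PIN or CHV1 is in fact disabled on that card, so differences between readers are worth checking against this list.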

Considering Clone Test SIM Card Tools

There have been a few mentions of clone test SIM cards on this blog, raising observations about possible issues that may be useful to know.

Further observations examiners may find useful to consider: is it necessary for a clone test SIM card tool to produce identical files, structure and format for every clone test card produced, or can the make/model of handset influence e.g. the number of files necessary to gain access to a handset's memory? Should Cust_Files pre-generated on a clone test card be included or excluded when counting the GSM/3GPP EFs identified on the card? What is the importance, if any, of the evolution in a clone test card's development?

Below are two screen dumps, following examination using just one (U)SIM card reader, from two different clone test SIM cards supplied by different manufacturers with their tools; they provide a useful visual indicator when placed in context with the above observations. The observations above and the images below are not published to suggest a problem with a particular clone test SIM card or tool. The observations are for the purpose of asking: should two different examiners use two different clone test SIM cards and tools to generate evidence, which one would be more pertinent for use when accessing memory on a particular handset?

New SIM Card Exploit

On the 19th July 2013 I posted http://trewmte.blogspot.co.uk/2013/07/android-ddms-vulnerability.html about knowing the exploits on, and understanding the originality and genuineness of, a handset and (U)SIM card.

Karsten Nohl on the 22nd July released details of an exploit for older-type SIM cards (no specifics as yet) using DES security. The exploit revealed a returned 'error code that contained the device's cryptographic signature, a 56-bit private key. It was then possible to decrypt the key using common cracking techniques.' http://www.theinquirer.net/inquirer/news/2283935/sim-card-encryption-exploit-leaves-mobile-phone-users-vulnerable-to-hacking Note that the article's "private key" is loose wording: DES is a symmetric cipher, so the 56-bit value is the card's shared OTA key, and "decrypt" here means recovering that key by brute force, which a 56-bit key space permits.

Importantly, the article goes on to identify the possible attacks that become available to someone in possession of the recovered key.

What isn't clear is whether the exploit leads to the creation of a cloned SIM card operating live in the same network at the same time, and whether the network's detection techniques fail to pick that up. That means not just detection (VLR/HLR) but decisive action such as call tear-down, blocking and suspending the IMSI subscriber, etc.

Articles:
http://www.theinquirer.net/inquirer/news/2283935/sim-card-encryption-exploit-leaves-mobile-phone-users-vulnerable-to-hacking

http://nakedsecurity.sophos.com/2013/07/22/rooting-sim-cards-blackhat-speaker-says-he-may-be-able-to-own-your-phone-with-a-text-message/

http://thehackernews.com/2013/07/sim-card-cloning-hack-affect-750.html



For some background research materials specific to the GSM SIM regarding the SIM Application Toolkit, Java Card applets and updating the SIM OTA:
GSM 11.11 (SIM-ME interface)
GSM 11.13 (Java Card SIM API test specification)
GSM 11.14 (SIM Application Toolkit)
GSM 03.48 (security mechanisms for the SIM Application Toolkit, which define the OTA packet security)
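A decoder for the GSM 03.48 command packet header, added here as an example (it is not the post's code and not Karsten Nohl's); the KIc/KID octets are where a packet announces whether single DES, triple DES or a proprietary algorithm protects it, which is the property that separates the 'older type' cards in the report from the rest. The packet is constructed: its TAR, counter and checksum bytes are placeholders, and the checksum is neither computed nor verified:

```python
"""Decode the header of a GSM 03.48 over-the-air (OTA) command packet and flag
the single-DES integrity keys that the reported exploit concerns.

Added example, not code from the original post nor from Karsten Nohl's
research.  The packet is constructed: its TAR, counter and cryptographic
checksum bytes are placeholders and the checksum is not computed or checked.

Command packet (GSM 03.48 clause 5.1.1):
  CPL (2)   length of everything after CPL        TAR (3)   toolkit application reference
  CHL (1)   length from SPI to end of RC/CC/DS     CNTR (5)  anti-replay counter
  SPI (2)   security parameter indication          PCNTR (1) padding counter
  KIc (1)   ciphering key indicator                RC/CC/DS  (CHL - 13 bytes)
  KID (1)   RC/CC/DS key indicator                 secured data (rest)
KIc/KID octet: b1b2 algorithm, b3b4 mode, b5-b8 key set index.
"""

INTEGRITY = {0: "none", 1: "RC", 2: "CC", 3: "DS"}
COUNTER = {0: "no counter", 1: "counter present, not checked",
           2: "counter must increase", 3: "counter must increase by one"}
POR = {0: "no PoR", 1: "PoR always", 2: "PoR on error", 3: "reserved"}
ALGORITHM = {0: "implicit", 1: "DES", 2: "AES (TS 102 225)", 3: "proprietary"}
KIC_MODE = {0: "single DES, CBC", 1: "3DES, two keys", 2: "3DES, three keys", 3: "single DES, ECB"}
KID_MODE = {0: "single DES, CBC", 1: "3DES, two keys", 2: "3DES, three keys", 3: "reserved"}


def decode_key_indicator(octet: int, is_kid: bool) -> dict:
    algo = ALGORITHM[octet & 0x03]
    mode = None
    if algo == "DES":
        mode = (KID_MODE if is_kid else KIC_MODE)[(octet >> 2) & 0x03]
    return {"algorithm": algo, "mode": mode, "keyset": octet >> 4,
            "single_des": mode is not None and mode.startswith("single DES")}


def parse_command_packet(pkt: bytes) -> dict:
    """Split a command packet into its header fields; lengths are cross-checked."""
    if len(pkt) < 3:
        raise ValueError("packet too short")
    cpl = int.from_bytes(pkt[:2], "big")
    if cpl != len(pkt) - 2:
        raise ValueError("CPL %d does not match %d bytes present" % (cpl, len(pkt) - 2))
    chl = pkt[2]
    if chl < 13 or 3 + chl > len(pkt):
        raise ValueError("CHL %d is inconsistent with the packet" % chl)
    hdr = pkt[3:3 + chl]
    spi1, spi2 = hdr[0], hdr[1]
    return {
        "integrity": INTEGRITY[spi1 & 0x03],
        "ciphered": bool(spi1 & 0x04),
        "counter_mode": COUNTER[(spi1 >> 3) & 0x03],
        "por": POR[spi2 & 0x03],
        "kic": decode_key_indicator(hdr[2], is_kid=False),
        "kid": decode_key_indicator(hdr[3], is_kid=True),
        "tar": hdr[4:7].hex(),
        "cntr": int.from_bytes(hdr[7:12], "big"),
        "pcntr": hdr[12],
        "rc_cc_ds": hdr[13:].hex(),
        "secured_data": pkt[3 + chl:].hex(),
    }


def risk_notes(p: dict) -> list:
    """Why an examiner would care about this packet's protection level."""
    notes = []
    if p["integrity"] == "none":
        notes.append("no RC/CC/DS: the card cannot authenticate the sender")
    elif p["integrity"] == "RC":
        notes.append("RC only: a redundancy check is not a keyed check")
    elif p["kid"]["single_des"]:
        notes.append("CC/DS keyed with single DES (56-bit key): brute-forceable from one valid MAC")
    if not p["ciphered"]:
        notes.append("secured data not ciphered: command readable in transit")
    if p["counter_mode"] in ("no counter", "counter present, not checked"):
        notes.append("counter not enforced: packet can be replayed")
    return notes


# Constructed packet: CC with single-DES key set 1, no ciphering, no counter check,
# PoR always, carrying one APDU (SELECT EF_IMSI: A0 A4 00 00 02 6F 07).
SAMPLE_PACKET = bytes.fromhex(
    "001D" "15" "0201" "00" "11" "B00010" "0000000001" "00"
    "0102030405060708"  # placeholder CC, not a real checksum
    "A0A40000026F07")


if __name__ == "__main__":
    parsed = parse_command_packet(SAMPLE_PACKET)
    print(parsed)
    print(risk_notes(parsed))
```

Flagging single-DES KIDs in captured OTA traffic, or in a card's key-set provisioning, is a detection step an operator or examiner can take without any of the exploit itself; the other two notes the sample triggers (no ciphering, no enforced counter) are the confidentiality and replay weaknesses that 03.48 leaves optional.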