Tuesday, September 28, 2010

GSM Mobile hacking - Using SIM Cloning!

Let's talk about the fun stuff. The first trick I will discuss is an activity that is becoming quite prevalent: SIM cloning. If you have paid attention to any cell phone related tutorials in the past, then you may remember cloning being made popular by certain public figures like Kevin Mitnick in order to place calls on the bill of another subscriber. Well, even with GSM this trick is still relevant. How could such a flaw exist in a system that is obviously concentrated on preventing such fraudulent use? The flaw is within the COMP128 authentication algorithm, used as an instantiation of A3/A8 by many GSM providers. Unfortunately for these providers, the COMP128 algorithm is just not strong enough to prevent fraud. We attack the algorithm by using a chosen-challenge attack, which works by forming a number of specially chosen challenges and querying the SIM card for each one. Then, by analyzing the responses to these queries, we are able to determine the value of the secret key (Ki) that is used for authentication. So how do we perform this attack?
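Before getting into the how-to, here is the flip side that the post does not cover: what a cloned SIM looks like from the network's end. A clone carries the same IMSI and Ki as the real card, so the operator sees one subscriber authenticating from cells it could not possibly have travelled between. The script below is an added example written for this page, not code from the original post or from any of the tools mentioned; the log format, cell IDs, coordinates and IMSIs (in the 001 01 test-network range) are all constructed, and the 900 km/h threshold is an assumed value.

```python
# Added example (not from the original post): a velocity check an operator could
# run over its own authentication / location-update records to spot a cloned SIM.
# A clone shares the IMSI and Ki of the real card, so the network sees one
# subscriber authenticating from places it could not have travelled between.
# The log format, cell names, coordinates and IMSIs below are all constructed.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample: "timestamp,imsi,cell_id,cell_lat,cell_lon".
# MCC 001 / MNC 01 is the test-network range, so these IMSIs belong to nobody.
SAMPLE_LOG = """\
2010-09-28T10:00:00,001010000000001,CELL-LON-1,51.5074,-0.1278
2010-09-28T10:05:00,001010000000002,CELL-LON-1,51.5074,-0.1278
2010-09-28T10:10:00,001010000000001,CELL-MAN-3,53.4808,-2.2426
2010-09-28T12:00:00,001010000000002,CELL-LON-2,51.5155,-0.0922
"""


@dataclass(frozen=True)
class AuthEvent:
    imsi: str
    ts: datetime
    cell: str
    lat: float
    lon: float


def parse_events(text: str) -> list:
    """Parse the constructed CSV records; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, imsi, cell, lat, lon = line.split(",")
        events.append(AuthEvent(imsi, datetime.fromisoformat(ts), cell,
                                float(lat), float(lon)))
    return events


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in km (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_clone_suspects(events, max_kmh=900.0, min_gap_s=60.0):
    """Flag consecutive authentications of one IMSI from different cells whose
    implied travel speed exceeds max_kmh (assumed threshold, above airline speed).
    Gaps shorter than min_gap_s are floored so that near-simultaneous use, the
    clone and the real card active at the same time, is flagged rather than
    dividing by zero."""
    by_imsi = {}
    for e in sorted(events, key=lambda e: (e.imsi, e.ts)):
        by_imsi.setdefault(e.imsi, []).append(e)
    alerts = []
    for imsi, evs in by_imsi.items():
        for a, b in zip(evs, evs[1:]):
            if a.cell == b.cell:
                continue  # same cell: no movement to reason about
            dist_km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            gap_h = max((b.ts - a.ts).total_seconds(), min_gap_s) / 3600.0
            speed = dist_km / gap_h
            if speed > max_kmh:
                alerts.append((imsi, a.cell, b.cell, round(speed)))
    return alerts


def demo():
    """Run the check over the constructed sample; returns the alert tuples."""
    return find_clone_suspects(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for imsi, c1, c2, kmh in demo():
        print(f"possible clone: IMSI {imsi} seen at {c1} then {c2}, implied {kmh} km/h")
```

In the sample, the first IMSI shows up in London and then in Manchester ten minutes later, which works out to roughly 1,500 km/h and gets flagged; the second IMSI moves a couple of kilometres over two hours and is left alone. Real deployments use the same idea with tuned thresholds and exclude known fast routes, but the core signal, one identity in two places at once, is what a cloned Ki gives away.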

Well, there are a few things you need before you start. First you will need to buy a SIM card reader, a card programmer, an empty silver PIC 2 card, and an unregulated adapter, and, if you don't have one, a 9-pin male-to-female extension cable. You can probably put a bid on eBay for most of this hardware, or just Google up some sites that sell them. You will also need some software for this trick. First you will need a SIM card editor. An excellent piece of software to use in this instance is Cardinal Sim Editor, which you can find (including the crack for it) at the below link...

 http://www.cracksweb.com/news.php?go=824

Another tool you will need is CardMaster, which once again you can find at the below link...

http://cardmaster.dk/download2.php

Finally what you will need is a SIM card emulator. An excellent example of an emulator to use is SIMEMU, which you can find at the below link...

http://simemu.cjb.net/

Note for those of you who feel the need to read the instructions on the site: just go to www.freetranslation.com to translate the web page from Spanish to English. Now let's go ahead and get started, shall we?

You will first want to plug your SIM reader into your COM port. Then run Cardinal, click where it says "Click Here", and then click Settings. Select your COM/serial port and the baud rate. Close this window, then left-click "Click Here" again, go to Smartcard, and click SIM Editor. Once the program starts, go to SIM, then SIM Info, and click the Load button. You will then see the IMSI code; take note of it, as you will need it. Now close SIM Info and go to Security/Find key KI. When this window opens, just click Start and wait. It will take approximately 4 hours to find the key. Once it is found, take note of this KI and exit. You should now have the IMSI and KI noted; if so, let's continue with the next step.

Now take your silver card. Within the unzipped file you will find two files: SEE50s.hex (EEPROM) and SEF50sEN.hex (PIC). Connect your programmer to a COM port, go to the Setup menu in CardMaster and choose the appropriate COM port. You should then see a yellow rectangle at the bottom of the program saying that there is no card. Insert your smartcard into the programmer; the rectangle should change to green and show "Card ready". Now go to "Card type:" and select "Silvercard". Go to the "File to Pic:" field and load SEF50sEN.hex, then go to the "File to Eeprom:" field and load SEE50s.hex. Now go to Edit and click "Auto Program". Once this is finished you will need to cut the card so that it will fit into the phone. Instructions for how the card needs to be cut are provided on the GSM Solutions web site, which will be listed in the Sites to Visit section at the bottom of this page.

Now insert the newly cut silver card into the phone. If it asks for a PIN, just punch in 111. Then from the main menu open up "Sim-Emu". From this menu go to Set Phone #, then -GSM #1 (or any slot), then Configure, then Edit #. Edit GSM #X to any name and press OK. Now go to Config.Pos. and it will ask for PIN2, which is 1234. It will then ask what position you want the card to be in; choose Position 1. It will then ask for the IMSI, where you punch in the IMSI you got from Cardinal. It will then ask for the KI, where again you punch in the KI you got from Cardinal. It will then ask you to enter your PUK, which can be anything up to 8 digits. Then it will ask you to enter your PIN, which can be anything up to 4 digits. There you go: now you have cloned another SIM card, and are free to call away all you want on someone else's bill. There have also been rumors that on certain services there are ways to clone a SIM remotely, but none have been tested, so this can't be proven.

So now that we're finished talking about SIM cloning, let's get into another trick involving exploiting GSM phones: bluejacking. What is bluejacking, you ask? Bluejacking is exploiting the Bluetooth wireless communication system common among PDAs, cell phones, and of course laptops. In essence this is nothing more than a harmless little prank, similar to defacing web sites. For bluejacking GSM phones, what we are trying to do is first create a phonebook contact that says something like "haha I haxor3d j00r ph0n3!", and then send it to any Bluetooth-enabled device in the vicinity. This amounts to at most a harmless little prank, but it's fun to watch their faces when they get the message. However, I won't bother explaining the details of how to bluejack, since the methods are model- and manufacturer-dependent, and are explained on a site that will be listed at the bottom of this tutorial. Don't believe that the possibilities for exploiting Bluetooth-enabled GSM phones end there, though. Another activity that we can jump onto is called bluebugging.

Bluebugging is the process of sniffing out communication from a Bluetooth-enabled cell phone, SMS messages for example. Yup, now you can sit in a coffee shop, open up your laptop, and spy on everyone else who is using their phone. This concept was first introduced to the world in a presentation at DefCon 11, and is now available to the public in the form of a tool called BlueSniff, which works as a Bluetooth wardriving utility to play Big Brother. Go to the below address to get a copy of this tool...

http://bluesniff.shmoo.com/bluesniff-0.1.tar.gz

Another nice tool to use for such means is btscanner, which can be used to gather as much information as possible on a Bluetooth-enabled device. Yet again, this wonderful tool can be found at the below address...

http://www.pentest.co.uk/src/btscanner-1.0.tar.gz

(Warning: do it at your own risk.)