Project

General

Profile

SIMtester

SIMtestes assess SIM card security in two dimensions:

  • Cryptanalytic attack surface. Collect cryptographic signatures and encryptions of known plaintexts
  • Application attack surface. Generate a list of all application identifiers (TAR) and find "unprotected" (MSL=0) applications

Overview

The current version (v.1.8.1) introduces a lot of new, useful features:

Feature Version 1.5 Version 1.8.1
PIN disable/verify/skip yes yes
Fuzzer yes yes
APDU scanner yes yes
TAR scanner yes yes
OTA-Passthrough-Fuzzer no yes
OTA-APDU scanner no yes
File Scanner no yes
Fuzzing with constants no yes
2G fallback no yes

Improvements:

  • Configurable OTA-Response handling The user can now choose how the reply to OTA-Messages should be handled. Its possible to choose between SMS-DELIVER-REPORT (option -sdr) or SMS-SUBMIT (default)
  • OTA-Passthrough-Fuzzer The OTA-Fuzzing functionality has been extended. The fuzzer can try vary the OTA message parameters (PID, DCS, UDHI, IEI/CPH) in order to find alternate configurations that let the message through
  • File Scanner Some cards might contain proprietary files in addition to the standardized files. The filescanner allows the user to scan for hidden files in the cards file system. Its also possible just to check the standard files for their presence
  • Fuzzing with constants Its now possible to keep the KIC, KID, SPI1, SPI2 bytes constant while fuzzing
  • APDU-Scanner Its now also possible to scan for instructions (INS) instead of classes (CLA)
  • Multi-reader handling Its now possible to iterate multiple card readers (option -la) to gather the card info faster
  • 2G Fallback In rare cases, some cards might react problematic when the 3G APDU format is used. In case of problems the user can now decide to use the 2g APDU format only

Install

Prerequisites

  • Java 1.7 (code can be easily tweaked to compile under Java 1.6 or even lower if needed)
  • PC/SC reader (via pcsc daemon) –or–
  • Osmocom phone (via libosmosim)

Download

  1. Pre-compiled .jar with libraries
  2. Live-System

Source code

SIMTester is a GPL-licensed Java application (JAR archive), both sources and binaries are accessible under SIMTester GIT.

 git clone https://opensource.srlabs.de:/git/SIMtester.git

Running SIMtester

Run from LiveISO

Choose "Run Test" -> "SIM" from main menu, follow instructions.

Run pre-compiled binary

Unpack:

 unzip SIMTester_v1.8.1.zip

java -jar SIMTester.jar <arguments>

In case Java has problems to find the libpcsclite shared object, just submit the path manually:

java -Dsun.security.smartcardio.library=/lib/x86_64-linux-gnu/libpcsclite.so.1 -jar SIMTester.jar <arguments>

Compile SIMtester

Software uses several libraries, if compiled from source the following libraries are needed:

Compile from source with:
TODO

General options

command line option description
-vp, --verify-pin <pin> verifies the PIN, works for CHV1
-sp, --skip-pin skips verification of a PIN and ignore permission errors (may produce incomplete results!)
-dp, --disable-pin <pin> disables PIN, works for CHV1 (ideal for testing cards so no PIN database in needed)
-tf, --terminal-factory <PCSC/OsmocomBB> what are you using as SIM card reader
-ri, --reader-index <index of a reader> multiple PC/SC readers can be connected, first is 0
-2g, --2g-cmds Use 2G APDU format only
-la, --list-all Try to connect to all readers and show info about cards in them
-nl, --no-logging Skip the CSV logging
-gsmmap, --gsmmap Automatically contribute data to gsmmap.org

Fuzzer

Has its own intelligent logic, fuzzes ~120 chosen TARs, is divided into 3 modes:
  • Full fuzzing (default) - all 15 keysets with all 16 fuzzing mechanisms
  • Quick fuzzing (-qf option) - keysets 1 to 6, only 4 most successful fuzzing mechanisms
  • Poke the card (-poke option) - same as quick fuzzing but only fuzzes 3 most common TARs (000000, B00001, B00010)
    Custom keysets and TARs can be specified via -t and -k parameters (space being a delimiter between multiple values).

In addition to this the user has the option to keep certain bytes constant during fuzzing:

command line option description
-kic, --kic <arg> Overwrites KIC byte in all fuzzer messages to a custom value
-kid, --kid <arg> Overwrites KID byte in all fuzzer messages to a custom value
-spi1, --spi1 <arg> Overwrites SPI1 byte in all fuzzer messages to a custom value
-spi2, --spi2 <arg> Overwrites SPI2 byte in all fuzzer messages to a custom value

OTA messages are delivered over SMS with standard PID, DCS, UDHI, IEI/CPH parameters. Service providers usually will filter OTA messages by their parameters and will usually comply with the standard to make up their filter rules. Using the OTA-Passthrough fuzzer functionality, the user can check if there are alternative, undocumented parameters which can be used to get the OTA message through. If undocumented parameter constellations are found, its very likely that they are not filtered by the service provider, which would be a weakness.

command line option description
-of, --ota-fuzz Fuzz OTA passthrough (PID, DCS, UDHI, IEI/CPH)
-ofbf, --ota-fuzz-bruteforce Use 0-255 values for both PID and DCS, without this options only most common values are used.

The response handling of OTA-Messages can be implemented in two different ways. The backend either expects an additional user data field in the SMS-DELIVER-REPORT or waits for an incoming SMS that the card issues (SMS-SUBMIT) after completing the requested operation. The user can use the following option to choose between these to methods:

command line option description
-sdr, --sms-deliver-report Use SMS-DELIVER-REPORT instead of SMS-SUBMIT for PoR

TAR Scanner

Scans for valid TAR values by sending messages to them, has 3 modes:
  • Full scan (-st option) - scans for all possible TAR values (0x000000 - 0xFFFFFF) - may take a few hours or several days depending on your SIM card speed
  • Ranged scan (-str option) - scans for valid TAR values in pre-specified ranges to optimise the scanning duration

In addition to the scan type, some options can be specified:
- Smart TAR scan (scan a few random TARs to determine false response, option stbs)
Use a specified REGEXP to match response for false positives (option -stre)
Normally false responses should be constant (PoR status or status word), but there are corner cases in which also false responses might contain variable data.

A starting value for Full scan can be specified using -t option.
A keyset used for sending messages can be specified using -k option (for both Full and Ranged scans).

Tip: run fuzzer first, see what keysets seem responsive (give answers other than none) and use one of those for TAR scanning, because if you use an inactive keyset it's very probable the card will NOT answer even on a valid TAR which makes TAR scanning non-functional.

APDU Scanner
Scans for valid APDU values (think of APDUs as of commands to the card) on TARs without any public APDU reference, it has 2 modes:
  • LEVEL 1 scan (performed automatically after Fuzzer finishes and has found unprotected TARs with responses) - only scans for valid CLA 0x00 - 0xFF - it is performed via OTA messages. Can also be invoked manually (option -sa)
  • LEVEL 2 scan (option -sa -sal2) - scans for both CLA 0x00 - 0xFF and INS 0x00 - 0xFF - it is performed locally on card I/O on initially selected application

Using OsmocomBB phone as a SIM reader

This requires a patched firmware and a libosmosim.so library. Patched sources can be found in luca/libosmosim branch in OsmocomBB git tree:

git clone git://git.osmocom.org/osmocom-bb.git
cd osmocom-bb/
git checkout luca/libosmosim

once compiled use the layer1.compalram.bin firmware and copy libosmosim.so (layer23/src/libosmosim/.libs/) to your java.library.path folder (usually /usr/lib/jni/ on Linux).

then just use -tf OsmocomBB to turn your Osmocom phone into a SIM card reader for SIMTester.

File Scanner

Automatically scans the files present on the SIM. This option can be used to detect non standard, proprietary files on the SIM. The scanner will start at 3F00 and automatically skips reserved values. The user has the option to add additional reserved values in order to skip files in case of problems. It is also possible to run the scanner in standard-scan-mode where only standard files are checked for their presence.

command line option description
-sf, --scan-files Scans files on the SIM, starts at MF (0x3F00)
-sfb, --scan-files-break Use with -sf, stop scanning directory when the count returned by Select APDU matched count of found files
-sffs, --scan-files-follow-standard Use with -sf, only search for IDs that are standardized, eg. 3rd level files only between 4F00 and 4FFF etc.
-sfrv, --sfrv <sfrv> File scanning: Add a file ID to reserved values for file scanning (will be skipped).

Contribute

Upload to gsmmap.org

a new option -gsmmap has been introduced in version 1.5 in order to provide upload functionality to gsmmap.org even for users not using the Live-System

Tor can be also used by specifying:

java -jar SIMTester.jar -gsmmap -socksProxyHost=127.0.0.1 -socksProxyPort=<tor_port> ... other options ...

If you already have scanned your cards without -gsmmap option, you can use the web form here: http://gsmmap.org/upload.html to upload your CSV results SIMTester provided.

Mailing list

A public mailing list for announcements and discussion is found here
Feel free to post your questions, observations, or results.

SIMtester_v1.8.1.zip (4.11 MB) Philipp, 02/04/2016 11:44 AM