Revision 9 (Anonymous, 12/23/2013 07:57 PM) → Revision 10/29 (Anonymous, 12/25/2013 03:36 PM)

h2. SIMtester

The provided tools assess SIM card security in two dimensions:

* *Cryptanalytic attack surface.* Collect cryptographic signatures and encryptions of known plaintexts.

* *Application attack surface.* Generate a list of all application identifiers (TARs) and find "unprotected" applications, i.e. those with MSL (Minimum Security Level) = 0.

h3. Requirements

* Java 1.7 (the code can easily be tweaked to compile under Java 1.6 or even lower if needed)
* PC/SC reader (via the pcsc daemon) –or–
* Osmocom phone (via libosmosim)

 h3. Download 

 Pre-compiled .jar TODO 
 Source Code TODO 
 Live System TODO 

 

 h3. Instructions 

 # Download 
 # unpack 
 # run: TODO call 
 * TODO command line parameters 

 h4. Running SIMTester on LiveISO 

 h4. Running SIMTester by hand 

 h5. General options 

| command line option | description |
|*@-vp, --verify-pin <pin>@*|verifies the PIN; works for CHV1|
|*@-sp, --skip-pin@*|skips PIN verification and ignores permission errors (may produce incomplete results!)|
|*@-dp, --disable-pin <pin>@*|disables the PIN; works for CHV1 (ideal for test cards, so no PIN database is needed)|
|*@-tf, --terminal-factory <PCSC/OsmocomBB>@*|which backend you are using as the SIM card reader|
|*@-ri, --reader-index <index of a reader>@*|multiple PC/SC readers can be connected; the first one is index 0|

 h5. SIMTester contains 3 main functionalities: 

 h5. Fuzzer 

The fuzzer has its own intelligent logic and fuzzes ~120 chosen TARs. It is divided into 3 modes:
* Full fuzzing (default) - all 15 keysets with all 16 fuzzing mechanisms
* Quick fuzzing (-qf option) - keysets 1 to 6, only the 4 most successful fuzzing mechanisms
* Poke the card (-poke option) - same as quick fuzzing, but only fuzzes the 3 most common TARs (000000, B00001, B00010)

 Custom keysets and TARs can be specified via *-t* and *-k* parameters (space being a delimiter between multiple values). 

 h5. TAR Scanner 

Scans for valid TAR (Toolkit Application Reference) values by sending messages to them. It has 2 modes:
* Full scan (-st option) - scans all possible TAR values (0x000000 - 0xFFFFFF); may take a few hours or several days depending on your SIM card's speed
* Ranged scan (-str option) - scans for valid TAR values in pre-specified ranges to shorten the scanning duration

 A starting value for Full scan can be specified using *-t* option. 
 A keyset used for sending messages can be specified using *-k* option (for both Full and Ranged scans). 

Tip: run the fuzzer first, see which keysets seem responsive (i.e. give an answer other than none) and use one of those for TAR scanning. If you use an inactive keyset it is very probable that the card will NOT answer even on a valid TAR, which makes TAR scanning non-functional.
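Both the fuzzer's "answer other than none" and the TAR scanner's notion of a valid TAR come down to reading the Proof of Receipt (Response Packet) the card returns. The following is an added example, not code from SIMTester or SIMLibrary: it parses the Response Packet layout defined in GSM 03.48 / ETSI TS 102 225 (RPL, RHL, TAR, CNTR, PCNTR, status, optional RC/CC/DS, additional data) and maps the status code to a scan verdict. The verdict strings and the two sample packets are constructed for this example; SIMTester's own classification logic is not shown on this page and may differ.

```python
"""Parse and classify a GSM 03.48 / ETSI TS 102 225 Response Packet.

Layout of a Response Packet (the Proof of Receipt a SIM returns for an
OTA command packet):

    RPL     2 bytes   length of everything that follows RPL
    RHL     1 byte    length of TAR .. RC/CC/DS (inclusive)
    TAR     3 bytes   Toolkit Application Reference that answered
    CNTR    5 bytes   counter
    PCNTR   1 byte    padding counter
    Status  1 byte    response status code
    RC/CC/DS          RHL-10 bytes, optional integrity value
    Additional Response Data   remainder of the packet
"""
from dataclasses import dataclass
from typing import Optional

# Response status codes as listed in the 03.48 / 102 225 status table.
STATUS_CODES = {
    0x00: "PoR OK",
    0x01: "RC/CC/DS failed",
    0x02: "CNTR low",
    0x03: "CNTR high",
    0x04: "CNTR blocked",
    0x05: "Ciphering error",
    0x06: "Unidentified security error",
    0x07: "Insufficient memory",
    0x08: "More time",
    0x09: "TAR unknown",
    0x0A: "Insufficient security level",
}


@dataclass
class ResponsePacket:
    tar: bytes
    counter: int
    padding_counter: int
    status: int
    rc_cc_ds: bytes
    data: bytes

    @property
    def status_text(self) -> str:
        return STATUS_CODES.get(self.status, f"Reserved (0x{self.status:02X})")


def parse_response_packet(raw: bytes) -> ResponsePacket:
    """Parse raw Response Packet bytes, checking both length fields."""
    if len(raw) < 3:
        raise ValueError("too short for RPL and RHL")
    rpl = int.from_bytes(raw[0:2], "big")
    if rpl != len(raw) - 2:
        raise ValueError(f"RPL {rpl} does not match packet length {len(raw) - 2}")
    rhl = raw[2]
    # Header must at least hold TAR(3)+CNTR(5)+PCNTR(1)+Status(1) and fit in the packet.
    if rhl < 10 or 3 + rhl > len(raw):
        raise ValueError(f"RHL {rhl} is inconsistent with packet length")
    header = raw[3:3 + rhl]
    return ResponsePacket(
        tar=bytes(header[0:3]),
        counter=int.from_bytes(header[3:8], "big"),
        padding_counter=header[8],
        status=header[9],
        rc_cc_ds=bytes(header[10:]),
        data=bytes(raw[3 + rhl:]),
    )


def classify(raw: Optional[bytes]) -> str:
    """Map a raw PoR (or None when the card stayed silent) to a scan verdict.

    The verdict vocabulary is this example's own, not SIMTester's.
    """
    if raw is None:
        return "no answer"
    pkt = parse_response_packet(raw)
    if pkt.status == 0x09:
        return "tar unknown"
    if pkt.status == 0x0A:
        return "tar exists, protected (MSL above the level used)"
    if pkt.status in (0x01, 0x05, 0x06):
        return "tar exists, keyset rejected"
    if pkt.status in (0x02, 0x03, 0x04):
        return "tar exists, counter problem"
    if pkt.status == 0x00:
        return "tar exists, accepted at this security level"
    return f"tar exists, status {pkt.status_text}"


# Constructed sample packets (not captures from a real card).
# 1) TAR B00001 answering 'TAR unknown', no RC/CC/DS, no additional data.
SAMPLE_TAR_UNKNOWN = bytes.fromhex("000b" "0a" "b00001" "0000000001" "00" "09")
# 2) TAR 000000 answering 'PoR OK' with an 8-byte cryptographic checksum
#    and two bytes of additional response data (9000).
SAMPLE_POR_OK = bytes.fromhex(
    "0015" "12" "000000" "0000000005" "00" "00" "1122334455667788" "9000"
)

if __name__ == "__main__":
    for sample in (None, SAMPLE_TAR_UNKNOWN, SAMPLE_POR_OK):
        print(classify(sample))
```

The two length checks matter in practice: a card that truncates or pads its PoR will otherwise be mis-parsed, and the "no answer" case (None here) is exactly the situation the tip above warns about when an inactive keyset is used.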

 h5. APDU Scanner 

Scans for valid APDU (Application Protocol Data Unit) values (think of APDUs as commands to the card) on TARs without any public APDU reference. It has 2 modes:
* LEVEL 1 scan (performed automatically after the *Fuzzer* finishes and has found unprotected TARs with responses) - only scans for valid CLA (Class) values 0x00 - 0xFF; it is performed via OTA (Over The Air) messages.
* LEVEL 2 scan (-sa option) - scans for both CLA (Class) 0x00 - 0xFF and INS (Instruction) 0x00 - 0xFF; it is performed locally on the card I/O against the initially selected application.

 h3. Dependencies 

The software uses several libraries. If you compile from source, the following libraries are needed:

 * "Apache Common CLI 1.3":http://commons.apache.org/proper/commons-cli/ 
 * "CombinatoricsLib 2.0":https://code.google.com/p/combinatoricslib/ 
 * SIMLibrary - available in the git along with SIMTester 

 h3. Mailing list 

 A public mailing list for announcements and discussion can be found "here":https://lists.srlabs.de/cgi-bin/mailman/listinfo/simsec