Wiki » History » Version 28

Luca, 09/27/2019 07:21 PM

{{toc}}

h1. SIMtester

SIMtester assesses SIM card security in two dimensions:

* *Cryptanalytic attack surface.* Collect cryptographic signatures and encryptions of known plaintexts
* *Application attack surface.* Generate a list of all application identifiers (TAR) and find "unprotected" (MSL (Minimum Security Level) = 0) applications

h2. Overview

The current version (v.1.9) introduces a lot of new, useful features:

| Feature | Version *1.5* | Version *1.8.1* | Version *1.9* |
| PIN disable/verify/skip | yes | yes | yes |
| Fuzzer | yes | yes | yes |
| APDU scanner | yes | yes | yes |
| TAR scanner | yes | yes | yes |
| OTA-Passthrough-Fuzzer | no | yes | yes |
| OTA-APDU scanner | no | yes | yes |
| File Scanner | no | yes | yes |
| Fuzzing with constants | no | yes | yes |
| 2G fallback | no | yes | yes |
| Test for S@T vulnerability | no | no | *yes* |
| Test for WIB vulnerability | no | no | *yes* |

Improvements:

* *Test for S@T/WIB vulnerabilities* These SIM applications could be abused to retrieve the user location, send SMS or start a call if the security settings are not properly set
* *New SPI fuzzer settings* A special test case with all security fields set to zero has been defined
* *New OTA fuzzer settings* A special test case for no UDH has been added to the OTA fuzzer

h2. Install

h3. Prerequisites

* Java 1.7+ (code can be easily tweaked to compile under Java 1.6 or even lower if needed)
* PC/SC reader (via pcsc daemon) –or–
* Osmocom phone (via libosmosim)

h3. Download

# "Pre-compiled .jar with libraries":https://opensource.srlabs.de/attachments/180/SIMTester_v1.9.zip
# "Live-System":https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/GSMmap-live

h3. Source code

SIMTester is a GPL-licensed Java application (JAR archive); both sources and binaries are available from the SIMTester Git repository:

<pre> git clone https://opensource.srlabs.de:/git/SIMtester.git</pre>

h2. Running SIMtester

h3. Run from LiveISO

Choose "Run Test" -> "SIM" from the main menu and follow the instructions.

h3. Run pre-compiled binary

Unpack: <pre> unzip SIMTester_v1.9.zip</pre>

<pre>
java -jar SIMTester.jar <arguments>
</pre>

If Java cannot find the libpcsclite shared object, pass its path explicitly:

<pre>
java -Dsun.security.smartcardio.library=/lib/x86_64-linux-gnu/libpcsclite.so.1 -jar SIMTester.jar <arguments>
</pre>

h3. Compile SIMtester

The software uses several libraries; when compiling from source the following are needed:

* "Apache Common CLI 1.3":http://commons.apache.org/proper/commons-cli/
* "Apache HttpClient 4.3.x":http://hc.apache.org/
* "CombinatoricsLib 2.0":https://code.google.com/p/combinatoricslib/
* A functional PC/SC daemon and a compatible card reader
* SIMLibrary - available in the git along with SIMTester

Compile from source with:

TODO

h4. General options

| command line option | description |
|*@-vp, --verify-pin <pin>@*|verifies the PIN, works for CHV1|
|*@-sp, --skip-pin@*|skips verification of the PIN and ignores permission errors (may produce incomplete results!)|
|*@-dp, --disable-pin <pin>@*|disables the PIN, works for CHV1 (ideal for testing cards, so no PIN database is needed)|
|*@-tf, --terminal-factory <PCSC/OsmocomBB>@*|which device is used as SIM card reader|
|*@-ri, --reader-index <index of a reader>@*|multiple PC/SC readers can be connected, the first is 0|
|*@-2g, --2g-cmds@*|use the 2G APDU format only|
|*@-la, --list-all@*|try to connect to all readers and show info about the cards in them|
|*@-nl, --no-logging@*|skip the CSV logging|
|*@-gsmmap, --gsmmap@*|automatically contribute data to gsmmap.org|

h4. Fuzzer

Has its own intelligent logic, fuzzes ~120 chosen TARs and is divided into 3 modes:

* Full fuzzing (default) - all 15 keysets with all 16 fuzzing mechanisms
* Quick fuzzing (-qf option) - keysets 1 to 6, only the 4 most successful fuzzing mechanisms
* Poke the card (-poke option) - same as quick fuzzing but only fuzzes the 3 most common TARs (000000, B00001, B00010)

Custom TARs and keysets can be specified via the *-t* and *-k* parameters (space being the delimiter between multiple values).

In addition, the user has the option to keep certain bytes constant during fuzzing:

| command line option | description |
|*@-kic, --kic <arg>@*|Overwrites the KIC byte in all fuzzer messages with a custom value|
|*@-kid, --kid <arg>@*|Overwrites the KID byte in all fuzzer messages with a custom value|
|*@-spi1, --spi1 <arg>@*|Overwrites the SPI1 byte in all fuzzer messages with a custom value|
|*@-spi2, --spi2 <arg>@*|Overwrites the SPI2 byte in all fuzzer messages with a custom value|

OTA messages are delivered over SMS with standard PID, DCS, UDHI and IEI/CPH parameters. Service providers usually filter OTA messages by these parameters and usually follow the standard when building their filter rules. With the OTA-Passthrough fuzzer the user can check whether alternative, undocumented parameters can be used to get an OTA message through. If undocumented parameter constellations are found, it is very likely that they are not filtered by the service provider, which would be a weakness.

| command line option | description |
|*@-of, --ota-fuzz@*|Fuzz OTA passthrough (PID, DCS, UDHI, IEI/CPH)|
|*@-ofbf, --ota-fuzz-bruteforce@*|Use the values 0-255 for both PID and DCS; without this option only the most common values are used.|

The response handling of OTA messages can be implemented in two different ways: the backend either expects an additional user data field in the SMS-DELIVER-REPORT, or waits for an incoming SMS (SMS-SUBMIT) that the card issues after completing the requested operation. The following option chooses between these two methods:

| command line option | description |
|*@-sdr, --sms-deliver-report@*|Use SMS-DELIVER-REPORT instead of SMS-SUBMIT for PoR|

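As an added illustration (not code from SIMtester or SRLabs) of the header bytes the fuzzer overrides and of the PoR option above: a Python decoder for the GSM 03.48 / ETSI TS 102 225 command packet header, showing which security a packet requests via SPI1/SPI2, which keyset KIC/KID select, and whether a packet matches the "all security fields set to zero" test case. The bit layouts are assumed from the specification and both packets are constructed samples.

```python
import struct

# Bit layouts assumed from GSM 03.48 / ETSI TS 102 225 section 5.1 (b1 = least significant bit).
INTEGRITY = {0: "none", 1: "RC", 2: "CC", 3: "DS"}
COUNTER = {0: "no counter", 1: "counter, no check", 2: "counter > last", 3: "counter == last+1"}
POR = {0: "no PoR", 1: "PoR required", 2: "PoR on error only", 3: "reserved"}
ALGO = {0: "implicit", 1: "DES", 2: "AES (TS 102 225)", 3: "proprietary"}

def decode_spi(spi1, spi2):
    """Decode SPI1 (security of the command) and SPI2 (proof-of-receipt handling)."""
    return {
        "integrity": INTEGRITY[spi1 & 0x03],             # b1-b2: RC / CC / DS on the command
        "ciphering": bool(spi1 & 0x04),                  # b3: command data ciphered
        "counter": COUNTER[(spi1 >> 3) & 0x03],          # b4-b5: replay counter handling
        "por": POR[spi2 & 0x03],                         # b1-b2: when a PoR is sent
        "por_integrity": INTEGRITY[(spi2 >> 2) & 0x03],  # b3-b4: RC / CC / DS on the PoR
        "por_ciphered": bool(spi2 & 0x10),               # b5: PoR ciphered
        "por_via": "SMS-SUBMIT" if spi2 & 0x20 else "SMS-DELIVER-REPORT",  # b6 (cf. -sdr)
    }

def decode_key_byte(b):
    """KIC and KID share one layout: algorithm (b1-b2), mode (b3-b4), keyset index (b5-b8)."""
    return {"algorithm": ALGO[b & 0x03], "mode": (b >> 2) & 0x03, "keyset": b >> 4}

def parse_command_packet(pkt):
    """Parse CPL | CHL | SPI | KIC | KID | TAR | CNTR | PCNTR | RC/CC/DS | data."""
    cpl, chl = struct.unpack(">HB", pkt[:3])
    # CPL counts every byte after itself; CHL counts SPI..RC/CC/DS (13 bytes + checksum).
    if len(pkt) != 2 + cpl or chl < 13 or 3 + chl > len(pkt):
        raise ValueError("inconsistent CPL/CHL length fields")
    hdr = pkt[3:3 + chl]
    info = decode_spi(hdr[0], hdr[1])
    info.update(kic=decode_key_byte(hdr[2]), kid=decode_key_byte(hdr[3]),
                tar=hdr[4:7].hex().upper(), cntr=int.from_bytes(hdr[7:12], "big"),
                pcntr=hdr[12], rc_cc_ds=hdr[13:].hex().upper(), data=pkt[3 + chl:])
    return info

def is_unsecured(info):
    """True for the 'all security fields set to zero' case: no RC/CC/DS, no ciphering, no counter."""
    return info["integrity"] == "none" and not info["ciphering"] and info["counter"] == "no counter"

# Constructed sample packets (not captured from any real card); payload bytes are dummies.
ZERO_SPI_PKT = bytes.fromhex("00120D" "0000" "00" "00" "B00010" "0000000000" "00" "01020304")
SECURED_PKT = bytes.fromhex("001A15" "1629" "15" "15" "000000" "0000000001" "00"
                            "1122334455667788" "01020304")
```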
h4. TAR Scanner

Scans for valid TAR (Toolkit Application Reference) values by sending messages to them, has 3 modes:

* Full scan (-st option) - scans for all possible TAR values (0x000000 - 0xFFFFFF) - may take a few hours or several days depending on your SIM card speed
* Ranged scan (-str option) - scans for valid TAR values in pre-specified ranges to optimise the scanning duration

In addition to the scan type, some options can be specified:

* Smart TAR scan (scan a few random TARs to determine the false response, option -stbs)
* Use a specified REGEXP to match the response for false positives (option -stre)

Normally false responses should be constant (PoR status or status word), but there are corner cases in which false responses might also contain variable data.

A starting value for the Full scan can be specified using the *-t* option.
A keyset used for sending messages can be specified using the *-k* option (for both Full and Ranged scans).

Tip: run the fuzzer first, see which keysets seem responsive (give answers other than none) and use one of those for TAR scanning. If you use an inactive keyset it is very probable the card will NOT answer even on a valid TAR, which makes TAR scanning non-functional.

h4. APDU Scanner

Scans for valid APDU (Application Protocol Data Unit) values (think of APDUs as commands to the card) on TARs without any public APDU reference; it has 2 modes:

* LEVEL 1 scan (performed automatically after the *Fuzzer* finishes and has found unprotected TARs with responses) - only scans for valid CLA (Class) 0x00 - 0xFF - it is performed via OTA (Over The Air) messages. Can also be invoked manually (option -sa)
* LEVEL 2 scan (option -sa -sal2) - scans for both CLA (Class) 0x00 - 0xFF and INS (Instruction) 0x00 - 0xFF - it is performed locally on card I/O on the initially selected application

h4. Using OsmocomBB phone as a SIM reader

This requires a patched firmware and the libosmosim.so library. Patched sources can be found in the luca/libosmosim branch of the OsmocomBB git tree:

<pre>
git clone git://git.osmocom.org/osmocom-bb.git
cd osmocom-bb/
git checkout luca/libosmosim
</pre>

Once compiled, use the *@layer1.compalram.bin@* firmware and copy *@libosmosim.so@* (@layer23/src/libosmosim/.libs/@) to your java.library.path folder (usually @/usr/lib/jni/@ on Linux).

Then just use *@-tf OsmocomBB@* to turn your Osmocom phone into a SIM card reader for SIMTester.

h4. File Scanner

Automatically scans the files present on the SIM. This option can be used to detect non-standard, proprietary files on the SIM. The scanner starts at 3F00 and automatically skips reserved values. The user has the option to add further reserved values in order to skip files in case of problems. It is also possible to run the scanner in standard-scan mode, where only standard files are checked for their presence.

| command line option | description |
|*@-sf, --scan-files@*|Scans files on the SIM, starts at the MF (0x3F00)|
|*@-sfb, --scan-files-break@*|Use with -sf; stop scanning a directory when the count returned by the Select APDU matches the count of found files|
|*@-sffs, --scan-files-follow-standard@*|Use with -sf; only search for IDs that are standardized, e.g. 3rd level files only between 4F00 and 4FFF etc.|
|*@-sfrv, --sfrv <sfrv>@*|File scanning: add file ID(s) to the reserved values for file scanning (they will be skipped).|

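To make the scanner options concrete, here is an added Python simulation (not SIMtester's own code) of how a file scan walks one directory: standard-only candidate ranges for -sffs, user-added reserved IDs for -sfrv and the early stop of -sfb. The reserved IDs and the standard ID ranges are assumed from ETSI TS 102 221; the card is a constructed stand-in that only answers SELECT for a fixed set of children.

```python
# Assumed from ETSI TS 102 221: file IDs with a reserved meaning, and the high byte
# that standard files carry depending on their position in the file tree.
RESERVED_FIDS = {0x3F00, 0x3FFF, 0x7FFF, 0xFFFF}
STANDARD_PREFIXES = {
    "MF": (0x2F, 0x7F),   # EFs / DFs directly under the MF
    "DF1": (0x6F, 0x5F),  # EFs / DFs under a first-level DF
    "DF2": (0x4F,),       # EFs under a second-level DF
}

def candidate_fids(parent_kind, follow_standard=True, extra_reserved=()):
    """IDs a scanner would try under a directory of the given kind, reserved ones removed."""
    reserved = RESERVED_FIDS | set(extra_reserved)   # -sfrv adds user-supplied IDs here
    if follow_standard:                               # -sffs: only standardized ranges
        ranges = [range(p << 8, (p << 8) + 0x100) for p in STANDARD_PREFIXES[parent_kind]]
    else:                                             # otherwise the full 16-bit space
        ranges = [range(0x0000, 0x10000)]
    return sorted(fid for r in ranges for fid in r if fid not in reserved)

def scan_directory(select, parent_kind, child_count=None, follow_standard=True, extra_reserved=()):
    """select(fid) -> True if the card accepts SELECT of that FID; child_count mirrors -sfb."""
    found = []
    for fid in candidate_fids(parent_kind, follow_standard, extra_reserved):
        if select(fid):
            found.append(fid)
            if child_count is not None and len(found) >= child_count:
                break  # -sfb: stop once the child count announced by the directory is reached
    return found

class FakeCard:
    """Constructed stand-in for a card directory; counts SELECTs so the -sfb saving is visible."""
    def __init__(self, children):
        self.children = set(children)
        self.selects = 0
    def select(self, fid):
        self.selects += 1
        return fid in self.children

# Constructed directory: one standard EF, two standard DFs and one proprietary file 0x1234.
SAMPLE_CHILDREN = (0x2FE2, 0x7F10, 0x7F20, 0x1234)

def demo(follow_standard, child_count=None):
    """Scan the constructed MF; returns (IDs found, number of SELECTs it cost)."""
    card = FakeCard(SAMPLE_CHILDREN)
    found = scan_directory(card.select, "MF", child_count, follow_standard)
    return found, card.selects
```

The proprietary 0x1234 only shows up without -sffs, and -sfb turns the full scan into a much shorter one.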
h2. Contribute

h3. Upload to gsmmap.org

A new option *@-gsmmap@* was introduced in version 1.5 to provide upload functionality to gsmmap.org even for users not using the "Live-System":https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/GSMmap-live

Tor can also be used by specifying:

<pre>
java -jar SIMTester.jar -gsmmap -socksProxyHost=127.0.0.1 -socksProxyPort=<tor_port> ... other options ...
</pre>

If you have already scanned your cards *without the @-gsmmap@* option, you can use the web form at http://gsmmap.org/upload.html to upload the CSV results SIMTester produced.

h3. Mailing list

A public mailing list for announcements and discussion is found "here":https://lists.srlabs.de/cgi-bin/mailman/listinfo/simsec
Feel free to post your questions, observations, or results.