SMS pwnage on MEELLIONS of flawed SIM cards, popular 4G modems

Bootkits for everyone!

A Russian research team has found vulnerabilities in millions of the world's SIM cards, and separate flaws in common 4G modem platforms. Together, the bugs could allow attackers to send crafted SMS text messages to gain access to critical systems and install malware on connected computers.

In one dramatic and hypothetical example, the research team of six from outfit SCADA StrangeLove showed how track switching mechanisms in the European Rail Traffic Management System could be altered by remote attackers targeting computers and devices on trains and tracks.

They found what fellow SRlabs researcher Karsten Nohl estimated was 'millions' of the world's SIM cards that could be impersonated by attackers who captured the users' Temporary International Mobile Subscriber Identity and decryption key (Kc), numbers that were designed to stop eavesdropping between devices and phone towers.

It built on Nohl's research last year that revealed SIM flaws could allow attackers to intercept calls and target wireless NFC applications like contactless payments through crafted text messages.

He found telcos had done little in the two months to September to fix the flaws. They now face further attack vectors in SIMs and mobile 4G dongles.

Attackers would need four conditions to align to take advantage of the remote Kc disclosure, as Nohl explained to Vulture South:

  • A network that allowed binary SMS to reach the SIM card;
  • One of the millions of SIM cards that have an unprotected or weakly protected TAR;
  • A TAR that allows execution of file system commands; and
  • An easily guessable SIM card PIN.

"Only if all four hold, can a decryption key (Kc) be queried remotely," Nohl explained of the work. "Given that there are billions of SIMs out there, the attack still affects many millions of them."

It was unknown if Australian SIMs were affected but antipodean modems were thought to be susceptible due to shared platforms, Gordeychik said.

"Vulnerabilities in modern SIM cards allow attackers to obtain important information which is enough to spoof a victim's identity – or 'clone' a phone in a network – or to decrypt traffic by two specially crafted SMS messages," Gordeychik said in an email.

Attackers could also cause mass denial of service by entering incorrect PINs and PUKs on targeted SIM cards.

The SCADA StrangeLove team were further able to remotely install malicious applications on 4G modem cards to then update firmware, change passwords on the web management portal, and even gain access to the internal networks of telcos.

They found crafted text messages sent to vulnerable 4G modems could allow attackers to install bootkits on machines connected using modem dongles by reprogramming the devices to serve as storage and human interface devices (HIDs).

"Advanced attacks allow attackers to reprogram 4G modems remotely, sometimes via SMS, making them act as a HID and storage device to emulate key presses, reboot connected laptop and install bootkits," Gordeychik said.

Separate findings included 550 GPRS Tunnelling Protocol hosts, mostly gateway GPRS support nodes, connected to the internet that allowed attackers to emulate serving GPRS support nodes to establish GPRS connections over the internet.
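The GTP exposure above is something a carrier can watch for on its own GGSN-facing links: a GTP-C session-setup request arriving from an address that is not a known SGSN or roaming partner is exactly the "emulated SGSN" case. The classifier below is an added illustration, not the researchers' tooling; it parses only the mandatory 8-byte GTPv1-C header (3GPP TS 29.060), the datagrams and the trusted range are constructed for the example, and the message-type constants are the standard ones (Echo Request = 1, Create PDP Context Request = 16, Update PDP Context Request = 18).

```python
import ipaddress
import struct

# GTPv1-C listens on UDP 2123; the mandatory header is flags, message type, length, TEID.
GTP_C_PORT = 2123
MSG_ECHO_REQUEST = 1
MSG_CREATE_PDP_CONTEXT_REQUEST = 16
MSG_UPDATE_PDP_CONTEXT_REQUEST = 18
SESSION_SETUP_TYPES = {MSG_CREATE_PDP_CONTEXT_REQUEST, MSG_UPDATE_PDP_CONTEXT_REQUEST}


def parse_gtpv1_header(payload: bytes):
    """Return (msg_type, length, teid) for a GTPv1 (PT=1) header, else None."""
    if len(payload) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    version = flags >> 5          # top three bits carry the protocol version
    pt = (flags >> 4) & 1         # PT=1 is GTP, PT=0 is the GTP' charging protocol
    if version != 1 or pt != 1:
        return None
    return msg_type, length, teid


def classify_gtp_datagram(src_ip: str, dst_port: int, payload: bytes, trusted_sgsn_nets):
    """Verdict for one UDP datagram aimed at a GGSN: 'ignore', 'ok', 'notice: ...' or 'alert: ...'.

    A PDP context setup from outside the SGSN/roaming allowlist is the SGSN-emulation
    pattern described in the article; an echo request from outside it is a likely probe.
    """
    if dst_port != GTP_C_PORT:
        return "ignore"
    hdr = parse_gtpv1_header(payload)
    if hdr is None:
        return "ignore"
    msg_type, _, _ = hdr
    src = ipaddress.ip_address(src_ip)
    trusted = any(src in net for net in trusted_sgsn_nets)
    if msg_type in SESSION_SETUP_TYPES and not trusted:
        return "alert: PDP context setup from untrusted source %s" % src_ip
    if msg_type == MSG_ECHO_REQUEST and not trusted:
        return "notice: GTP echo probe from untrusted source %s" % src_ip
    return "ok"


# Constructed sample datagrams (not captures): flags 0x30 = version 1, PT=1, no optional fields;
# length and TEID are zero because no information elements follow the header.
SAMPLE_CREATE_REQ = bytes([0x30, MSG_CREATE_PDP_CONTEXT_REQUEST]) + struct.pack("!HI", 0, 0)
SAMPLE_ECHO_REQ = bytes([0x30, MSG_ECHO_REQUEST]) + struct.pack("!HI", 0, 0)
# Placeholder allowlist standing in for the operator's core and roaming-partner ranges.
TRUSTED_SGSN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

if __name__ == "__main__":
    print(classify_gtp_datagram("203.0.113.5", GTP_C_PORT, SAMPLE_CREATE_REQ, TRUSTED_SGSN_NETS))
    print(classify_gtp_datagram("10.20.30.40", GTP_C_PORT, SAMPLE_CREATE_REQ, TRUSTED_SGSN_NETS))
```

The same verdicts can be produced from an existing NetFlow or pcap feed by handing each datagram's source, destination port and payload to `classify_gtp_datagram`; a GGSN that never sees an untrusted-source alert is one that is not reachable from the internet at all, which is the fix the article's CERT remark points at.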

The attacks, presented at the security conferences PacSec and ZeroNights and to be explained in an upcoming paper, affected a host of systems including supervisory control and data acquisition (SCADA) machines, ATMs and various Internet of Things devices.

Attackers could use tools including the modified open source software Osmocombb, Calypso-based phones or online SMS gateways.

Fixing the vectors was not simple. Gordeychik said telcos were the only entities that could push vendors to fix vulnerable SIMs and modems by following secure coding practice, while CERTs were responsible for internet infrastructure issues like the GPRS Tunnelling Protocol.

The research team of Gordeychik; Alexey Osipov; Timur Yunusov; Alexander Zaitsev; Gleb Gritsai; Kirill Nesterov, and Dmitry Sklyarov tested more than 100 SIM cards and 'dozens' of 4G USB modems purchased across Europe, the Middle East and the US, and reported their findings to telcos, device vendors and computer emergency response teams including Japan's CERT. ®
