SIM cards are all around us, and with the continuing growth of the Internet of Things, spawning technologies like NB-IoT, this might as well be very literal soon. But what do we really know about them, their internal structure, and their communication protocols? And by extension, their security? To shine some light on these questions, open source and mobile device titan [LaForge] gave an introductory talk about SIM card technologies at the 36C3 in Leipzig, Germany.
Starting with a brief history lesson on the early days of cellular networks based on the German C-Netz, and the origin of the SIM card itself, [LaForge] goes through the main specification and technology parts of each following generation from 2G to 5G. Covering the physical basics, I/O interfaces, communication protocols, and the file system located on the SIM card, you’ll get the answer to “what on Earth is PIN2 for?” along the way.
Of course, a talk like this, on a CCC event, wouldn’t be complete without a deep and critical look at the security side as well. Considering how over-the-air updates on both software and — thanks to mostly running Java nowadays — feature side are more and more common, there certainly is something to look at.
Continue reading “36C3: SIM Card Technology From A To Z”
Many moons ago, in the shadowy darkness of the 1990s, a young Lewin visited his elder cousin. An adept AMOS programmer, he had managed to get his Amiga 500 to control an RC car, with little more than a large pile of relays and guile. Everything worked well, but there was just one problem — once the car left the room, there was no way to see what was going on.
Why don’t you put a camera on it? Then you can drive it anywhere!
This would go on to inspire the TKIRV project approximately 20 years later. The goal of the project is to build a rover outfitted with a camera, which is controllable over cellular data networks from anywhere on Earth. For its upcoming major expedition, the vehicle is to receive solar panels to enable it to remain operable in distant lands for extended periods without having to return to base to recharge.
The project continues to inch towards this goal, but as the rover nears completion, the temptation to take it out for a spin grew ever greater. What initially began as an exciting jaunt actually netted plenty of useful knowledge for the rover’s further development.
Continue reading “A 4G Rover And The Benefits Of A Shakedown Mission”
Although hard to believe in the age of cheap IMSI-catchers, “subscriber location privacy” is supposed to be protected by mobile phone protocols. The Authentication and Key Agreement (AKA) protocol provides location privacy for 3G, 4G, and 5G connections, and it’s been broken at a basic enough level that three successive generations of a technology have had some of their secrets laid bare in one fell swoop.
When 3G was developed, long ago now, spoofing cell towers was expensive and difficult enough that the phone’s International Mobile Subscriber Identity (IMSI) was transmitted unencrypted. For 5G, a more secure version based on a asymmetric encryption and a challenge-reponse protocol that uses sequential numbers (SQNs) to prevent replay attacks. This hack against the AKA protocol sidesteps the IMSI, which remains encrypted and secure under 5G, and tracks you using the SQN.
The vulnerability exploits the AKA’s use of XOR to learn something about the SQN by repeating a challenge. Since the SQNs increment by one each time you use the phone, the authors can assume that if they see an SQN higher than a previous one by a reasonable number when you re-attach to their rogue cell tower, that it’s the same phone again. Since the SQNs are 48-bit numbers, their guess is very likely to be correct. What’s more, the difference in the SQN will reveal something about your phone usage while you’re away from the evil cell.
A sign of the times, the authors propose that this exploit could be used by repressive governments to track journalists, or by advertisers to better target ads. Which of these two dystopian nightmares is worse is left as comment fodder. Either way, it looks like 5G networks aren’t going to provide the location privacy that they promise.
Via [The Register]
Header image: MOs810 [CC BY-SA 4.0].
Oh, boy. You know what’s happening next weekend? The Midwest RepRap Festival. The greatest 3D printing festival on the planet is going down next Friday afternoon until Sunday afternoon in beautiful Goshen, Indiana. Why should you go? Check this one out. To recap from last year, E3D released a new extruder, open source filaments will be a thing, true color filament printing in CMYKW is awesome, and we got the world’s first look at the infinite build volume printer. This year, The Part Daddy, a 20-foot-tall delta bot will be there once again. It’s awesome and you should come.
We launched the 2018 Hackaday Prize this week. Why should you care? Because we’re giving away $200,000 in prizes. There are five challenges: the Open Hardware Design Challenge, Robotics Module, Power Harvesting, Human-Computer Interface, and Musical Instrument Challenge. That last one is something I’m especially interested in for one very specific reason. This is a guitorgan.
Building a computer soon? Buy your SSD now. Someone fell asleep on the e-stop at a Samsung fab, and now 3.5% of global NAND production for March has been lost.
Need to put an Arduino in the cloud? Here’s a shield for that. It’s a shield for SIMCom’s SIM7000-series module, providing LTE for a microcontroller. Why would you ever need this? Because 2G is dead, for various values of ‘dead’. 3G is eventually going to go the same way.
A bridge collapsed in Florida this week. A pedestrian walkway at Florida International University collapsed this week, killing several. The engineering efforts are still underway to determine the cause of the accident, but some guy from Canukistan posted a pair of informative videos discussing I-beams and pre-tensioned concrete. It’s going to be months until the fault (and responsibility) will be determined, but until then we have the best footage yet of this collapse. It’s dash cam footage from a truck that rolled up to the red light just before the collapse. This is one that’s going to go down in engineering history along with the Hyatt Regency collapse.
Need to test your app? Here’s a delta robot designed for phones. You would be shocked at how popular this robot is.
If you’ve been thinking of adding cellular connectivity to a build, here’s a way to try out a new service for free. Hologram.io has just announced a Developer Plan that will give you 1 megabyte of cellular data per month. The company also offers hardware to use with the SIM, but they bill themselves as hardware agnostic. Hologram is about providing a SIM card and the API necessary to use it with the hardware of your choice: any 2G, 3G, 4G, or LTE devices will work with the service.
At 1 MB/month it’s obvious that this is aimed at the burgeoning ranks of Internet of Things developers. If you’re sipping data from a sensor and phoning it home, this will connect you in 200 countries over about 600 networks. We tried to nail them down on exactly which networks but they didn’t take the bait. Apparently any major network in the US should be available through the plan. And they’ve assured us that since this program is aimed at developers, they’re more than happy to field your questions as to which areas you will have service for your specific application.
The catch? The first taste is always free. For additional SIM cards, you’ll have to pay their normal rates. But it’s hard to argue with one free megabyte of cell data every month.
Hologram originally started with a successful Kickstarter campaign under the name Konekt Dash but has since been rebranded while sticking to their cellular-connectivity mission. We always like getting free stuff — like the developer program announced today — but it’s also interesting to see that Hologram is keeping up with the times and has LTE networks available in their service, for which you’ll need an LTE radio of course.
Anyone who had a cheap set of computer speakers in the early 2000s has heard it – the rhythmic dit-da-dit-dit of a GSM phone pinging a cell tower once an hour or so. [153armstrong] has a write up on how to capture this on your computer.
It’s incredibly simple to do – simply plug in a set of headphone to the sound card’s microphone jack, leave a mobile phone nearby, hit record, and wait. The headphone wire acts as an antenna, and when the phone transmits, it induces a current in the wire, which is picked up by the soundcard.
[153armstrong] notes that their setup only seems to pick up signals from 2G phones, likely using GSM. It doesn’t seem to pick up anything from 3G or 4G phones. We’d wager this is due to the difference in the way different cellular technologies transmit – let us know what you think in the comments.
This system is useful as a way to detect a transmitting phone at close range, however due to the limited bandwidth of a computer soundcard, it is in no way capable of actually decoding the transmissions. As far as other experiments go, why not use your soundcard to detect lightning?
[LaForge] and [Holger] have been hacking around on cell phones for quite a while now, and this led to them working on the open cellphone at OpenMoko and developing the OsmocomBB GSM SDR software. Now, they are turning their sights on 3G and 4G modems, mostly because they would like to use them inside their own devices, but would also like to make them accessible to the broader hacker community. In this talk at the 33rd Chaos Communications Congress (33C3), they discuss their progress in making this darkest part of the modern smartphone useful for the rest of us.
This talk isn’t about the plug-and-play usage of a modern cell-phone modem, though, it’s about reprogramming it. They pick a Qualcomm chipset because it has a useful DIAG protocol, and in particular choose the Quectel EC20 modem that’s used in the iPhone5, because it makes the DIAG stream easily available.
Our story begins with a firmware upgrade from the manufacturer. They unzipped the files, and were pleasantly surprised to find that it’s actually running Linux, undocumented and without the source code being available. Now, [LaForge] just happens to be the founder of gpl-violations.org and knows a thing or two about getting code from vendors who use Linux without following the terms and conditions. The legal story is long and convoluted, and still ongoing, but they got a lot of code from Quectel, and it looks like they’re trying to make good.
Qualcomm, on the other hand, makes the Linux kernel source code available, if not documented. (This is the source on which Quectel’s code is based.) [LaForge] took over the task of documenting it, and then developing some tools for it — there is more going on than we can cover. All of the results of their work are available on the wiki site, if you’re getting ready to dig in.
Continue reading “33C3: Dissecting 3G/4G Phone Modems”