Iranian UICCs hacked


trewmte
Senior Member
 

Re: Iranian UICCs hacked

Post Posted: Dec 31, 18 07:44

TinyBrain in your last post you said

- TinyBrain
Right, we here want to understand how this happened. Let's name it InfectionPath, then InfectionEvent and InfectionResult. The InfectionResult we have. My colleague of networking told me that whenever you want to reach all hosts, it's called Broadcast. So InfectionBroadcast. MNOs can update the UICCs, this was EndInfectionPath. Which unit in 3G MNOs rolls out this?


So when I posted my points to you below, you, in fact, could have responded given your comments above. Instead you came out with a single comment "bound", which as you NOW know was a nonsense comment by you given your comments in your last post.

- trewmte
- TinyBrain
The MSI's subscribers were hacked through the 3G mobile network and their UICCs infected. I have one piece in-lab and proof of infection.


1. Was the hack created by attachment to an SMS?
2. Was it through use of USSDs?
3. Do you have an identity (name) of the infection you have found?
4. Did the handset used by UICC import the infection from infected files?


If you take time to re-visit the questions above and those that have been excellently put to you by Dalton-C you will come to realise combined they sought to help you. If you haven't, you could do some research by reading IR21. Also, perhaps define what you think 'Broadcast' means.
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
  

TinyBrain
Senior Member
 

Re: Iranian UICCs hacked

Post Posted: Dec 31, 18 10:20

Reverse engineering of the InfectionsResult to find out how it really was done is fine if you can. Our approach for future problems is over which paths is this in general possible by tech, then we check with the vendors how they implemented the tech and standards to see if they may have failed by unknown, which is understandable. To only understand the case given is not preparation for the future. Our approach is starting BIG to catch theoretically AllInfectionPossibilities.

Yes, I will do my homework about Broadcast in 3G.  
 
  

Dalton-C
Newbie
 

Re: Iranian UICCs hacked

Post Posted: Dec 31, 18 22:21

- TinyBrain
Reverse engineering of the InfectionsResult to find out how it really was done is fine if you can. Our approach for future problems is over which paths is this in general possible by tech, then we check with the vendors how they implemented the tech and standards to see if they may have failed by unknown, which is understandable. To only understand the case given is not preparation for the future. Our approach is starting BIG to catch theoretically AllInfectionPossibilities.

Yes, I will do my homework about Broadcast in 3G.


The important function of a SIM card is providing cryptoprocessing and safeguarding keys. The only way of contacting the SIM card is OTA, which is possible only with the OTA keys. As far as I know, Mobile Communication Company of Iran (MCI) personalizes its SIM cards internally under a very complex and secure process.
May I know how you proved that the UICCs were infected? Which kind of data has been stolen and from where? Some of the important data inside a UICC are Ki, OTA-KEY, last location and last call.
 
  

TinyBrain
Senior Member
 

Re: Iranian UICCs hacked

Post Posted: Dec 31, 18 22:59

The cryptographic dimension of this issue is my job. All this in general always includes an AAA process to ensure the process of Remote SIM Provisioning RSP and is completely secure. You are fully right, MCI for sure has implemented all to make this happen. Every MNO will do so, it's too dangerous if not. Let's assume they did a normal good job, not less careful than others. Iranians are top in Cyber and they understand a lot of technology and engineering. I have great respect for the net engineers at MCI working on Core Network Security.

And exactly this is so scary for my board. We got the order to find out the InfectionEntryPoint within Iran. Our actual research shows that the case is bigger in complexity than we thought. The InfectionEntryPoint must, we have no proof, be in a trusted partner of MCI outside Iran. Therefore the unit delivering OTA RSP to the UICCs is no more in focus.

What I can say with proof: it did not come from the UICC vendor. This was investigated last week.

Ok, homework Broadcast. There is a protocol of MBMS Multicast Broadcast Multicast Service but not for RSP. There is no such protocol to 'update' all UICCs of an MNO. But there must be a process 'doing MBMS' kind of. I can only imagine that it's related to roaming partner status updates the UICC should know. There are Roaming Brokers. These guys may have unintentionally opened the door.

I really know nothing.  
 
  

trewmte
Senior Member
 

Re: Iranian UICCs hacked

Post Posted: Jan 01, 19 15:31

- TinyBrain
Ok, homework Broadcast. There is a protocol of MBMS Multicast Broadcast Multicast Service but not for RSP. There is no such protocol to 'update' all UICCs of an MNO. But there must be a process 'doing MBMS' kind of. I can only imagine that it's related to roaming partner status updates the UICC should know. There are Roaming Brokers. These guys may have unintentionally opened the door.


What about Evolved Multimedia Broadcast/Multicast Service (eMBMS)?

- GSMA - Bringing Broadcast to Mobile 2016
For example, Evolved Multimedia Broadcast/Multicast Service (eMBMS) technology enables mobile operators to broadcast or multicast services over LTE networks spanning multiple cells. This technology could be used to deliver live coverage of sports events and concerts, software and app updates, and popular on-demand content, such as hit drama series and blockbuster movies......

www.gsma.com/futurenet...st-mobile/




What if the infected UICC "method" you mentioned was discovered by accident and then experimented with? You mentioned RSP = RSP eUICC.

Q1. Can a UICC be updated OTA?
A1. An embedded UICC (eUICC) by standard can be provisioned for OTA update. What if the experiment test was against a standard UICC and it was found to be enabled to be altered using RSP eUICC?

- COMPRION 2015
"...An embedded UICC is not easily accessible or replaceable, is not intended to be removed or replaced in a terminal"

By the way, those parts of the eUICC concept, which refer to the module’s infrastructure are applicable to replaceable UICCs as well and could be used for traditional form factors like mini-SIM or micro-SIM.

"An embedded UICC enables the secure changing of subscriptions"

During production, the classical UICC has been personalized for one specific MNO and to one specific subscriber without a chance to change this personalization during the card’s lifetime

www.comprion.com/index...6557d63ac7


Food for thought...
 
  

TinyBrain
Senior Member
 

Re: Iranian UICCs hacked

Post Posted: Jan 02, 19 10:42

Great aspects. Within MCI only 3G was involved, also Core  
 
  

TinyBrain
Senior Member
 

Re: Iranian UICCs hacked

Post Posted: Jan 03, 19 20:22

IPX brokers are somehow in the shadow. There are many but I cannot find any platform to get an overview who is related to who?
Can anybody bring light into the IPX broker domain?

Toda  
 
