- TinyBrain

IPX brokers are somehow in the shadow. There are many but I cannot find any platform to get an overview who is related to who?
Can anybody bring light into IPX broker domain?

Toda

Have you google searched "IPX direct-connection"?

Also have you considered SMS with payload - point to multipoint (broadcast)?

What about e.g. scp01 scp02 scp03/scp03t scp11 scp80 scp81?
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 

I did and just found that signaling is over SS7 or Diameter. I walk in dark.

- how are these IPX brokers certified (e.g. GSMA SAS)?
- is there a cmd to looking glass or trace the way between the IPXs?
- they run services platforms or suites proprietary, dark from outside, how to understand?

SMS payload, yes I have a beginner level since last week

Please allow to pose my question again. Is there any process except from a UICC vendor, to push a process
of all UICCs to reach for any may normal reason?

We got informed that the rollback process of RSP in case of UICC firmware upgrade was possible in 3G times???
Normally a new mircocode is sent and overwrites the previous version (Build) in software.

My emotional sense says hidding was extremely good in this case. So hidding behind a legitimate process is the next key to find.

A new year, a new term: Shadow Hidding Infection SHI

Anybody who wants to join see the IR34 doc link pointing towards gsma.com
www.gsma.com/newsroom/...14.0-3.pdf  

- TinyBrain

I did and just found that signaling is over SS7 or Diameter. I walk in dark.

Maybe it's better you first define what you really what and then get help from the expert of telecom security.

- TinyBrain

- they run services platforms or suites proprietary, dark from outside, how to understand?

it is like an untrusted network and should be secure by relating security devices

- TinyBrain

SMS payload, yes I have a beginner level since last week

Ok, i can help you to find more

- TinyBrain

Please allow to pose my question again. Is there any process except from a UICC vendor, to push a process
of all UICCs to reach for any may normal reason?

I couldn't get what you mean with "for any may normal reason", but for both binary OTA and OTA over HTTPS, initiator should send binary massage to open Chanel for next step.

- TinyBrain

We got informed that the rollback process of RSP in case of UICC firmware upgrade was possible in 3G times???
Normally a new mircocode is sent and overwrites the previous version (Build) in software.

I think your problem is comparing Sim, USim and eSim. RSP is not possible for Sim and Usim. MNO's also aren't support eSim in Iran. to provision eSim remotely, you need to have certificate and sign queries with the certificate that issued by vendors.
if you explain more what do you exactly have in mind and find as a UICC infection, i can help you more and define exact scenario.

- TinyBrain

Anybody who wants to join see the IR34 doc link pointing towards gsma.com
www.gsma.com/newsroom/...14.0-3.pdf

there is no relation between this document and UICC except sending binary message inside this network.  

What we really want is to reverse understand the InfectionPath. It was not an SMS payload as a multicast service 1:n. It was an UICC firmware update process over the OTA servers of MCI. Normally firmware updates (Java Card Applications) are initiated by the manufacuturer in this case G&D. But they did not initiate the update process. It came from outside MCI 3G Core over Diameter from an IPX broker unknown. This is the reason we call it hidden, unaware. No malfunction on the UICCs of millions of MCIs subscribers. The infection installed a 'pipe'. What I mean by this? The adversary behind wanted to have a all the time possibility to get 'data' out of the UICCs revealing one or multiple subscribers 'data'. By 'pipe' we describe this like 'a long arm internationally'. The 'pipe' is still open on the roaming MCI 3G UICC we have in-lab.  

Last edited by TinyBrain on Sat Jan 12, 2019 10:21 am; edited 1 time in total

It's none of my business, but I think you are on the wrong way (this is my personal opinion).

Instead figuring an unknown IPX broker, figure first who had legit send permissions and you will narrow the possibilities. Look for LTE bugs as well.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 

Appreciate your feedback!  

Is there an online map available of MCI cell towers in district 2 and 10 of Tehran? See here an old districts map source

en.tehran.ir/default.aspx?tabid=88

StreetView is not availabe on Tehran. Any source of 3D city model?