Iranian UICCs hacked
Re: Iranian UICCs hacked
Posted: Thu Jan 03, 2019 1:30 pm
- TinyBrain
IPX brokers are somehow in the shadow. There are many but I cannot find any platform to get an overview who is related to who?
Can anybody bring light into IPX broker domain?
Toda
Have you Google searched "IPX direct-connection"?
Also have you considered SMS with payload - point to multipoint (broadcast)?
What about e.g. scp01 scp02 scp03/scp03t scp11 scp80 scp81?
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com
-
trewmte - Senior Member
Re: Iranian UICCs hacked
Posted: Thu Jan 03, 2019 1:47 pm
I did and just found that signaling is over SS7 or Diameter. I walk in dark.
- how are these IPX brokers certified (e.g. GSMA SAS)?
- is there a cmd to looking glass or trace the way between the IPXs?
- they run services platforms or suites proprietary, dark from outside, how to understand?
SMS payload, yes I have a beginner level since last week
Please allow to pose my question again. Is there any process except from a UICC vendor, to push a process
of all UICCs to reach for any may normal reason?
We got informed that the rollback process of RSP in case of UICC firmware upgrade was possible in 3G times???
Normally a new microcode is sent and overwrites the previous version (Build) in software.
My emotional sense says hiding was extremely good in this case. So hiding behind a legitimate process is the next key to find.
A new year, a new term: Shadow Hiding Infection SHI
Anybody who wants to join see the IR34 doc link pointing towards gsma.com
www.gsma.com/newsroom/...14.0-3.pdf
-
TinyBrain - Senior Member
Re: Iranian UICCs hacked
Posted: Sat Jan 05, 2019 6:34 am
- TinyBrain
I did and just found that signaling is over SS7 or Diameter. I walk in dark.
Maybe it's better you first define what you really want and then get help from the expert of telecom security.
- TinyBrain
- they run services platforms or suites proprietary, dark from outside, how to understand?
It is like an untrusted network and should be secured by relating security devices.
- TinyBrain
SMS payload, yes I have a beginner level since last week
OK, I can help you to find more.
- TinyBrain
Please allow to pose my question again. Is there any process except from a UICC vendor, to push a process
of all UICCs to reach for any may normal reason?
I couldn't get what you mean with "for any may normal reason", but for both binary OTA and OTA over HTTPS, the initiator should send a binary message to open a channel for the next step.
- TinyBrain
We got informed that the rollback process of RSP in case of UICC firmware upgrade was possible in 3G times???
Normally a new microcode is sent and overwrites the previous version (Build) in software.
I think your problem is comparing SIM, USIM and eSIM. RSP is not possible for SIM and USIM. MNOs also don't support eSIM in Iran. To provision eSIM remotely, you need to have a certificate and sign queries with the certificate that is issued by vendors.
If you explain more what exactly you have in mind and find as a UICC infection, I can help you more and define the exact scenario.
- TinyBrain
Anybody who wants to join see the IR34 doc link pointing towards gsma.com
www.gsma.com/newsroom/...14.0-3.pdf
There is no relation between this document and UICC except sending binary message inside this network.
-
Dalton-C - Newbie
Re: Iranian UICCs hacked
Posted: Fri Jan 11, 2019 8:29 am
What we really want is to reverse understand the InfectionPath. It was not an SMS payload as a multicast service 1:n. It was a UICC firmware update process over the OTA servers of MCI. Normally firmware updates (Java Card Applications) are initiated by the manufacturer, in this case G&D. But they did not initiate the update process. It came from outside MCI 3G Core over Diameter from an IPX broker unknown. This is the reason we call it hidden, unaware. No malfunction on the UICCs of millions of MCI's subscribers. The infection installed a 'pipe'. What do I mean by this? The adversary behind wanted to have an all-the-time possibility to get 'data' out of the UICCs revealing one or multiple subscribers' 'data'. By 'pipe' we describe this like 'a long arm internationally'. The 'pipe' is still open on the roaming MCI 3G UICC we have in-lab.
Last edited by TinyBrain on Sat Jan 12, 2019 10:21 am; edited 1 time in total
-
TinyBrain - Senior Member
Re: Iranian UICCs hacked
Posted: Fri Jan 11, 2019 9:09 am
It's none of my business, but I think you are on the wrong way (this is my personal opinion).
Instead of figuring an unknown IPX broker, figure first who had legit send permissions and you will narrow the possibilities. Look for LTE bugs as well.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny!
-
passcodeunlock - Senior Member
-
TinyBrain - Senior Member
Re: Iranian UICCs hacked
Posted: Sat Feb 02, 2019 9:06 pm
Is there an online map available of MCI cell towers in district 2 and 10 of Tehran? See here an old districts map source
en.tehran.ir/default.aspx?tabid=88
StreetView is not available on Tehran. Any source of 3D city model?
-
TinyBrain - Senior Member