Iranian UICCs hacked  

Page 3 / 3
Dalton-C
(@dalton-c)
New Member

> Reverse engineering of the InfectionsResult to find out how it really was done is fine if you can. Our approach for future problems is: over which paths is this in general possible by tech; then we check with the vendors how they implemented the tech and standards to see if they may have failed by unknown, which is understandable. To only understand the given case is no preparation for the future. Our approach is starting BIG to catch theoretically AllInfectionPossibilities.
>
> Yes, I will do my homework about Broadcast in 3G.

The important function of a SIM card is providing crypto-processing and safeguarding keys. The only way of contacting the SIM card is OTA, which is possible only with having the OTA keys. As far as I know, the Mobile Communication Company of Iran (MCI) personalizes their SIM cards internally under a very complex and secure process.
May I know how you proved that the UICCs were infected? Which kind of data was stolen and from where? Some of the important data inside a UICC are Ki, OTA-KEY, last location and last call.

Posted : 31/12/2018 9:21 pm
TinyBrain
(@tinybrain)
Active Member

The cryptographic dimension of this issue is my job. All this in general always includes an AAA process to ensure the process of Remote SIM Provisioning (RSP) is completely secure. You are fully right, MCI for sure has implemented all to make this happen. Every MNO will do so; it's too dangerous if not. Let's assume they did a normal good job, not less careful than others. Iranians are top in cyber and they understand a lot of technology and engineering. I have great respect for the net engineers at MCI working on Core Network Security.

And exactly this is so scary for my board. We got the order to find out the InfectionEntryPoint within Iran. Our actual research shows that the case is bigger in complexity than we thought. The InfectionEntryPoint must, we have no proof, be in a trusted partner of MCI outside Iran. Therefore the unit delivering OTA RSP to the UICCs is no more in focus.

What I can say with proof: it did not come from the UICC vendor. This was investigated last week.

Ok, homework Broadcast. There is a protocol MBMS (Multicast Broadcast Multicast Service), but not for RSP. There is no such protocol to 'update' all UICCs of an MNO. But there must be a process 'doing MBMS' kind of. I only can imagine that it's related to roaming partner status updates the UICC should know. There are Roaming Brokers. These guys may have unintentionally opened the door.

I really know nothing.

Posted : 31/12/2018 9:59 pm
trewmte
(@trewmte)
Community Legend

> Ok, homework Broadcast. There is a protocol MBMS (Multicast Broadcast Multicast Service), but not for RSP. There is no such protocol to 'update' all UICCs of an MNO. But there must be a process 'doing MBMS' kind of. I only can imagine that it's related to roaming partner status updates the UICC should know. There are Roaming Brokers. These guys may have unintentionally opened the door.

What about Evolved Multimedia Broadcast/Multicast Service (eMBMS)?

For example, Evolved Multimedia Broadcast/Multicast Service (eMBMS) technology enables mobile operators to broadcast or multicast services over LTE networks spanning multiple cells. This technology could be used to deliver live coverage of sports events and concerts, software and app updates, and popular on-demand content, such as hit drama series and blockbuster movies…

https://www.gsma.com/futurenetworks/digest/bringing-broadcast-mobile/

What if the infected UICC "method" you mentioned was discovered by accident and then experimented with? You mentioned RSP = RSP eUICC.

Q1. Can a UICC be updated OTA?
A1. An embedded UICC (eUICC) by standard can be provisioned for OTA update. What if the experimental test was against a standard UICC and it was found to be possible to alter it using RSP eUICC?

"…An embedded UICC is not easily accessible or replaceable, is not intended to be removed or replaced in a terminal"

By the way, those parts of the eUICC concept, which refer to the module’s infrastructure are applicable to replaceable UICCs as well and could be used for traditional form factors like mini-SIM or micro-SIM.

"An embedded UICC enables the secure changing of subscriptions"

During production, the classical UICC has been personalized for one specific MNO and to one specific subscriber without a chance to change this personalization during the card's lifetime.

https://www.comprion.com/index.php?id=105&tx_news_pi1%5Bnews%5D=31&cHash=7e498a87e8fcf9237424486557d63ac7

Food for thought…

Posted : 01/01/2019 2:31 pm
TinyBrain
(@tinybrain)
Active Member

Great aspects. Within MCI only 3G was involved, also Core.

Posted : 02/01/2019 9:42 am
TinyBrain
(@tinybrain)
Active Member

IPX brokers are somehow in the shadow. There are many, but I cannot find any platform to get an overview of who is related to whom.
Can anybody bring light into the IPX broker domain?

Toda

Posted : 03/01/2019 7:22 pm
trewmte
(@trewmte)
Community Legend

> IPX brokers are somehow in the shadow. There are many, but I cannot find any platform to get an overview of who is related to whom.
> Can anybody bring light into the IPX broker domain?
>
> Toda

Have you Google searched "IPX direct-connection"?

Also, have you considered SMS with payload - point to multipoint (broadcast)?

What about e.g. SCP01, SCP02, SCP03/SCP03t, SCP11, SCP80, SCP81?

Posted : 03/01/2019 7:30 pm
TinyBrain
(@tinybrain)
Active Member

I did, and just found that signaling is over SS7 or Diameter. I walk in the dark.

- how are these IPX brokers certified (e.g. GSMA SAS)?
- is there a command to looking-glass or trace the way between the IPXs?
- they run proprietary service platforms or suites, dark from outside; how to understand?

SMS payload: yes, I have a beginner level since last week.

Please allow me to pose my question again. Is there any process, except from a UICC vendor, to push a process
to all UICCs for any maybe normal reason?

We got informed that the rollback process of RSP in case of UICC firmware upgrade was possible in 3G times???
Normally a new microcode is sent and overwrites the previous version (Build) in software.

My emotional sense says hiding was extremely good in this case. So hiding behind a legitimate process is the next key to find.

A new year, a new term: Shadow Hiding Infection (SHI).

Anybody who wants to join, see the IR.34 doc link pointing towards gsma.com:
https://www.gsma.com/newsroom/wp-content/uploads//IR.34-v14.0-3.pdf

Posted : 03/01/2019 7:47 pm
Dalton-C
(@dalton-c)
New Member

> I did, and just found that signaling is over SS7 or Diameter. I walk in the dark.

Maybe it's better you first define what you really want and then get help from the experts of telecom security.

> - they run proprietary service platforms or suites, dark from outside; how to understand?

It is like an untrusted network and should be secured by the related security devices.

> SMS payload: yes, I have a beginner level since last week.

Ok, I can help you to find more.

> Please allow me to pose my question again. Is there any process, except from a UICC vendor, to push a process
> to all UICCs for any maybe normal reason?

I couldn't get what you mean with "for any may normal reason", but for both binary OTA and OTA over HTTPS, the initiator should send a binary message to open a channel for the next step.

> We got informed that the rollback process of RSP in case of UICC firmware upgrade was possible in 3G times???
> Normally a new microcode is sent and overwrites the previous version (Build) in software.

I think your problem is comparing SIM, USIM and eSIM. RSP is not possible for SIM and USIM. MNOs also don't support eSIM in Iran. To provision an eSIM remotely, you need to have a certificate and sign queries with the certificate issued by vendors.
If you explain more what you exactly have in mind and found as a UICC infection, I can help you more and define an exact scenario.

> Anybody who wants to join, see the IR.34 doc link pointing towards gsma.com:
> https://www.gsma.com/newsroom/wp-content/uploads//IR.34-v14.0-3.pdf

There is no relation between this document and UICCs except sending binary messages inside this network.

Posted : 05/01/2019 12:34 pm
TinyBrain
(@tinybrain)
Active Member

What we really want is to reverse understand the InfectionPath. It was not an SMS payload as a multicast service 1:n. It was a UICC firmware update process over the OTA servers of MCI. Normally firmware updates (Java Card applications) are initiated by the manufacturer, in this case G&D. But they did not initiate the update process. It came from outside the MCI 3G Core over Diameter from an unknown IPX broker. This is the reason we call it hidden, unaware. No malfunction on the UICCs of millions of MCI's subscribers. The infection installed a 'pipe'. What do I mean by this? The adversary behind wanted to have an all-the-time possibility to get 'data' out of the UICCs revealing one or multiple subscribers' 'data'. By 'pipe' we describe this like 'a long arm internationally'. The 'pipe' is still open on the roaming MCI 3G UICC we have in-lab.

Posted : 11/01/2019 2:29 pm
passcodeunlock
(@passcodeunlock)
Senior Member

It's none of my business, but I think you are on the wrong way (this is my personal opinion).

Instead of figuring out an unknown IPX broker, figure out first who had legitimate send permissions and you will narrow the possibilities. Look for LTE bugs as well.

Posted : 11/01/2019 3:09 pm
TinyBrain
(@tinybrain)
Active Member

Appreciate your feedback!

Posted : 11/01/2019 3:55 pm
TinyBrain
(@tinybrain)
Active Member

Is there an online map available of MCI cell towers in districts 2 and 10 of Tehran? See here an old districts map source:

http://en.tehran.ir/default.aspx?tabid=88

StreetView is not available in Tehran. Any source of a 3D city model?

Posted : 03/02/2019 3:06 am
TinyBrain
(@tinybrain)
Active Member

Iran - Coverage and Network Information of MCI

http://maps.mobileworldlive.com/network_info.php?nid=98&org_id=203&cid=198

Is this map only currently down, or in general not available?

Posted : 12/02/2019 9:03 am
TinyBrain
(@tinybrain)
Active Member

I have to find out if Huawei builds the LTE MBB in Iran. Any idea how to find out about MNO news in Iran?

Posted : 13/02/2019 6:17 am