How do SIM Cards work? - SIMtrace
HTML-код
- Опубликовано: 13 сен 2024
- In this video we use SIMtrace to intercept the communication between the phone and SIM card to understand how that works. This is part 1 in a series introducing mobile security.
buy my font (advertisement): shop.liveoverf...
Vadim Yanitskiy: / axilirator
Osmocom: osmocom.org/
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
buy my font (advertisement): shop.liveoverf...
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Website: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
#MobileSecurity
Small corrections:
The SIM card does not typically store a private key. It has a secret key that is shared with your mobile operator. And that secret is used to derive session keys that will then be used in the actual encrypted communication.
LiveOverflow also in the early 2000 some SIM cards used some form of weak crypto which allowed to actually extract the key from the card with cryptanalysis. This allowed for multi-sim cards that allowed you to store multiple keys (multiple virtual SIM’s) of one card and then switch between them on the fly. It was some good stuff, but then they upgraded the crypto and the whole thing disappeared.
Nice video
fun fact: the sim can receive new applications over the air. there are certain security vulnerabilities in that area that have not been fixed physically. you need to MITM the GSM network though to make some fun things.
+Jan-Stefan Janetzky could you point to an paper or article or something detailing this? isn't doing an MITM on the GSM network trivial or is that only for mobile internet access?
So whats difference in Esim?
fun fact: The original SIM-card is actually the same size as the credit card. What most people call a "normal SIM" card is officially called MINI-SIM.
some carriers/sub-carries like VOXI issue SIM cards in the standard credit card size, with cutouts and small plastic tabs to every size under that, so you could "snap" out the size you need. (www.cordbusters.co.uk/wp-content/uploads/2020/09/voxi-sim-card.jpg)
Generally most phones use Nano-SIM today.
wow, now I finally know why the 'normal' was called 'mini' lol, never given it too much thought but now it makes sense.
micro and Nano now both exist as well..
atomic sim when
Check out the Defcon presentation: "The Secret Life of SIM Cards", and the Black Hat presentations:
"Cloning 3G/4G SIM Cards With A PC And An Oscilloscope: Lessons Learned In Physical Security" &
"Rooting SIM Cards".
Whoa, Thats cool as fuck.
Thanks.....
I can recommend that "secret life of sim cards", just watched it recently.
I immediately thought about one of these videos I had seen a few months ago but couldn't remember where it came from... Thank you so much !
Videos in order
ruclips.net/video/31D94QOo2gY/видео.html
ruclips.net/video/qKCQ1KL9GEc/видео.html
ruclips.net/video/scArc93XXWw/видео.html
You forgot about an additional computer within the cell phones. You have the main CPU which runs the OS and User IO, You have the sim card, and you've also got the baseband processor which is what is directly communicating with the sim. The main CPU of the phone is not what's actually communicating with the sim card. The phone CPU uses the baseband as it's gateway to the wireless network after the baseband has already verified credentials and established a connection to the network.
on iPhones you also have the cryptex and SEP, along with the main SoC and BB.
You usually have storage on your phone. All bulk storages have a separate cpu responsible for actually controlling the storage system.
Baseband almost always is a dedicated core, but I think many SoCs include it on-die.
Bluetooth/WiFi usually also have their own "CPUs". They are usually called Radio schedulers. Their timings are very important so they need to run bare-metal without an OS scheduler.
Many of today's smart sensor chips also include tiny 8-bit or even 32 bit ARM (e.g. Cortex M0) processor cores, also the main CPU usually has an on-die secure enclave core.
They all communicate with the main CPU via SPI,I2C, UART or even DMA access.
Thats why I started learning Java in the first place..
Forget Java. Spill some *vodka* into cup in _Java logo_ ...
Wow! I didn’t know you were taking up Java Boris. Good luck on that!!
ayy big boris?
Is that neighbor Vadim?
oopa boris {in slavic accent}
Smart cards have a clock speed of 13.5MHz and up to 80kB EEPROM. For comparison, the Commodore 64 had a 1MHz CPU and 20kB ROM. It would be so cool to make an 8 bit PC with one of these cards if possible.
I suppose you could, but these smartcards have no GPU in them...
@@CoolKoonmaybe a terminal based pc?!
@@CoolKoonevery CPU can work as GPU and GPU can be connected externally.
@@309electronics5 Heh, good luck trying to change the firmware in it (there's a 99.99% chance that you can't).
@@norbert.kiszka "every CPU can work as GPU" - That's simply not true. CPUs in general are not able to generate a signal necessary for driving a display, obviously the C64 mentioned above has used a dedicated chip for that too. All it can do is to generate the picture stream that would be sent to said graphic chip.
And the second part of your comment ("GPU can be connected externally") is even bigger nonsense, unless you have a VERY fast interconnect (in embedded electronics you usually don't) you CANNOT. That's why oftentimes they just slap a GPU next to a GPU and call it a SoC.
Most phones have 4 or 5 or more computers. There is the SOC that runs android. The Bluetooth adapter. The wireless modem. The WiFi radio. The secure element and the baseband. And even the biometric sensor (thumbprint / faceid) All with independent processors. There are probably others too. Broadcom WiFi adapters generally have a decently powerful Linux system on them with megabytes of free ram and storage. PCs can have dozens!
There's microcontrollers dedicated to haptic feedback and motion data as well and don't forget the USB c multiplexer
And even many of those systems consist of multiple "independent" processing units. For example, a cellular modem may have up to 5 processors for various tasks (software radio, programmable filters etc.).
So that's why Java is used on 3 billion devices :P
Edit: Please stop. It was a cheap joke, don't overthink it.
yup
The real number would be >15 billion devices once you sum up all mobile phone for example… Unless you meant “daily use”, when even then it is probably more, since NA and Europe alone have 1 billion users.
“The first cell phone was produced by Motorola. Since then there have been produced around 17.37 billion mobile phones.” Most of these would’ve supported java in some shape or form.. Probably only the first few 100 million at the 80s early 90s didn’t do java..
I wonder if not all SIM cards run Java. The phone doesn't have to know whether it runs Java or not since it only communicates data back and forth, it never needs to upload Java bytecode to the SIM card.
Siana Gearz I think the operator decides whether they want to implement a java-application or not. Still, nearly all phones produced have had some sort of support for Java on them..
... to be accessible to some power-users.
I want to run the original DOOM on the simcard.
You mean store the original game data on one? non-possible. Sims only have around 8 bytes on the card
GameMaker 3_5 don't crush my dreams
Wrong. SIM cards can have up to 256KB of memory space.
that means we can actually produce smart cards as a VERY secure way of saving data? very nice
@@AtmelKiller thank 4 correction but I don't think the original doom (or even chex quest) could be stored on a SIM even without storing saves on the card
Your videos are incredible. You maintain an insanely high level of quality through each and every video. When this video ended, I said "already ?" out loud, couldn't believe I didn't see the 11 minutes pass. Simply amazing !
Wow, I did this back in the late 90's using a serial port and a simple circuit. Watching a SIM update is very interesting. Also used for the TV viewing cards, which is how I got interested in it in the first place.
I came across your channel randomly like a few months ago and stayed since. You videos are awesome, in quality and content. Keep it up and can’t wait for the new videos to pop up....Reached “Game of Thrones” status for me
02:37 _YES! Now I believe people are gonna make videos about overclocking your SIM cards and playing high end games on 'em!_
What a great explanation. Thanks a lot for presenting it so succinctly.
You are awesome! Don’t stop!
As an Information Security college student i have to say you are my fucking savior, THANK YOU FOR TAKING THE TIME AND MAKING THESE AWESOME VIDEOS.
I hope you reach all your goals in life.
well... I've been wanting to get into cybersecurity for at least 2 years now. stumbling across your channel via a recommendation of this video showed me CTF, which finally gave me a tangible goal. I will now start my cybersecurity journey. thanks for the directions :p
Awesome, just 2 questions:
1) If SIM cards are computers, can you make it to do any other thing you want?
2) Can you make your own Java Card apps for any SIM card? What would we need?
1) Depends on the access level you have, see VVV
2) Yes, you can write and compile them, but for commercial SIM-cards you need to know the secret keys to install your own apps :/ Please see "Hello World": git.osmocom.org/sim/hello-stk/tree/src/org/toorcamp/HelloSTK/HelloSTK.java
It actually not a computer, it still need it's host computer to execute the commands
In india, people have used this sim gui-api to make games. People there have actually produces games on the sim card using an api meant for debugging. The distribute games that are stored on sim-cards
Also the SIM must have a JavaCard Virtual Machine(JCVM) and JavaCard runtime environment(JCRE) loaded.
SIM cards use the Global Platform standard for managing the apps.
This was explained really well! I've always been interested in this, and glad I found the video. A lot of times, the video's are explained at such level where it makes no sense but this makes total sense to me.
Can’t wait for this series. Most people don’t know that 2G still works across the US.
Man on english talking about german sim card on russian nokia phone maded in finland O_o
And where are you watching this?
Dimon Sq That came to my mind as well.
Disigned in Finland but made in India, you can see the label at 4:10
+Amazon Echo
Well, this phone's language is set to Russian.
+Amazon Echo
True. I'm not sure why you are saying that Nokia isn't russian. I think it's obvious that by "russian nokia phone" they meant "nokia phone with its language set on russian".
A small clarification: The phones main CPU doesn't talk to the Sim, but the baseband does it. Also you can trace the apdu commands using a uart. You don't need any special hardware.
Do you have more information about tracing the APDU commands using a UART?
As far as I know was the SIMTrace build by Osmocom specifically because you can't passively sniff ISO7816 communication (at least not reliably and according to the specs) unless your UART can work in ISO7816-mode.
But would be nice if we could passively sniff ISO7816 without special hardware. So please share more information about how to "trace the apdu commands using a uart". Thanks!
Well, nowadays they are on the same SoC so not entirely wrong
Yeah the radio baseband CPU is what talks to the SIM and the cell network. I remeber back in the days of Windows CE phones you sometimes had to make sure you had the correct firmware in the baseband CPU when upgrading OS or it might not be able to connect to the cell network, even seen error messages saying that the radio is not responding when things went wrong with it.
But you could take this even further. A lot of otherwise dumb components have hidden CPUs in them, technically making them computers too. A lot of other radios have dedicated CPUs for them like WiFi, bluetooth or GPS. The SD memory card is also hiding a CPU inside as a memory controller and so are eMMC flash chips often used for onboard flash storage. But it does not end there, a lot of chips can act autonomously so that they only bother the main application CPU when needed, for example there is a tiny CPU in the touchscreen controller chip that sits on the glass panel, it scans the matrix of conductors and does math to decide when a touch is detected, calculates the center coordinates and then sends that to the main CPU with an interrupt. So the actual number of computers in a modern phone is probably closer to 10.
Some of these can be hacked to carry a virus such as an SD card, but hacking a touchscreen controller is probably not a viable thing as the chip is very underpowered and runs its code from a factory ROM with not even the capability to execute code from RAM.
berni8k You are confusing CPUs and microprocessors.
@gyroninja CPUs are the main building block of a microprocessor, everything else in a microprocessor is just there to help the CPU run, like provide it memory access, clocks, power etc.
I think "something containing a CPU" can be reasonably called a computer. Just that some CPUs are really under powered and limited. Ones that run the digital timer on a microwave or play a melody in a greeting card. Really slow 8bit computers that have a total of a few kilobytes of memory, but provided you changed there program they could still do anything else(Within there under powered limitations naturally).
Can you please promise to set up a Patreon as a christmas present for us all and you? Looking forward to this series, and to support you on Patreon. And as always, love the work you do, keep it up
When I was a kid, everytime I moved to a new school, I used to block my dad's SIM by entering SIM pin wrong thrice, forcing him to get a new number, so that my school teachers won't have any contact to complain about me, if I ended getting caught doing something crazy at school.
Now I know which piece of code I was running at the time. Thank you!
So cool, I'm getting bored of learning to code lol, the hardware stuff is so mysterious and cool to learn about
Aaron Ramsden IDK what path to choose
RobbenFan Python is what I'm learning at the moment, it's pretty fun, but I'm not sure how to get into hardware stuff yet
*+Aaron Ramsden* then you're wasting your time. If you want to go low level, proceed with C/C++, and if you want to decent further onto the bare metal try assembler, but only once you got the hang of C.
TheDragShot I mean, In my opinion. Python is not bad to learn to start off with. Besides, diving headfirst into low level languages and machine code is obviously very daunting on someone who is just starting out, like me.
TheDragShot noted,
But it's never a "waste of time" learning something you're interested in
I'm no engineer, computer science major.. or in school at all but i love watching shit like t his. Thank you for the content! :D
Nice! Looking forward to the follow-up videos!
Vielen vielen Dank für die Videos :) Da kann man so viel lernen!
Lustig das Video kam an meinem 15. Geburtstag raus.
You should be an instructor, very good and clear explanation. Good job!
I m a telecommunication student from Portugal and this video is amazing
This video scares me. I can only start guessing what kind of force was needed to crack the display on that Nokia.
Thats not a nokia 3310
I've broken a 3310 by just keeping it in my pocket with my house keys...
I'm convinced that I have some kind of curse: any time I own an electronic device that isn't broken in some way it finds some way to remedy the situation...
It required over 20 years of brute force but we finally cracked it
Probably dropped another Nokia on it..
Use nokia for brick
This was a very much needed video, I also feel that these kind of topics are not spread out enough. Thanks for sharing, great vid!!
For additional info. Some menus are embeded to the sim card because we know that sim card can store data but not enough, some menu are requested to the telecom servers and output will appear on your screen.
Glad there are clever people about and willing to share but this has gone way above my head.
This is an interesting subject looking forward for the rest of the series :)
Every time you upload a video you blow my mind...
You sir, just got a new subscriber!! Thank you so much for this awesome explaination! Right now I'm collaborating in a project related to 4/5G networks, your videos really helped me understand the subject even more!!
How did the oroject go, 2 months kater?
Yes !! I always wanted to know how sim card and their networking works. Thanks!
I and a few colleagues recently had phones hacked, contacts removed. Thanks for giving me enough information to know how this was done, and who was responsible.
I think coolest video on RUclips. Took me to my childhood where I was playing with sim cards :) Thank youuu!
I wondered how the system works some time ago…
And this video is very very incredeble. You maintain an insanely high level of quality through each and every video.
And i’am your new subscriber 🎉🎉
This is one of your coolest video, i always wanted to know about sim card abd the information im getting in this video is amazing
> "Most of us know how the internet works"
Personally, I would be interested to watch a video on wireshark and packets!
bruh....
Everyone should watch this. I had no idea how much technology was involved on these simple metal contacts
I always thought that SIM cards are just something that stores the unique subscriber ID and that the menu is processed from some server somewhere
That's really interesting! To be honest, I never really thought about SIM-Cards before, but now I'm hooked xD
So you're saying a SIM card can run Minecraft?
something like super mario bros 😊
That proves some uni are awesome.. they do teach good things...
I wondered how the system works some time ago but never wanted to dig in. I think I will learn a lot from this series.
Thank you so much, this is really interesting. Looking forward for more!
this was the greatest video ever i have watched on you tube great bro
Probably can emulate SIM card use software. No security for verify cell tower is real tower of fake tower?
Yep you can emulate a SIM card in software. But the cell tower will only accept you on the network is you prove you have the correct secret key by encrypting things correctly, this key is very difficult to extract from the SIM card.
Very nice video I learned so much, also worth to mention I guess that if U will fail 10 times with the PUK code, the sim is pretty much dead and you can call only emergency numbers.
Очень познавательно! Спасибо вам)
Thanks for revealing the mechanics of the sim man. thank you both
That was very interesting. I have been curious about these cards for a few months, and I have all the answers I was looking for (especially the similarity between SIM cards and credit cards, or the SIM service menu app in Android, which I didn't know actually kind of ran on the card).
I dont know about other countries since i have never left the us before. But here in the US, your simcard in the phone contains the information needed to successfully connect you to the wireless network. Basically it will tell the network who you are, what your number is, phones mac address, and other identifying information. Say you didn't pay your bill; your carrier will block some functions of the network on their end until you have paid. Plus the network is hidden and dont use your basic wifi for the connection. Your simcard also tells the phone what network its allowed to use.
I have seen some defcon videos about this. i believe the sim would be classified more as a microcontroller than a computer.this something that interested me for a while however
Like
WOW i fix phones and i didn't know that it was this complex! Thanks for this video, Awesome!
thank you so much for this video, in kenya we still use the applet on the sim card a lot, mostly for mobile money transfer which is a very big thing here, would like to get my hands on the osmocombb project , this is really cool though, looking forward for the follow up.
can you send me an email or msg me on twitter? I know that in other areas of the world these SIM applications are used a lot and would love to learn more about it!
Amazing! Just came up today: "What happens when you loose the PUK?"
Looking forward to this series and thanks for sharing your enthusiasm!
Your service provider can unblock your PIN/PUK with the ADM1. Only they now what this value is.
so if my teachers says "give an example of a computer" can i answer it with "a simcard"? just curious ✌️😅
Very great video! And it's also the first time that I see a Nokia with a broken screen 😄. Keep doing video! Sorry for my English.
Sorry for your perfect English?
Thanks!
SIM Tools are present in Android as well, I don't think the 3310 is any more special (in this particular issue) than any other (smart)phone confirming to GSM standard. Also the modem is separate computer in most smartphones (don't believe that request to SIM are coming from main CPU) so there is at least three computers in contemporary phone. Probably much more as power and sensor management is done with specialized controller.
The power management and ADC controller is usually not a processor but a simple state machine with minimal flexibility. The whole purpose of it is keeping the analogue domain out of the fully digital SoC.
You know what is though? The eMMC disk drive usually is a processor. Samsung uses ARM, others have something else, but they have firmware stored on the same flash as the data.
Yes its usualy the baseband CPU.
But depending on where you draw the line you can find a lot more CPUs. Things like SD cards and eMMC flash storage have CPUs doing the job of a memory controller. Other radios like WiFi, Bluetooth, GPS etc tend to have dedicated CPUs to run them. Even dumb looking things like a touchscreen controller has a tiny CPU inside to scan the touch matrix, decide when a touch occurs, calculate the center coordinates and finally send them to the main application CPU. Even something as simple as an accelerometer/gyro chip could have sometimes a CPU inside. But these deeply embedded CPUs usually run code from ROM so are not viable to hack.
@@berni8k while mask ROM microcontrollers usually make for the least interesting targets, the firmware can be susceptible to ROP, basically reusing existing ROM code and invoking it by smashing the stack.
@Siana Gearz Yes technically it is possible, but there is very little code inside so its difficult to find useful snippets, there is very little RAM (Proabobly
Du bist auf die TU gegangen! Mein Held! Jetzt darf ich davon träumen so krass zu werden wie du
A surprise to be sure. But a welcome one!
Always exciting to watch these videos!
00:08 _Ya'll know what makes Nokia 3310 so special!_
I was literally just thinking about this earlier today, and this video answered all of my questions!
Can you run Wolfenstein off one or more SIM cards?
Halfway serious question.
Now you've got me curious about benchmarking a sim card, overclocking it and running Doom on it.
This is so great you just got yourself a new subscriber baby!
That's the old famous Nokia that goes for a lot of money on eBay. They use it for some sort of fraud but I don't know the details. Didn't know there were other phones that could do it (the Motorola).
Another gold channel I dig on youtube. Subscribed.
Well, theoretically you could decap the IC and examine it with a microscope to get the private key, but when you're finished, the owner has most likely already changed their SIM or credit card...
I don't think so. Flash and EEPROM are usually capacitive, storing data as electrical charge on the gate of a MOSFET. But you can't see electrons with a microscope!
You can read Mask ROM with a microscope.
You can't read flash memory using a microscope.
But what they do instead is poke the bare die with microprobes while the chip is running so that they can look at the data bus of the internal CPU while its reading the key from memory. Obviously this is very difficult do to so its not practical, but people do this a lot to get the keys for satellite TV out of cards. Once they have the key they can make as many clones as they want and sell them cheap to people who want to watch the good channels.
High End smart cards, like those used in chip based debit or credit cards, actually has protection mechanisms against probing attacks. It can, for example, detect when the NVM is breached and will then stop executing code - a security reset will be triggered.
@Gerhard van Deventer
Actually credit cards use the least secure smartcard chips.
This might seam counter intuitive at first since there is actual money on the line here, but for the criminals to do this they need to physically steal your card, at that point they might as well just use the stolen card rather than make a copy, besides once you can't find your card for a few days you will report the lost card to the bank so that they deactivate it and make it useless in an instant. As a result these cards are secure enough that you can't simply make a copy in a few minutes, but don't have the more advanced security features because nobody would bother to try that hard.
However smartcards used for satelite and cable TV don't have two way communication back to a server so they can't remotely detect suspicious behavior and block the card. This allows someone to hack a card, make 1000s of copies and sell them for profit to people who want to watch the fancy channels on the cheap. This makes a hacked satelite TV smartcard much more valuable than a hacked credit card. As a result the people who buy the card from the manufacturer are willing to pay extra for a more secure smartcard model and these cards have such advanced security methods like hard to etch trough layers, snaking patterns to detect intrusion, hiding important signals on deeper layers etc.
@berni8k
This isn't true. I actually develop software for SIMs and debit cards. The security requirements for debit cards are very high. To get certification from MasterCard, for instance, your card has to hold up to all sorts of penetration testing, such as probing attacks or deferential power analysis. You are right in that its easy to block your card if its stolen. The problem is that if some one can obtain the keys necessary to do authentication and to generate or verify certificates that is used during a transaction. These keys aren't unique per chip, just as for satellite or cable TV. So yes these cards must be super secure. SIM cards on the other hand typically uses way less secure chips.
Wow thank you! And I had no idea how identical sim cards and credit card chips looked
Вадим молодец! :)
The fact that Java runs on a sim card blows my mind
0:35 what was happening there? Did he spoof a phone call?
Nope. But patience :P
This is just awesome I didnt know this much stuff goes in the sim card
Is my credit card also running on java?
Yes
Perfect episodes coming...Im so excited.
1:37 Do you have the pin number for this card?
Sultan Mustapha Jallaludin Pasha Han zindabad
You are my new favorite page. Thank you for everything you do bud!
Sim cloning attacks are common now a day's
What would you like to say on that as according to you we can't clone a sim
Sir, I learned so much from this first video I have seen, I subscribed and will be watching all night. Your knowledge and ability to present that knowledge is outstanding thank you
.
Thank
9:09 that image, sus.
One of the best InfoSec RUclips channel around. Thanks for all the great content LiveOverflow!
there i was thinking the sim card was just a memory chip.. how i was wrong :D
Finally, I always thought sim cards are interesting, thank you for making a video about it.
So, is there a way to sign private messages with a sim card?
Only if you install a special cardlet for that, I think.
Private messages, what kind? SMS, Email?
Yes if you have the secret key inside to decrypt it again. The cellular service provider has a copy of that key (because they are the ones who sold you the SIM card) so that they can decrypt your calls and messages while someone else listening to your cellphones radio traffic can't decrypt it.
You just gained a new subscriber :) interesting topic and clear explanation of the technical aspects!
all i could hear was "the sim card runs java" and then i thought "so, it's vulnerable..."
I hope it has not log4j on it tho xP
Amazing what kind of informations is just simply out here. Thanks für your contribution. It's been a long time since I had an "aha"-effect for something I never knew how it worked.
by the way..................can it run crysis?
Same here
No.
Only in full HD and 50 fps 😒
Ribbon cable broke in three... two... one. Ribbon cable broken successfully, prepare for evac at designated TCZ. Good work on being the bane of blind mobile device teardowns.
its funny how we research things that humans made... i mean, why didnt they just tell you the things that you just discovered, would save some time lol
hahaha
those guys made these stuffs where did they go
You're describing open source...
basically yes but most of the things are not
Because the less people know about the security mechanisms, the more secure they are.
its little hard for some beginner like me, but this vid is awesome. I really like it. Worth to watch.
But I'm already Tracer.
I bet he doesnt kiss ya
First time im here and like your video, keep working!
If a sim card is a computer, does that mean you can play DOOM on it?
Its not a computer
@@hausemester7386 Yes it is, did you even watch the video?
yes it is, but not in the way you imagine.
Comput-ers are not only the way you imagine
Its a computer in the sense that it can execute code, store data and talk to the 'outside world'.
My so many questions were answered in this single video. Excellent man keep it up.