How to protect from SIM Toolkit attack

SIM Toolkit

After all the media coverage of the subject (quite impressive), a lot of discussion started, especially on the Polish site Niebezpiecznik, about how to protect against such attacks. Here are some of the ideas put forward:

1. On Android phones, remove the STK.apk application. Right, but what if your phone is not rooted? And even if you can remove it, I doubt it helps: you will indeed lose access to the SIM Toolkit menu, but that does not mean your phone stops processing the STK commands issued by your SIM card. The apk is only the user-facing menu; the proactive commands themselves are fetched and executed by the telephony stack and baseband underneath it.

2. On Windows Mobile phones, remove HKEY_CLASSES_ROOT\SimToolkit.UI from the registry. This is something I suggested myself, but as in the Android case, your SIM card still issues commands even though you can no longer reach the toolkit application.

3. Ask your mobile operator to disable premium rate charging. This is partly true: your operator can block calls to such numbers, but it cannot block texting to them :) If you know of a carrier that can, feel free to post a comment.

What else you should keep in mind is that whatever method is used has to be convenient for everybody: people still want to use mobile banking, they still want to check their available credit from the Toolkit menu, they don't want to jailbreak, root or cook their own ROM (for those with smartphones), and not everyone has a smartphone. Pretty tough to find a solution, right?

Well, not quite. I think the following solution is the most convenient, as it takes care of most of the requirements above.

So, to protect yourself to some degree from a crafted-SMS SIM Toolkit attack, go to your messaging settings, select the profile used for SMS, edit the message centre (SMSC) number by removing its last digit, and save the settings (write down the full number first!). Pretty nice, right? So what have you just done? You have changed the number your phone uses to send messages. You still have access to the toolkit application, but any toolkit application that needs to send a message will no longer work, and you will not be able to send text messages yourself either. Receiving SMS is not affected. Why go the hard way and modify the whole software yourself when there is a simpler solution? :)

One caveat: the SEND SHORT MESSAGE proactive command (3GPP TS 31.111) may carry its own service centre address as an optional Address data object. When it does, the phone uses that address instead of the one configured in your settings, so this trick only catches messages that rely on the default message centre.
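To make concrete where the message centre number enters the picture, here is an added worked example in Python; it is not code from the original post or from any SIM or handset vendor. It builds two SIM Toolkit SEND SHORT MESSAGE proactive commands in the COMPREHENSION-TLV layout of ETSI TS 102 223 / 3GPP TS 31.111, parses them, and reports which service centre the handset would dial: the command may carry an optional Address data object holding a service centre number, and only when that object is absent does the handset fall back to the message centre configured in its settings. The command bytes, the SMS TPDU and every phone number below are constructed for the example; the tag values and the dialling-number encoding follow the cited specifications.

```python
"""Which service centre does a SIM Toolkit SEND SHORT MESSAGE command use?
Parses the COMPREHENSION-TLV layout of ETSI TS 102 223 / 3GPP TS 31.111 and
encodes dialling numbers as 3GPP TS 23.040 does.  All commands and phone
numbers in this file are constructed for illustration."""
from typing import Optional

TAG_PROACTIVE = 0xD0          # proactive UICC command template
TAG_COMMAND_DETAILS = 0x01    # simple-TLV tags with the comprehension-required bit (0x80) stripped
TAG_DEVICE_IDENTITIES = 0x02
TAG_ALPHA_ID = 0x05
TAG_ADDRESS = 0x06            # optional service centre address
TAG_SMS_TPDU = 0x0B
CMD_SEND_SHORT_MESSAGE = 0x13
DEV_UICC, DEV_NETWORK = 0x81, 0x83


def encode_dialling_number(number: str) -> bytes:
    """TON/NPI byte, then BCD digits two per byte, low nibble first, 0xF padding."""
    ton_npi = 0x91 if number.startswith("+") else 0x81   # international vs unknown
    digits = number.lstrip("+")
    if len(digits) % 2:
        digits += "F"
    out = bytearray([ton_npi])
    for i in range(0, len(digits), 2):
        out.append((int(digits[i + 1], 16) << 4) | int(digits[i], 16))
    return bytes(out)


def decode_dialling_number(data: bytes) -> str:
    """Inverse of encode_dialling_number."""
    ton_npi, number = data[0], ""
    for b in data[1:]:
        for nibble in (b & 0x0F, b >> 4):
            if nibble != 0x0F:
                number += str(nibble)
    return ("+" if (ton_npi & 0x70) == 0x10 else "") + number


def parse_tlvs(body: bytes) -> dict:
    """Split a COMPREHENSION-TLV sequence into {tag: value}; handles the 81 xx long-length form."""
    tlvs, i = {}, 0
    while i < len(body):
        tag, length, i = body[i] & 0x7F, body[i + 1], i + 2
        if length == 0x81:                  # lengths 128..255 are coded as 81 xx
            length, i = body[i], i + 1
        tlvs[tag] = body[i:i + length]
        i += length
    return tlvs


def build_send_sms(alpha: bytes, sim_smsc: Optional[str], tpdu: bytes) -> bytes:
    """Construct a SEND SHORT MESSAGE proactive command (test fixture, not a real SIM's output)."""
    body = bytes([0x80 | TAG_COMMAND_DETAILS, 3, 0x01, CMD_SEND_SHORT_MESSAGE, 0x00])
    body += bytes([0x80 | TAG_DEVICE_IDENTITIES, 2, DEV_UICC, DEV_NETWORK])
    if alpha:
        body += bytes([0x80 | TAG_ALPHA_ID, len(alpha)]) + alpha
    if sim_smsc:                            # the SIM pins its own service centre
        addr = encode_dialling_number(sim_smsc)
        body += bytes([0x80 | TAG_ADDRESS, len(addr)]) + addr
    body += bytes([0x80 | TAG_SMS_TPDU, len(tpdu)]) + tpdu
    assert len(body) < 0x80, "fixture keeps to the one-byte length form"
    return bytes([TAG_PROACTIVE, len(body)]) + body


def analyse_send_sms(cmd: bytes, handset_smsc: str) -> dict:
    """Report where the SMS would go and which SMSC the handset would actually dial."""
    if cmd[0] != TAG_PROACTIVE:
        raise ValueError("not a proactive command (expected tag D0)")
    tlvs = parse_tlvs(cmd[2:2 + cmd[1]])
    details = tlvs[TAG_COMMAND_DETAILS]     # command number, command type, qualifier
    if details[1] != CMD_SEND_SHORT_MESSAGE:
        return {"send_sms": False, "type": details[1]}
    src, dst = tlvs[TAG_DEVICE_IDENTITIES]
    sim_supplied = TAG_ADDRESS in tlvs
    return {
        "send_sms": True,
        "sim_to_network": (src, dst) == (DEV_UICC, DEV_NETWORK),
        "smsc": decode_dialling_number(tlvs[TAG_ADDRESS]) if sim_supplied else handset_smsc,
        "smsc_from_sim": sim_supplied,
        "tpdu_bytes": len(tlvs[TAG_SMS_TPDU]),
    }


# Constructed SMS-SUBMIT TPDU (3GPP TS 23.040): to short code 1234, 7-bit text "hello".
SAMPLE_TPDU = bytes.fromhex("010004812143000005E8329BFD06")
FULL_SMSC = "+15550001234"          # constructed: what the phone normally has configured
TRUNCATED_SMSC = FULL_SMSC[:-1]     # the trick from the post: drop the last digit

if __name__ == "__main__":
    # Case 1: the SIM relies on the handset's default SMSC, so the truncated number is dialled.
    print(analyse_send_sms(build_send_sms(b"Bank", None, SAMPLE_TPDU), TRUNCATED_SMSC))
    # Case 2: the SIM supplies its own SC address, so the handset's setting never comes into play.
    print(analyse_send_sms(build_send_sms(b"Bank", "+15550009999", SAMPLE_TPDU), TRUNCATED_SMSC))
```

Compare the two results: in the first, the truncated number from the settings is what the phone would dial, so the message fails as intended; in the second, the number pinned by the SIM is used and the settings change has no effect. If you can capture the proactive commands your own SIM issues, feeding them to analyse_send_sms tells you which of the two cases you are in.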

Disclaimer: I am NOT responsible in any way for any malfunction of your phone, so if you have no idea what you're doing, better leave it as it is.

Even with this solution, be careful of one important thing: some carriers charge you even if the message was not actually delivered or you used a wrong message centre! Yes, you read that right: you could still be charged. The best way to test whether your network operator does this is to take a prepaid SIM with no credit on it, modify the message centre number as above and send a text message: your phone will report that it could not deliver the SMS. If you then get a message back from the network saying that you don't have enough funds, that's bad: you would be charged anyway, so you are not protected. Maybe you should switch to a different carrier?

I'm not saying this method is the best, but it is something that works in most cases. Let me know your findings.


3 Responses to “How to protect from SIM Toolkit attack”


  3. Markov says:

    I seriously doubt that the risk of a SIM Toolkit attack is real. The subscriber's SIM always sends the PoR via the _originating_ SMSC. So, to direct PoRs to the carrier's premium numbers you have to have a direct SMPP connection to the carrier's own SMSC (not bulk SMS providers), which seems very unlikely for "cybercrooks".
    Working on a DIY OTA campaign for a local MVNO, I learned the hard way how difficult it is to get PoRs, and I keep wondering how you managed to perform this demonstration at the conference.
    Have you heard of any cases of STK attacks?
