Yesterday a tweet got my attention: “sim card tracker found on all orange sim cards. sends location, IMEI to operator, without your knowledge“. As I am a little bit suspicious about this kind of things, I have asked to define “all” and “without your knowledge”. Immediately came the reply which confirmed my feeling: “the smart card sends it via SMS to the operator from the OS on the card”.
This tweet came during a great speech of Behrang Fouladi at 44con conference regarding .NET smart cards. His research is great and I want to make it clear from the beginning that I appreciate his work. The only thing that I don’t like is that generally people are trying to make a mountain out of a molehill from the fact that SIM sends a message to the operator.
What is it about? SIM card has an app written on it and, when put into a different phone, it will automatically send a message to the operator informing it that now the customer uses another phone. Why this? Well the operator will automatically send you the MMS/Internet settings for this new phone so that you will not have to struggle with manual setup.
Where is the tracking? Or how can we think about tracking when you are actually using the operator’s network and that at anytime the operator knows where you are, with a few meters precision, specially in a big city where they have more BTSs?
Some said this is the first time someone discovers such SIM app. I disagree – I spoke about this exactly behavior last year, at DeepSec 2011 conference. I haven’t given too much attention to it as I am inside the operator’s network and the SIM is sent to a number belonging to the operator. Here is the proof that people should’ve already knew about it:
What about the message that is being sent? What does it contain?
Before answering this, I have to make a note: it might be possible that in another country Orange SIM cards to send some more details, so I can’t certainly say that the info is incorrect. Last time I checked, one year ago, SIM card was sending the IMEI only. This morning I performed another trace to find out if anything changed, but it didn’t. Even if it might request for the Cell ID also, that information is not sent in this message.
Here is the SMS SUBMIT captured data
Here is the destination number to where the message was sent – this case 5692
Now here is the data inside it, containing the IMEI of my phone
In the worst case scenario we could think about this message as “tracker” if it was sent regularly, at specific time frames. But guess what - it isn’t! It is sent only when you turn on the phone and that’s it. The good question is indeed why would the operator need this when they already know your phone’s IMEI, without making the SIM supply it in a message? I can only speculate on this, but I think the explanation is that a long time ago the operator asked for this as a convenience – maybe for law enforcements or not – in order to not search to deep in the log files.
Is this thing new?
You will actually be surprised to find out that it’s started back in 2005 – at least in Romania. Searching for that 5692 number on the web, I found an old topic from a Romanian forum which was discussing about this automatic message:
As you can see, the topic date is 26 December 2007!
Here are some excerpts from this topic, translated into English:
six: Why on the Orange network, when I put my SIM card in a new or different phone I get on my Nokia display a message saying “Allow SIM card to send message”?
ionut.tabacaru: Starting 2 years ago, all these SIM cards automatically send a message to Orange, to a free of charge number 5692
kaytar: 3 days ago I’be put my SIM card into a different phone and I’ve received a message saying that in a few moments I will receive the WAP/MMS settings … and indeed I did get them
andreic: I am curious to find out what this SMS does
mailman: It communicates that the phone has changed and the network sends you the connection details for wap, mms
If you don’t trust me, open the topic and use Google translate
Now about that “without your knowledge” thing. If you look closely on the above video you will notice that on Nokia phones you have the option to ask you about when the SIM cards wants to perform an action – you could allow it or not. Also during my presentation I said that these SIM toolkit messages generally inform the user by displaying “Sending message” info on the phone display. Not all phones can ask you if you allow the SIM to do that, but if you keep your eyes on the phone in the first few minutes after you turned it on, most probably you will notice this message being sent.
Finally I would like again to underline that I have nothing personal with Behrang, I appreciate all his findings, but this Orange SIM card tracker thing went a little bit too far.
Waiting for your comments