How Android knows about premium messages is that it reads an XML list where each country has it’s own defined premium rate numbers and how many digits those numbers need to have. Below you will find such protection example. I have used a malware app which was sending a message to a 6 digit number. Since in Romania we have 4 digits for premium numbers, the operating system allows it to send the text. As soon as it’s sent, I get a reply from the network informing me that the destination is not allowed (in Romanian). Then I modified the app to send to 1263 number. This time I got prompted by a dialog saying that I’m going to be charged for this operation. I even allowed it once and the reply from the mobile network is that I do not have enough credit – since my balance is zero – so this time it really was a premium rate number.

Another thing I wanted to check was if with this update I am going to be protected against premium SMS SIM Toolkit attack. However, the STK.apk icon was not visible after this update. If you are also in this situation after the Android 4.2 update, you will need to re-enable SIM PIN protection and the issue is solved – you can see the SIM Toolkit app in the menu.

Now, since the Android 4.2 protects also against the basic regular SMS app when you want to send a text to a premium number by yourself, I could not see any reason for not protecting also against SIM Toolkit attack since the STK.apk is involved. The result?

As you can see, the phone sends by itself a text message to a premium rate number, no protection involved from Android. Again I get the same reply from the network saying that I don’t have enough funds.

So, there it is: you are still vulnerable against SIM Toolkit attack with the new Android 4.2

UPDATE2: It was not the bug I was thinking of. After having a few communication messages with Avast, who actually were very helpful, I have to agree with them that this was NOT something they did on purpose – and I didn’t think so at all -  and also “it does not affect a lot of users as it requires special order of tasks to occur“. Indeed I was able to reproduce the bug by recording my steps and performing them on different devices. Maybe it was bad luck for me to discover these steps, but I am happy that I discovered the bug so that Avast’s customers will feel safer. Another thing I want to note is that Avast has issued a test update (only available to few until it will go into production), I applied the fix and I can confirm the issue is fixed now. Great work Avast! Really fast response and much interest showed in solving the problem.

A couple of days ago, I have installed on a test Android based phone the avast Mobile Security solution from Google Play – the free version. After a few days when this antivirus solution was turning on the WiFi or the mobile data plan by itself, during the night, I chose to uninstall it.

Now something new came to my attention: I was checking my balance on the phone and noticed that 0.12 EUR were missing. Hmm, maybe I have sent a message to some of my Roaming SIM cards. I logged on to my account to check why I have been billed. I noticed that indeed a message was sent to a number outside my country, but after checking the number I realized this number was not mine.

See the below screenshot from my account:

So I looked for the country code: this number - 420720001669 – is from Czech Republic. Searching for this number on the web revealed that avast is actually sending this message. First occurrence from here:

Même problème, je viens de voir sur mon suivi un SMS vers le 420720001669 facturé à 19cts envoyé le 27 aout.

Il me semble que ça coïncide avec l’installation d’Avast Anti-Theft qui a l’autorisation d’envoyer des SMS. Et comme de par hasard AVAST software est une compagnie Tchèque …

which translated would mean:

Same problem, I just saw on my monitor SMS to 420720001669 charged 19cts sent on August 27.

It seems to me that it coincides with the installation of Avast Anti-Theft that has permission to send SMS messages. And as coincidence AVAST Software is a Czech company …

Second result from here

Buenos días, esta mañana al consultar mi lista de llamadas me aparece lo siguiente:

24/08/2012 420720001669 ENVÍO SMS 08:12:02 1 MENSAJE

A esa hora no he enviado ningún SMS me pueden decir a q corresponde dicha numeración? El SMS tiene un coste de 60 cent.

.. and translated:

Good morning, this morning to check my call list I get the following:

08/24/2012 8:12:02 420 720 001 669 1 MESSAGE SENDING SMS

At this time I have not sent any SMS I can say that numbering corresponds aq? The SMS is charged at 60 cent.

Thank you.

There was even a result from Google Play store, but couldn’t find in full so here is the screenshot along with the translation:

September 4, 2012 – … took a printout of the operator found to send an SMS to number 420720001669, struck on the forums that this number was Avast …

To me it’s pretty clear that it’s Avast fault for this. There was only one message sent from my number, but I haven’t used their software for more than 3 days so I can’t say for sure if the message is sent each week for example. I’ll try to contact them and see what they have to say about this.

However, this is something that it shouldn’t happen at all.

In case you have noticed this behavior also, please leave a comment here.

This tweet came during a great speech of Behrang Fouladi at 44con conference regarding .NET smart cards. His research is great and I want to make it clear from the beginning that I appreciate his work. The only thing that I don’t like is that generally people are trying to make a mountain out of a molehill from the fact that SIM sends a message to the operator.

What is it about? SIM card has an app written on it and, when put into a different phone, it will automatically send a message to the operator informing it that now the customer uses another phone. Why this? Well the operator will automatically send you the MMS/Internet settings for this new phone so that you will not have to struggle with manual setup.

Where is the tracking? Or how can we think about tracking when you are actually using the operator’s network and that at anytime the operator knows where you are, with a few meters precision, specially in a big city where they have more BTSs?

Some said this is the first time someone discovers such SIM app. I disagree – I spoke about this exactly behavior last year, at DeepSec 2011 conference. I haven’t given too much attention to it as I am inside the operator’s network and the SIM is sent to a number belonging to the operator. Here is the proof that people should’ve already knew about it:

Automatic SMS – Deepsec 2011 from Msec Net on Vimeo.

What about the message that is being sent? What does it contain?
Before answering this, I have to make a note: it might be possible that in another country Orange SIM cards to send some more details, so I can’t certainly say that the info is incorrect. Last time I checked, one year ago, SIM card was sending the IMEI only. This morning I performed another trace to find out if anything changed, but it didn’t. Even if it might request for the Cell ID also, that information is not sent in this message.

Here is the SMS SUBMIT captured data

Here is the destination number to where the message was sent – this case 5692

Now here is the data inside it, containing the IMEI of my phone

In the worst case scenario we could think about this message as “tracker” if it was sent regularly, at specific time frames. But guess what - it isn’t! It is sent only when you turn on the phone and that’s it.  The good question is indeed why would the operator need this when they already know your phone’s IMEI, without making the SIM supply it in a message? I can only speculate on this, but I think the explanation is that a long time ago the operator asked for this as a convenience – maybe for law enforcements or not – in order to not search to deep in the log files.

Is this thing new?
You will actually be surprised to find out that it’s started back in 2005 – at least in Romania. Searching for that 5692 number on the web, I found an old topic from a Romanian forum which was discussing about this automatic message:

As you can see, the topic date is 26 December 2007!

Here are some excerpts from this topic, translated into English:

six: Why on the Orange network, when I put my SIM card in a new or different phone I get on my Nokia display a message saying “Allow SIM card to send message”?

ionut.tabacaru: Starting 2 years ago, all these SIM cards automatically send a message to Orange, to a free of charge number 5692

kaytar: 3 days ago I’be put my SIM card into a different phone and I’ve received a message saying that in a few moments I will receive the WAP/MMS settings … and indeed I did get them

andreic: I am curious to find out what this SMS does

mailman: It communicates that the phone has changed and the network sends you the connection details for wap, mms

If you don’t trust me, open the topic and use Google translate

Now about that “without your knowledge” thing. If you look closely on the above video you will notice that on Nokia phones you have the option to ask you about when the SIM cards wants to perform an action – you could allow it or not. Also during my presentation I said that these SIM toolkit messages generally inform the user by displaying “Sending message” info on the phone display. Not all phones can ask you if you allow the SIM to do that, but if you keep your eyes on the phone in the first few minutes after you turned it on, most probably you will notice this message being sent.

Finally I would like again to underline that I have nothing personal with Behrang, I appreciate all his findings, but this Orange SIM card tracker thing went a little bit too far.

Waiting for your comments

I have discovered a new vulnerability in the GSM network and I’m going to present it at EUSecWest which is held in Amsterdam, Netherlands on September 19/20. The presentation title is “Using HTTP headers pollution for mobile networks attacks” and basically I’m going to show how you could exploit the operator’s WAP homepage and perform attacks on a specific MSISDN.

There are also some other interesting talks, mostly on mobile security and let’s not forget about Mobile PWN2OWN.

So, if you want to find some new interesting things about mobile security,  then please register for EUSecWest!

See you in Amsterdam!

1. On phones with Android you should remove the STK.apk application – right, but what if your phone is not rooted? Also since I’m not much into software / programming, I really doubt this would work because you will indeed not be able to access the SIM Toolkit application from your phone, but that doesn’t mean that your phone won’t be able to process STK commands issued by your SIM card

2. On phones with Windows Mobile, remove the HKEY_CLASSES_ROOT\SimToolkit.UI from the registry – this was something that I spoke of, but again, like the Android case, your SIM card still initiates commands, even though you can’t access the applications stored

3. Ask your mobile operator to disable premium rate charging – although somehow it’s true as your operator can disable calling to such number, it can’t disable texting If you know such carrier, feel free to post a comment.

What else you should keep in mind is that the method used has to be convenient to everybody: people still want to use mobile banking, they still want to be able to check for the available credit from the Toolkit menu, they don’t want to jailbreak, root or cook their own ROM (this is for smartphones), not everyone holds a smartphone. Pretty tough to find a solution, right?

Well, not quite – I think the following solution is the most convenient as it takes care of most of the mentioned requirements.

So, in order to somehow protect from SIM Toolkit crafted SMS attack, just go to the settings of your messages, select the profile used for SMS and edit the message centre number by removing the last digit from it and save the settings (write down the full number first!). Pretty nice, right? So what have you just done? You have modified the number used by your phone in order to send messages. Yes, you still have access to the toolkit application, but you will not further be able to use any application that requires to send a message and also you will not be able to send any text messages anymore. However, receiving of SMS is not affected. Why to try the hard way – modify the entire software on your own – when there is a better and simpler solution?

Disclamer: I am NOT responsible in any way for any wrong functionality of your phone, so if you have no idea what you’re doing, it’s better to leave it that way.

Even with this solution, be careful of one important thing: some carriers are charging you even if the message was not actually delivered or you used a wrong message centre! Yes, you read that right: you could still be charged! The best way to test if your network operator does this is by using a prepay SIM with no credit on it, modify the message centre number and send a text message – your phone will inform you that it could not deliver the SMS. If you get back a message from the network saying that you don’t have enough funds, that’s bad: you will be charged anyway so you won’t be protected. Maybe you should switch to a different carrier?

I’m not saying that this method is the best, but it’s something it works in most of the cases. Let me know your findings.

I must say it was a real pleasure to attend the DeepSec 2011 edition. I’ve met a lot of interesting people and all the talks were great. Since it was my first time I held an international talk with such large audience, I was a little bit excited, but no matter what, I still consider I did a pretty good job. By now I only got positive feedback

To answer some of the frequently asked questions:

1. The attack I showed has nothing to do with knowing the security keys as the response to the command is being sent even if there’s an error

2. The live demo worked – too bad I didn’t have a webcam to show you the target phone

3. There was no planning on who should volunteer for the live demo

4. The number you’ve seen during the demo is not the real number (only the first 3 digits were) and also wasn’t charged with 5 EUR – all it was just for the fun of it

5. The quickest way to protect is to change your phone to one that asks for your permission before allowing the SIM card to do something, or switch to another operator that doesn’t provide SIM cards with Toolkit Application on them – in Austria it’s at least one, as well in Romania

6. Pay attention to dual-SIM phones: some of them are not showing you the extra-menu belonging to the SIM application, so don’t get comfortable thinking that you’re protected

7. I’m not a hacker / cracker how the media likes to call the security specialists most of the times. My purpose was to make you aware of the danger of just using something like SMS

I was happy that right after the talk I’ve been contacted by RIM in order to send them the details to fix this. It’s good to see that someone pays attention to these details. As long as they agree, I’ll keep you up to date with how the things are going.

Thank you Lynx, MiKa, Manuela for this opportunity! I’m pretty sure I’ll see you next year also I also hope that next year there will be more people from Romania in the audience.

Below it’s a recording of my talk SMS fuzzing, SIM Toolkit Attack – I hope you’ll ignore my excitement

The slides from the talk can be found here (click me).

I wait for your feedback!

KAFOS (Karadeniz Fiber Optik Sistemi – Black Sea Fibre Optic System) is a submarine telecommunications cable system in the Black Sea.

Cable Length: 538 km
Owners: Turk Telekom, Vivacom, Romtelecom, KPN, Telecom Italia Sparkle, Slovak Telekom, Rostelecom, BT

Landing Points

Igneada, Turkey
Istanbul, Turkey
Mangalia, Romania
Varna, Bulgaria
It has a transmission capacity of 622 Mbit/s, started operation on 13 June 1997.

If you want to see how the countries are connected via sea/ocean access http://www.submarinecablemap.com

Enjoy!

Landing Points

• Igneada, Turkey
• Istanbul, Turkey
• Mangalia, Romania
• Varna, Bulgaria

With no further comments, the new GlaDOSiri is here:

Today when I have checked my email, I got one with the following subject: Your Talk Has Been Accepted for DeepSec 2011.  I was (and still am) really happy to have such great news. I really can’t wait to go there and get the public reaction. You may see the preliminary schedule here and details about the talks here.

Of course, it wasn’t easy – it involved a lot of work and learning, but the most important secret is fun. The fun you have when you do something that you like, the fun you have when everyone else tells you that “this is not possible, you won’t get anywhere if you try it that way” but still you do it and find something wrong in the way that thing was built, the fun you have when you put passion.

I need to say a big THANK YOU to Tobias Engel from Chaos Computer Club who has pushed me into learning more about GSM security and gave me some tips&tricks about, along with encouraging me to write a research paper.

I won’t disclose yet what I’m going to present at DeepSec (though people who know me will find out easy), but it is tight to what Tobias discovered regarding the Curse of Silence