UPDATE2: It was not the bug I was thinking of. After having a few communication messages with Avast, who actually were very helpful, I have to agree with them that this was NOT something they did on purpose – and I didn’t think so at all -  and also “it does not affect a lot of users as it requires special order of tasks to occur“. Indeed I was able to reproduce the bug by recording my steps and performing them on different devices. Maybe it was bad luck for me to discover these steps, but I am happy that I discovered the bug so that Avast’s customers will feel safer. Another thing I want to note is that Avast has issued a test update (only available to few until it will go into production), I applied the fix and I can confirm the issue is fixed now. Great work Avast! Really fast response and much interest showed in solving the problem.

A couple of days ago, I have installed on a test Android based phone the avast Mobile Security solution from Google Play – the free version. After a few days when this antivirus solution was turning on the WiFi or the mobile data plan by itself, during the night, I chose to uninstall it.

Now something new came to my attention: I was checking my balance on the phone and noticed that 0.12 EUR were missing. Hmm, maybe I have sent a message to some of my Roaming SIM cards. I logged on to my account to check why I have been billed. I noticed that indeed a message was sent to a number outside my country, but after checking the number I realized this number was not mine.

See the below screenshot from my account:

So I looked for the country code: this number - 420720001669 – is from Czech Republic. Searching for this number on the web revealed that avast is actually sending this message. First occurrence from here:

Même problème, je viens de voir sur mon suivi un SMS vers le 420720001669 facturé à 19cts envoyé le 27 aout.

Il me semble que ça coïncide avec l’installation d’Avast Anti-Theft qui a l’autorisation d’envoyer des SMS. Et comme de par hasard AVAST software est une compagnie Tchèque …

which translated would mean:

Same problem, I just saw on my monitor SMS to 420720001669 charged 19cts sent on August 27.

It seems to me that it coincides with the installation of Avast Anti-Theft that has permission to send SMS messages. And as coincidence AVAST Software is a Czech company …

Second result from here

Buenos días, esta mañana al consultar mi lista de llamadas me aparece lo siguiente:

24/08/2012 420720001669 ENVÍO SMS 08:12:02 1 MENSAJE

A esa hora no he enviado ningún SMS me pueden decir a q corresponde dicha numeración? El SMS tiene un coste de 60 cent.

.. and translated:

Good morning, this morning to check my call list I get the following:

08/24/2012 8:12:02 420 720 001 669 1 MESSAGE SENDING SMS

At this time I have not sent any SMS I can say that numbering corresponds aq? The SMS is charged at 60 cent.

Thank you.

There was even a result from Google Play store, but couldn’t find in full so here is the screenshot along with the translation:

September 4, 2012 – … took a printout of the operator found to send an SMS to number 420720001669, struck on the forums that this number was Avast …

To me it’s pretty clear that it’s Avast fault for this. There was only one message sent from my number, but I haven’t used their software for more than 3 days so I can’t say for sure if the message is sent each week for example. I’ll try to contact them and see what they have to say about this.

However, this is something that it shouldn’t happen at all.

In case you have noticed this behavior also, please leave a comment here.

This tweet came during a great speech of Behrang Fouladi at 44con conference regarding .NET smart cards. His research is great and I want to make it clear from the beginning that I appreciate his work. The only thing that I don’t like is that generally people are trying to make a mountain out of a molehill from the fact that SIM sends a message to the operator.

What is it about? SIM card has an app written on it and, when put into a different phone, it will automatically send a message to the operator informing it that now the customer uses another phone. Why this? Well the operator will automatically send you the MMS/Internet settings for this new phone so that you will not have to struggle with manual setup.

Where is the tracking? Or how can we think about tracking when you are actually using the operator’s network and that at anytime the operator knows where you are, with a few meters precision, specially in a big city where they have more BTSs?

Some said this is the first time someone discovers such SIM app. I disagree – I spoke about this exactly behavior last year, at DeepSec 2011 conference. I haven’t given too much attention to it as I am inside the operator’s network and the SIM is sent to a number belonging to the operator. Here is the proof that people should’ve already knew about it:

Automatic SMS – Deepsec 2011 from Msec Net on Vimeo.

What about the message that is being sent? What does it contain?
Before answering this, I have to make a note: it might be possible that in another country Orange SIM cards to send some more details, so I can’t certainly say that the info is incorrect. Last time I checked, one year ago, SIM card was sending the IMEI only. This morning I performed another trace to find out if anything changed, but it didn’t. Even if it might request for the Cell ID also, that information is not sent in this message.

Here is the SMS SUBMIT captured data

Here is the destination number to where the message was sent – this case 5692

Now here is the data inside it, containing the IMEI of my phone

In the worst case scenario we could think about this message as “tracker” if it was sent regularly, at specific time frames. But guess what - it isn’t! It is sent only when you turn on the phone and that’s it.  The good question is indeed why would the operator need this when they already know your phone’s IMEI, without making the SIM supply it in a message? I can only speculate on this, but I think the explanation is that a long time ago the operator asked for this as a convenience – maybe for law enforcements or not – in order to not search to deep in the log files.

Is this thing new?
You will actually be surprised to find out that it’s started back in 2005 – at least in Romania. Searching for that 5692 number on the web, I found an old topic from a Romanian forum which was discussing about this automatic message:

As you can see, the topic date is 26 December 2007!

Here are some excerpts from this topic, translated into English:

six: Why on the Orange network, when I put my SIM card in a new or different phone I get on my Nokia display a message saying “Allow SIM card to send message”?

ionut.tabacaru: Starting 2 years ago, all these SIM cards automatically send a message to Orange, to a free of charge number 5692

kaytar: 3 days ago I’be put my SIM card into a different phone and I’ve received a message saying that in a few moments I will receive the WAP/MMS settings … and indeed I did get them

andreic: I am curious to find out what this SMS does

mailman: It communicates that the phone has changed and the network sends you the connection details for wap, mms

If you don’t trust me, open the topic and use Google translate

Now about that “without your knowledge” thing. If you look closely on the above video you will notice that on Nokia phones you have the option to ask you about when the SIM cards wants to perform an action – you could allow it or not. Also during my presentation I said that these SIM toolkit messages generally inform the user by displaying “Sending message” info on the phone display. Not all phones can ask you if you allow the SIM to do that, but if you keep your eyes on the phone in the first few minutes after you turned it on, most probably you will notice this message being sent.

Finally I would like again to underline that I have nothing personal with Behrang, I appreciate all his findings, but this Orange SIM card tracker thing went a little bit too far.

Waiting for your comments

I must say it was a real pleasure to attend the DeepSec 2011 edition. I’ve met a lot of interesting people and all the talks were great. Since it was my first time I held an international talk with such large audience, I was a little bit excited, but no matter what, I still consider I did a pretty good job. By now I only got positive feedback

To answer some of the frequently asked questions:

1. The attack I showed has nothing to do with knowing the security keys as the response to the command is being sent even if there’s an error

2. The live demo worked – too bad I didn’t have a webcam to show you the target phone

3. There was no planning on who should volunteer for the live demo

4. The number you’ve seen during the demo is not the real number (only the first 3 digits were) and also wasn’t charged with 5 EUR – all it was just for the fun of it

5. The quickest way to protect is to change your phone to one that asks for your permission before allowing the SIM card to do something, or switch to another operator that doesn’t provide SIM cards with Toolkit Application on them – in Austria it’s at least one, as well in Romania

6. Pay attention to dual-SIM phones: some of them are not showing you the extra-menu belonging to the SIM application, so don’t get comfortable thinking that you’re protected

7. I’m not a hacker / cracker how the media likes to call the security specialists most of the times. My purpose was to make you aware of the danger of just using something like SMS

I was happy that right after the talk I’ve been contacted by RIM in order to send them the details to fix this. It’s good to see that someone pays attention to these details. As long as they agree, I’ll keep you up to date with how the things are going.

Thank you Lynx, MiKa, Manuela for this opportunity! I’m pretty sure I’ll see you next year also I also hope that next year there will be more people from Romania in the audience.

Below it’s a recording of my talk SMS fuzzing, SIM Toolkit Attack – I hope you’ll ignore my excitement

The slides from the talk can be found here (click me).

I wait for your feedback!

1. Regarding the wireless POS devices – that use a GPRS / EDGE connection – is there any security involved in sending data (is a secure data transfer between the device and bank)? If so, can you give me one example of a secure protocol you use?

2. What’s the mobile provider used by your devices?

Results can only worry you:

- for the first question, all of the banks replied saying that they can’t provide such information due to it’s confidential classification.

- for the second question, all of them just told me the operator used.

Why their reply came as a surprise to me is because I consider that the second question is something that the banks should not disclose at all. If someone finds a vulnerability in the mobile network of an operator, then it’s just a matter of seconds until you know the target. Not answering about if there is any security involved during the payment process makes you think if your payment is really secure. And it’s not even something confidential because PCI (Payment Card Industry) compliance is mandatory for merchants.

Considering that the GPRS is now broken, do you feel safe paying with your credit card since the bank has no interest in letting their customers know that payment is secure?

1. You call yourself “Carrefour“, you put up a marketing campaign and ask your customers to fill in a form where one of the fields is the Numerical Personal Code. Of course, you are not registered as a company who deals with private data (according to ANSPDCP‘s website). There are a lot of people out there that give their personal information just to get 10$.  I really wonder if it was to give their credit card info and PIN, would they really give it?

2. What about if you are a bank? Or a customer of a bank? Theoretically your private details like bank account, CNP, address, etc should be safe. Well…that’s the theory. There is one bank out there (you’ll discover the name below) that allows you to find protected info about any of its customers. Let’s say you have an i-banking account with them and you get the IBAN account of one of their customers. As soon as you try to make a money transfer to that person, you will get that person’s name. What’s wrong with that you will say. Well, you can just play around with the IBAN account and discover other valid accounts along with the holder’s name. Ok, I agree, maybe that’s not a serious security problem. Once you continue with the money transfer, you can see more: in the details of the transfer you also get the CNP of that someone. And yes, the bank is registered as a private company who deals with confidential data and obeys the law. Right!

See a demo for yourself. I have blurred some details, but that’s the only edit on the video.

A few months ago I was googleing a friend’s name in order to find his email address. While searching I got to a website which showed his address and telephone number. I was pretty surprised to see that and since the website had a search engine, I started to look for different persons – for some I got results. This was looking more and more interesting. I notice that there was also possible to create a test account with some free credits and with more search results. After waiting a day or so I finally got my account. Now the information I could find was astonishing. Not only I got the address and the phone, but also the Numerical Personal Code, what bank loans did they have (if any), how much they got ad so on.

As you can see all the information is there. For privacy reasons I have hidden the data. But from where such a website could get all that information? Is there someone freely submitting the information? The response came quickly:

I was WOW-ed. So our own government is publishing all these information to the public? What about data protection? What about privacy? It was kind of hard to believe, but after searching some published papers by the Romanian’s Official Journal I convinced myself of the reality.

After accessing the official published paper I could also find: address, the date when the ID card was issued, the issuer name, ID number, Numerical Personal Code. If this is published freely by the government, then what else could I ask to a private company? Luckily, I knew that there is also an agency which is taking care of such issues – ANSPDCP (hard to translate ). However, how could I contact the agency (which is controlled by the government) and ask them to remove such information?

All that Vrajitorul website does is to get this information and structure it in a way that you can easily find. BUT there is hope. In case your personal identification info is somewhere on a website, you can contact the owner of the website and kindly ask to remove all this information as they are breaking the personal data protection law and in case they will not do so, you will contact the ANSPDCP agency. My friend did this and all the data that the website had about him was removed the next day. I strongly suggest you to do the same.

Comments? Next time I’ll write about some private companies (including a bank) which have problems in protecting sensitive information about their customers.