Press Release Nov 14, 2004
Perfect SIM attack scenario for criminal organisations
A few lines of code and one SMS message can terminate thousands of subscriber SIM cards at the same time. This is what Riscure, an independent smart card security lab, demonstrated at the Cartes Exhibition in Paris in November this year.
Riscure demonstrated how an attacker can remotely control and terminate SIM cards of subscribers by sending a specific data-download SMS to the card. Once terminated, the SIM card is useless and the customer is forced to visit the nearest GSM shop to have his or her SIM swapped.
Most recent SIM cards on the market are Java cards. Mobile telecom companies use the Java technology on the card to offer extra functionality to their subscribers via so-called applets. An applet is a small program on the SIM card, usually consisting of about 2000 lines of code. The extra functionality is used as a competitive advantage by the mobile telecom company. Examples are electronic wallets, information on demand services and games. A SIM applet (different from a handset applet) can only be installed by the GSM operator, either at personalisation of the card or remotely in the case of post-issuance deployment.
The attack implemented by Riscure is based on five lines of trojan code in an otherwise valid Java applet. This causes the SIM card to listen for incoming data messages with a specific code. Riscure showed at Cartes that the incoming data message terminates the SIM card. Alternative attack scenarios include the eavesdropping of sensitive data. An example of this was also demonstrated: the subscriber is presented with a regular-looking “SIM error, please enter PIN code” screen. When entered, the PIN code is sent to the attacker without the subscriber realising that this happens.
According to Marc Witteman, Technical Director at Riscure, the trojan code is so compact that it is difficult to detect. “Over the past year, we have seen several cases in which the applet of a small third party application provider was implemented on millions of SIM cards without any source code verification. One reason for this is that application providers are usually not willing to share the source code of their applet since they are concerned about a breach of their Intellectual Property Rights. Fortunately, when implemented correctly, the Java card technology offers very strong security in a SIM card multi-application environment.”
In Riscure’s experience with the banking industry, each applet on an EMV card is evaluated against a specific set of rules by an independent security specialist. Besides ensuring that the applet cannot be attacked by other applets on the card, such an evaluation would also highlight trojan code. The demonstration at Cartes showed that a rogue applet has very large consequences for the card issuer.
Contact Person
Harko Robroch, +31 64843 2222 or robroch@riscure.com
About Riscure
Riscure is a smart card security evaluation company based in the Netherlands. Riscure evaluates the security of smart cards and related systems for banks, credit card companies, GSM operators, smart card manufacturers, organisations deploying digital IDs and companies in the pay television industry.
Riscure provides its clients with smart card security services that fit their business context. In our advice, we make sure that the business risk and next steps are easily understood and that they are supported by strong technical evidence.
Riscure
Radex Innovation Centre
Rotterdamseweg 183/C
2629HD Delft
The Netherlands