Sunday, 21 April 2013

Secrets of the SIM

The first project I would like to share concerns the SIM card's "secret" key derivation algorithm, COMP128.

At my former employer I was asked to put together a small presentation about the security of the old GSM system.

As I really hate presentations without any real hands-on experience, I wanted the presentation to actually show the internal mechanisms of the SIM and the mobile phone, as well as the base station's communication. So I did a "quick" search (it took two days) into the current state of GSM-related software and tools available to an ordinary person that could be used to put together something interesting.

The results are a bit shocking... but in a good way :)

I will describe the mobile phone and the BTS emulation part later, since all of the information about them can be found on the Internet already.

To show the internal mechanisms of a SIM card as well as the communication between the SIM and the mobile phone, I found the following tools to be handy:

1. SIMtrace
This little piece of hardware is awesome!!! It sniffs the communication between the SIM and the telephone and integrates into Wireshark with a normal dissector for parsing the raw data, so you can see what goes over the wire on the fly.

2. A programmable SIM card
This programmable SIM can be used like a standard SIM, but you can actually change the master key (Ki) used for key derivation. It can also switch between the derivation algorithms (COMP128 v1/v2/v3), which is really handy.

And that's it for tools. As the next step in putting this part of the presentation together, I had to refresh my memory about how authentication and encryption are carried out in GSM. Wikipedia and Google are here to help, as always.

Security features in GSM in a nutshell:
1. Challenge-Response Authentication
2. Symmetric encryption (A5)

The common secret is a 16-byte number called "Ki", stored in the SIM card and also at the respective mobile operator. Since the SIM is a smartcard, it is considered secure, and we all hope that our mobile operator also stores it in a really secure way :)
(otherwise every call and all data could be decrypted if it fell into the wrong hands)

GSM authentication

1. The base station sends a 16-byte random number, RAND (I'm really curious if it's really random...).
2. The SIM card takes this RAND and feeds it, together with Ki (the secret number), to the A3A8 algorithm (also known as COMP128). The output is a 12-byte number; call it OUTPUT.
3. The OUTPUT is split into two parts: the upper 4 bytes are the SRES and the lower 8 bytes are the Kc.
4. The SRES is sent back to the base station as the authentication response.
----
On the other end of the line, the mobile operator runs the same algorithm: because it knows our key (Ki), it can calculate the SRES and the Kc. If the mobile operator's SRES matches the SRES we sent back, we are authenticated on the network.
-----
5. The Kc is passed from the SIM card to the mobile phone. It will be used as the encryption key for the A5 algorithm (not discussed here).

Key derivation


Using SIMtrace and Wireshark, we can see that the mobile phone sends only one command to the SIM card together with the RAND, and the card sends back the SRES+Kc bytes. This can be observed in plain text :)
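The exchange in steps 1-5 and the single SIM command seen in the trace, as an added example that is not part of the original post or the author's comp128 script. `a3a8_standin` is an HMAC-SHA256 placeholder, not COMP128; the APDU bytes assume the GSM 11.11 RUN GSM ALGORITHM and GET RESPONSE commands; the `SimCard` class and the test Ki are constructed.

```python
import hashlib
import hmac
import os

RUN_GSM_ALGORITHM = bytes.fromhex("a088000010")  # CLA INS P1 P2 P3 (P3 = 16-byte RAND)
GET_RESPONSE = bytes.fromhex("a0c000000c")       # fetch the 12-byte SRES||Kc result


def a3a8_standin(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3A8: NOT COMP128, just a keyed (Ki, RAND) -> 12-byte function."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:12]


def split_output(output: bytes):
    """Step 3: the upper 4 bytes are SRES, the lower 8 bytes are Kc."""
    if len(output) != 12:
        raise ValueError("A3A8 output must be 12 bytes")
    return output[:4], output[4:]


class SimCard:
    """Constructed SIM model: Ki never leaves the card, only SRES||Kc does."""

    def __init__(self, ki: bytes):
        self._ki = ki
        self._pending = b""

    def transmit(self, apdu: bytes) -> bytes:
        header, data = apdu[:5], apdu[5:]
        if header == RUN_GSM_ALGORITHM and len(data) == 16:
            self._pending = a3a8_standin(self._ki, data)
            return bytes.fromhex("9f0c")        # SW: 12 response bytes are waiting
        if header == GET_RESPONSE and self._pending:
            out, self._pending = self._pending, b""
            return out + bytes.fromhex("9000")  # SRES||Kc followed by SW "OK"
        return bytes.fromhex("6f00")            # anything else: generic error SW


def phone_authenticate(card: SimCard, rand: bytes):
    """Phone side: hand RAND to the SIM, get back (SRES for the network, Kc for A5)."""
    if card.transmit(RUN_GSM_ALGORITHM + rand) != bytes.fromhex("9f0c"):
        raise RuntimeError("SIM rejected RUN GSM ALGORITHM")
    resp = card.transmit(GET_RESPONSE)
    if resp[-2:] != bytes.fromhex("9000"):
        raise RuntimeError("GET RESPONSE failed")
    return split_output(resp[:-2])


def network_authenticate(operator_ki: bytes, card: SimCard):
    """Operator side: issue RAND, recompute SRES/Kc from its own Ki copy, compare."""
    rand = os.urandom(16)                                      # step 1
    sres_from_sim, kc_phone = phone_authenticate(card, rand)   # steps 2-5
    sres_expected, kc_network = split_output(a3a8_standin(operator_ki, rand))
    ok = hmac.compare_digest(sres_from_sim, sres_expected)     # constant-time compare
    return ok, kc_phone, kc_network


if __name__ == "__main__":
    ki = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed test Ki
    print(network_authenticate(ki, SimCard(ki)))             # matching Ki: accepted
    print(network_authenticate(ki, SimCard(bytes(16)))[0])   # different Ki: rejected
```

Neither Ki nor RAND-independent state crosses the SIM interface; everything a sniffer on that interface sees is RAND going in and SRES plus Kc coming out, which is why the strength of the derivation function matters so much.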

The big question remained: how exactly does the COMP128 algorithm work?

After some searching I found that there are three versions of COMP128, but only the first one is available to everyone.
--------------------
A little history: after version 1 of COMP128 was published, it turned out that by observing the input and the output of the algorithm for several inputs, one can easily recover the secret key Ki. This means SIM card cloning! It also means that if someone "checked" your SIM card before you obtained it from the shop or from your company, he will know the secret key, so if he manages to sniff your calls over the air, he will be able to decrypt the communication without much effort. So far only version 1 is known to be weak against this birthday-paradox-based attack, and this is why it's not used any more (discontinued in 2002).
Since versions 2 and 3 have not been officially published (again, I have not found any publication of them so far), extensive cryptanalysis has probably not been carried out on them (khmm.... just saying...)
--------------------

It seems that versions 2 and 3 have not been published yet, or was I looking on the wrong Google?
I became kind of frustrated that this presentation would be a bit incomplete, so I decided to dig a bit further. Luckily I "found" a piece of test software used for SIM card compliance checks, which could also check versions 2 and 3 of the algorithm! Only one thing was left: reverse engineer the software to learn the actual algorithm, and then check it against a valid implementation to be sure (remember the programmable SIM card I mentioned? :)).

Using IDA I was able to recover the two algorithms from the software and implemented them in pure Python. (Have I mentioned that I love Python?) It took some time, but I think it was a really good opportunity to learn a bit more about IDA :)

Testing took almost as long as the reverse engineering, because the command to change the algorithm of the programmable SIM did not work as described in the documentation, if we can call that poorly written nothing documentation. (I'll post the working command, but right now I don't know where I have put it.)
For this, I wrote a small Python script to load a key into the programmable SIM, generate 1024 random 16-byte RAND numbers, send each one as the argument of the AUTH command, and store the response. (Doing this for both v2 and v3 is like a little brute forcing, huh?) Another script cross-checked the results from the SIM against the results from the Python implementation. No errors were found :) This, however, doesn't mean that my implementation of COMP128v2 and v3 is perfect and completely follows the standard (as this part of the standard is not published, as far as I know), so please check it yourself and let me know the details.

Some words about COMP128.
In v1 and v2 the last byte of the Kc was always 0x00, and the byte before the last was guessable (it could only take 4 different values, if I remember correctly). This means that the key used to encrypt your communication was weakened on purpose. In v3 this "limitation" was finally removed, but that doesn't do much to increase security, since the encryption algorithm used in GSM communication (A5) is officially broken. If you want security, switch to 3G: the algorithms used for encryption and authentication there are public, and so far there are no publicly known weaknesses in them (as far as I'm aware).
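A way to measure this weakening on recorded Kc values, as an added example that is not the author's code: it finds the Kc bits that never change across a sample and reports how many bits actually vary. The function names are hypothetical, and the sample data is constructed from hashes and models only the always-zero last byte stated above.

```python
import hashlib

MASK64 = (1 << 64) - 1


def constant_bit_masks(kcs):
    """Return (always_zero, always_one) 64-bit masks over the observed Kc values."""
    if not kcs or any(len(kc) != 8 for kc in kcs):
        raise ValueError("need at least one Kc, each exactly 8 bytes")
    always_one, any_one = MASK64, 0
    for kc in kcs:
        value = int.from_bytes(kc, "big")
        always_one &= value   # bits set in every sample
        any_one |= value      # bits set in at least one sample
    return ~any_one & MASK64, always_one


def analyse_kc(kcs, min_samples=16):
    """Summarise how many Kc bits vary; with few samples this is only a lower bound."""
    zero, one = constant_bit_masks(kcs)
    fixed = bin(zero | one).count("1")
    last_byte_zero = (zero & 0xFF) == 0xFF
    return {
        "samples": len(kcs),
        "effective_bits": 64 - fixed,
        "last_byte_always_zero": last_byte_zero,
        "conclusive": len(kcs) >= min_samples,
        "guess": "v1/v2-style (weakened Kc)" if last_byte_zero else "v3-style (full Kc)",
    }


def constructed_kcs(label, n, zero_last_byte):
    """Constructed sample data (not from a real SIM): hash-derived 8-byte values."""
    out = []
    for i in range(n):
        kc = bytearray(hashlib.sha256(f"{label}-{i}".encode()).digest()[:8])
        if zero_last_byte:
            kc[7] = 0x00      # model the always-zero last byte of v1/v2
        out.append(bytes(kc))
    return out


if __name__ == "__main__":
    print(analyse_kc(constructed_kcs("weak", 64, True)))
    print(analyse_kc(constructed_kcs("full", 64, False)))
```

Run against Kc values recorded from a real card, any further fixed or low-variation bits show up in `effective_bits` without the script assuming them in advance.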

I hope that by sharing this algorithm I help everyone who wants to know how the SIM card works to get a better understanding. I was thinking about implementing this algorithm on a Java Card, thus creating programmable SIMs, or using it as a software-emulated SIM to test some weaknesses in the GSM network, but so far I have a lot of work to do. If someone does this, please drop me a mail :)

Implementation and some test vectors (not a well-defined test vector set, I know):
comp128.7z


Thank you for reading!

p.s.: this is my first blog ever, suggestions how to do it better are always welcome

39 comments:

  1. Hi
    In the file there is only comp128v2. Could you make comp128v3 and comp128v1 as well, to compare against a SIM card that I have?
    I want to try something.
    Thanks

    Replies
    1. Sorry for the late reply.
      If you look carefully you will find that version 3 is also included in the script :)
      Version 1 is all over the internet, it was published in 1998. But here is a link:
      http://cgit.osmocom.org/osmocom-bb/plain/src/shared/libosmocore/src/comp128.c?h=prom/dietlibc

  2. Hi, I'm working on a project, OpenBTS in GSM, and so I want to know how to obtain the IMSI of a SIM, or should I use a programmable SIM... If so, then how can I program it?

    Replies
    1. Hello. The easiest way is to sniff the data between the SIM card and the mobile phone while you are turning it on.
      You can use this: http://bb.osmocom.org/trac/wiki/SIMtrace/Hardware

      You will have to use a programmable SIM card eventually for testing.

  3. Hi
    May I know how to find out the type of encryption algorithm which is used in SIM cards?

    Replies
    1. It will not be a hundred percent true, but something like this:
      1. COMP128v1 is not used anymore, so you will probably never encounter it.
      2. COMP128v2: the generated Kc's last byte is always 0x00.
      3. COMP128v3: the last byte can be anything.
      After 1 or 2 challenge-response requests you will be able to tell the version.

  4. Dear H.P.,
    Your article is really interesting, and your skills and commitment to understanding SIM technology are impressive.
    Although I would like to discuss this (or another) theme with you, I am pretty much ignorant in these matters.
    Nevertheless, congratulations.

  5. It's very interesting.. anyway, I don't understand one thing:
    For a SIM card that contains algorithm v2 or later, is the input for authentication on the SIM card the same?
    In other words:
    step 1. sendToSim("AUTH",RAND)
    step 2. receveFromSim(SREQ,Kc)

    Replies
    1. Yes, it's the same on all three versions of COMP128

  6. Excellent work.

    I hope you don't mind, but I've done a C port of your algorithm and Comp128-1. They're available here:
    https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_eap/libeap/comp128.c

    This now allows FreeRADIUS to act as an AuC for EAP-SIM authentication which is pretty neat.

    I couldn't see a license attached to your original code. It'd help us (the FreeRADIUS project), if you released your code under something like GPLv2 so there are no legal issues later down the road.

    Of course, if you don't want your code redistributed in the form (above), I'll remove it from our repository.

    I've credited your website (hackingprojects.net) as being the original author. If you'd like your real name and email address listed there instead, don't hesitate to contact me (just send me a message on Google+).

    If you happen to have a document which describes Comp128-4, that'd also be very useful as it'd allow us to implement support for that also.

    Anyway, thanks again for this excellent work.

    Replies
    1. I have posted the code for anyone to use. I'm happy for it to have landed in a project such as yours :) I believe COMP128-4 is still under development, therefore nothing to hack on it so far.

    2. Also, I give up on Google+... can we discuss things in mail?

    3. Sure a.cudbardb@freeradius.org

  7. Great article. You mention in it that you worked out the command sequence to get the sysmocom grcard working. Is there any chance you can post that info? I know it would save many of us a lot of time since the documentation sysmocom has available is pretty thin.

    Thanks in advance.

    Replies
    1. If it's still an open issue, drop me a mail. I wanted to create a new post on the technical howto, but I did not have time for that :( I still have the Python scripts somewhere...

  8. Thanks for the article, it's very useful.

  9. Hello, very nice article, congratulations. Can I email you?

    Replies
    1. Sure, hackingprojectsblog at gmail.com

  10. Is it possible to make this into an application that could be used with a card reader? I have an old card reader lying around and was hoping to put it to use.

    Replies
    1. I don't understand the question. This algorithm should be generating the responses.
      For communicating with the sim card, a generic card reader can be used.

  11. Great stuff. I would like to use it in my pyprotosim tool (see http://sourceforge.net/projects/pyprotosim/?source=directory)
    You will be credited and your site linked.

    Replies
    1. Sure, go ahead. For credits, please drop me a mail at hackingprojectsblog at gmail.com

  12. Hi. I need to copy some contacts from an Indian SIM card. If someone can do it, please contact me at amarjit999@gmail.com. I can pay for it.

  13. Hello,

    Great article ... did you make any progress since then ?!

    Thanks and keep going

  14. Interesting article. COMP 128/1 /2 and /3 have been designed by the GSMA and the specs are supposed to be confidential. To get them you're supposed to sign an NDA with the GSMA.
    To be honest with you, COMP isn't used anymore, it was too weak and too easy to clone a SIM card. Since the emergence of 3G, a new algorithm has come, named Milenage. It is described in the spec 3GPP TS 55.205 and is far more difficult to crack. So far, I haven't heard that it has been cracked.

  15. Please send me the SimTrace software download link

  16. How can i initiate a Tandem Free Operation-TFO on mobile phone?
    I want to do this on GSM Phone.
    Any idea regarding this?

  18. Thank you very much for this advantageous work.
    However, because of these weaknesses in encryption based methods, wireless physical layer security is emerging in the research community of wireless systems as a new, promising way of perfectly securing your communication without using shared secret keys.

  21. http://vaaiibhav.me/category/tuts/electronics/embedded/

  23. Greetings -

    Sysmocom states that you need both the Ki and OPC to crack the SIM. I noted your excellent blog above that you need both RAND and Ki, but can only generate 1024 RAND; Ki needs to be obtainable. Thoughts? Unless I missed it.
