Thin SIM-based Attacks on Mobile Money Systems

Video thumbnail (Frame 0) Video thumbnail (Frame 802) Video thumbnail (Frame 1703) Video thumbnail (Frame 3927) Video thumbnail (Frame 8148) Video thumbnail (Frame 9523) Video thumbnail (Frame 11548) Video thumbnail (Frame 12767) Video thumbnail (Frame 13652) Video thumbnail (Frame 15889) Video thumbnail (Frame 18625) Video thumbnail (Frame 19598) Video thumbnail (Frame 20762) Video thumbnail (Frame 21798) Video thumbnail (Frame 23997) Video thumbnail (Frame 25785) Video thumbnail (Frame 27900) Video thumbnail (Frame 29139) Video thumbnail (Frame 29853) Video thumbnail (Frame 31352) Video thumbnail (Frame 33635) Video thumbnail (Frame 34680) Video thumbnail (Frame 36371) Video thumbnail (Frame 37497) Video thumbnail (Frame 38488) Video thumbnail (Frame 40085) Video thumbnail (Frame 40796) Video thumbnail (Frame 41849)
Video in TIB AV-Portal: Thin SIM-based Attacks on Mobile Money Systems

Formal Metadata

Thin SIM-based Attacks on Mobile Money Systems
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Phone-based mobile money is becoming the dominant paradigm for financial services in the developing world processing more than a billion dollars per day for over 690 million users. For example, mPesa has an annual cash flow of over thirty billion USD, equivalent to nearly half of Kenya's GDP. Numerous other products exist inside of nearly every other market, including GCash in the Philippines and easyPaisa in Pakistan. As a part of this growth, competitors have appeared who leverage ThinSIMS, small SIM card add ons, to provide alternative mobile money implementations without operating their own mobile networks. However, the security implications of ThinSIMs are not well understood. This talk dives into decade old telecom standards to explore how ThinSIMs work and what attackers of mobile money systems can do when they control the interface between the SIM card and the phone. We will also demo two proof of concept exploits that use ThinSIMs to steal money from mobile money platforms and detail the difficulties of defense.
Mobile Web Roundness (object) Multiplication sign Control flow Cartesian coordinate system Simulation Physical system
Mobile Web Source code Mobile app Simulation Chemical equation Structural load 1 (number) Plastikkarte Coma Berenices Heat transfer Average Cartesian coordinate system Planar graph Arithmetic mean Average Smartphone Form (programming) Asynchronous Transfer Mode
Gateway (telecommunications) Mobile app Game controller Server (computing) Identifiability Memory card Menu (computing) Interface (computing) Number Different (Kate Ryan album) Computer hardware Computing platform Form (programming) Mobile Web Authentication Area Source code Mobile app Simulation Standard deviation Touchscreen Interface (computing) Cellular automaton Point (geometry) Archaeological field survey Memory card Plastikkarte Bit Cartesian coordinate system Connected space Degree (graph theory) Software Integrated development environment Tower Charge carrier output Smartphone Computing platform Simulation
Dialect Dataflow Mobile app Service (economics) Dependent and independent variables Length Menu (computing) Number String (computer science) Encryption Software testing Message passing Directed graph Form (programming) Personal identification number Simulation Touchscreen File format Chemical equation Interface (computing) Plastikkarte Menu (computing) Cartesian coordinate system System call Type theory Message passing Database normalization Personal digital assistant Web service Interface (computing) Smartphone Simulation Data structure Row (database)
Simulation Touchscreen View (database) 1 (number) Plastikkarte Database transaction Menu (computing) Theory Field (computer science) Number Web service Sign (mathematics) Web service Right angle Software testing
Mobile app Functional (mathematics) Service (economics) Distribution (mathematics) Code Thermal expansion Plastikkarte Equivalence relation Code Akkumulator <Informatik> Term (mathematics) Charge carrier Maize Information security Form (programming) Mobile Web Mobile app Simulation Distribution (mathematics) Touchscreen Interface (computing) Chemical equation Memory card Shared memory Data storage device Plastikkarte Bit Cartesian coordinate system Arithmetic mean Process (computing) Software Personal digital assistant Function (mathematics) Charge carrier Text editor Resultant
Simulation Mobile app Personal identification number Term (mathematics) Plastikkarte Menu (computing) Diagram Cartesian coordinate system Simulation
Mobile Web Mobile app Dependent and independent variables Simulation View (database) Dependent and independent variables Menu (computing) Cartesian coordinate system Malware Message passing Different (Kate Ryan album) Phase transition Computing platform Software testing Data structure Simulation Sinc function Directed graph
Point (geometry) Personal identification number Simulation Mobile app Dependent and independent variables Demo (music) Phase transition Data storage device Plastikkarte
Personal identification number Slide rule Mobile app Personal identification number View (database) Numerical digit Ferry Corsten Chemical equation View (database) Chemical equation Menu (computing) Formal language Thomas Kuhn Mathematics Message passing Computer configuration Software Phase transition Web service Statement (computer science) Simulation Resultant Directed graph
Arithmetic mean Simulation Touchscreen Software Phase transition Demo (music) Phase transition Plastikkarte Mikroblog Hill differential equation Database transaction 2 (number)
Simulation Greatest element Personal identification number Length Chemical equation Plastikkarte Menu (computing) Cartesian coordinate system Database transaction Frame problem Mathematics Message passing Phase transition String (computer science) Videoconferencing Electronic visual display Statement (computer science) Message passing Data structure Directed graph
Personal identification number Simulation Demo (music) View (database) Multiplication sign Demo (music) Plastikkarte Login Message passing Phase transition Web service Hill differential equation Simulation Directed graph
Point (geometry) Demo (music) Electronic mailing list Database transaction Price index Disk read-and-write head Twitter Oval Phase transition Source code Location-based service Maize output Simulation
Game controller Simulation System call Plastikkarte Control flow System call Number Mechanism design Right angle Right angle Simulation Window Physical system
Laptop Game controller System call Hoax Open source Bit rate Database transaction Number Web service Phase transition Cuboid Module (mathematics) Installation art Pay television Simulation Software developer Cellular automaton Debugger Plastikkarte Database transaction Bit Line (geometry) Control flow Demoscene Social engineering (security) Message passing Software Tower Phase transition Routing
Point (geometry) Game controller Dialect Simulation Service (economics) Demo (music) Demo (music) Plastikkarte Database transaction System call Number Connected space Web service Message passing Software Phase transition Right angle Intercept theorem Error message
Type theory Duality (mathematics) Dialect Web service Hecke operator Chemical equation Chemical equation Hill differential equation Simulation Number
Personal identification number Web service Chemical equation Chemical equation 1 (number) Simulation
Personal identification number Simulation Demo (music) Chemical equation Transport Layer Security Demo (music) Mikroblog Database transaction Menu (computing) Cartesian coordinate system System call Symbol table Number Web service Arithmetic mean Personal digital assistant Phase transition String (computer science) Phase transition
Execution unit Simulation Computer configuration Demo (music) Phase transition Chemical equation Demo (music) Electronic visual display Cartesian coordinate system
Personal identification number Point (geometry) Personal identification number Chemical equation Phase transition Chemical equation Demo (music) Execution unit Bit
Reading (process) Trail Functional (mathematics) Game controller Mobile app Implementation Link (knot theory) Code Multiplication sign Demo (music) Facebook Web service Phase transition Authentication Simulation Dependent and independent variables Standard deviation Touchscreen Key (cryptography) Interface (computing) Memory card Interactive television Data storage device Code Plastikkarte Database transaction Price index Control flow System call Uniform resource locator Message passing Software Personal digital assistant Chain Order (biology) output Musical ensemble Electronic visual display Simulation
let's give Rowan a first time speaker a big round of applause hi so my name is Rowan I'm undergrad at the University of Washington and last summer I was doing research into using thin shims to break mobile money applications so first what are mobile money applications sir so if you've ever used
ven mode then you've probably used a mobile money applications the basic idea is you have a balance you can load money into by whether in it's usually some form of app then you can transfer that money to other people and make payments that through that way now the ones you've probably seen all run on smartphones but it's possible to run these things on the SIM card of a phone or over other means so they're actually very widely used so there's 700 and almost 700 million accounts worldwide Jonah's children's are 76 deployments in 90 countries and transfers there were a
billion dollars a day now a lot of these users don't transfer very much money though it's 198 a month which on average and that's because they would live in places where they don't make much money so these applications are very widely used in places like Africa and Southeast Asia for people who don't have access to banks and the reason why they'd be using this over banks is that banks are a lot
rarer and so here you can see there's roughly five hundred thousand banks in developing countries where is there's 2.2 million mobile money agents so and so all you need to be mobile money agent is just have phone and have access to cash so there's the infrastructure required is a lot lower so it's a lot easier to get access to it and so if you're a referral farmer and the nearest bank is a couple of villages away you probably would not have a bank account but a bank because it's going to take too long to get there and so you don't the way you could store your money is by trying to keep it safe somewhere so maybe bearing into the ground and that has its own issues like maybe you lose it gets stolen so mobile money is actually a really useful tool for these people to try and you more financially secure and so it doesn't only run over up over to smartphone apps the most popular interface is you SST I'll explain what that is later on then there's smartphone apps then there's some toolkit apps which run all the sim card and I'll explain those as well and then there's IVR so this is the the interface is offered by these platforms so most of them offer us SD so
this is the trade-offs between the different between the different forms of applications so you've got smartphone apps which everyone knows with smartphone app is it's got a very rich UI there's it's very easy to develop for this existing development environments it does not require any cooperation from the phone company you can just load an app on your phone start running it it needs a data connection which can be a bit difficult to get in some areas and also requires a smart phone of course which comes with its own host of issues which means you know then you have to have be able to charge it every day they're fragile if you break the screen that's a big problem so they're not so useful in these environments since most people also don't have smartphones because they cost money so then you have some toolkit apps now these run on any hardware so that's good they also don't require a data connection they usually use SMS as a backhaul - or is a connection back to the servers to make things happen they've got a menu best UI so it's visual it's does not it still requires some it requires a lot of cooperation the phone company though because the application needs to be on the SIM card so you also need a special SIM card that has the application pre-loaded and this can be difficult if for example you knock the phone company and trying to convince them to put the app on the phone and then this ussd which runs on any phone again it's built into the GSM standards it does not require any special SIM card it's got a very standardized UI it doesn't require data still requires carrier cooperation because the phone company has to set up the Gateway to allow your application actually run and give you a number people to call it does however it only provides a text-only interface the experience though people don't seem to care about this it's perfectly fun they don't mind using text only it's very fast they've figured out how to use it in a very fast and efficient manner so we all know that SIM cards are to some degree but just to go over it they identify using the network they can authenticate devices on network they can do call control which again I'll explain later and they can run the sim toolkit applications among other things so some talk sim toolkit applications run the sim card they consist of menus and input prompts they cannot also send SMS place calls get which cell tower you're talking to get the phone's IMEI I which is its equipment identifier and a few other things as well it's defined by a GSM standard as well so this is an example of what they look like someone's left you have a sim toolkit app running on a smart phone so you can see you've got menus you tap on a menu and then it might pop up a prompt to ask me for text and then alright you've got running on a feature phone or a basic phone and so then it's still a very similar UI except you just navigated with the keypad so
this is an example message flow from Mobile Money application it's a little modified that the idea still stands so what you can see is that Emme is mobile equipment so that's the users phone and the SIM card is the SIM card so what you can see is that all messages are always start from the phone and then get sent to the SIM card so here you can see the phone is telling the SIM card that someone entered into an application with this ID the SIM card then says great select an item from this menu the phone says here this is what they selected the SIM card then asks for the abusers pin user provides a pin SIM card will then go from connect to the network and make the payment go through in this case I it's just hand wavey but usually this is done through some form of encrypted SMS and then the SIM card will then display the balance user and the user will terminate the session so this is what
the messages look like to TLV so you've got the tag length of the body and then the values so it all it sim toolkit commands always start with the D 0 and then the length then you've got the command details tag so this will tell you what command you're trying the what command is being since then you got a device that empty tag which I feel it's a bit redundant because you can already figure that out from the command details tag but it basically just tells the phone where the message is coming from and where it's going and then you've got various tags associated with that type of message so you've got a text string tag this is just saying that they're trying this is just displaying its text on the screen basically so they've got us SD or unstructured supplementary services data so styled like a voice number no records are stored on the device however so while you would dial it with the same phone application that you would usually use to say call someone usually there's a call log associated with that so you can go back and see which numbers you've dialed before you SST doesn't have that so there's no way of going back and checking which which ussd numbers someone has dialed Rudd's text on the interface and here you can see it running on a smart phone this is an application we were using for testing so this is the format that
numbers are in so it always starts with a star and the numbers pound then a pound sign so the first one will just connect you straight to this service now if that well if you know the service always pops up the same menu when you get there and you know you want to enter in one in the first screen then you can actually just append star one to the number and then that means it'll enter in one of the first menu prompt and a skip straight to the second one assuming one is valid input for that and you can change this many layers deep as you want you'll get stuck though if you make a mistake and then it will repeatedly try the subsequent numbers on the same screen which can lead to unexpected behavior but you can chain it in as many layers deep so in theory you can do an entire transaction of going through many many screens just in one command and this is how most users end up using this service so now for thin Sims which is
what we were actually using in this to do these attacks so you can see they're very thin devices they go between the sim card on the phone I have some people wanna have a look at them later but currently hand them around so they've they fit any size SIM card so you can see we've got the ones on the left other ones that we were using for testing require cutting out the corner of the SIM card and as such they can under views with mini Sims the ones on the right you see they've got different they're much smaller and so they can work on both Nano and micro Sims as well as many sims so their field and so this
means anyone can install it you don't need specialized equipment it's kind of like a screen protector in terms of installation process for some then they contain all the functionality of a SIM card I mean they're just running codes so you can write anything you want onto it I they're free from carrier restrictions and therefore they allow third party applications this is also useful because the phone companies on the one putting it in you can put anything sim you want into your phone and then they can read and modify all the communication because between the sim card the phone because they're sitting on the interface so the original use case for these was cell phone unlocking so back when you had a lot GSM phone that was locked to a network you could put a thin sim into it and be able to use the thing and use the phone on any network which is very useful then they could the other use case we've seen is distribution of apps I'll talk about an example of that as well later on if you've got if for example your company trying to put an application both SIM card and the phone company doesn't want you to put it on then you can use a thin sim to get around that and finally there's the case of malicious installation so this would be most of these attacks involves to being able to steal money from over money applications so say you're a shopkeeper and you want to make a bit of money on the side you run a phone repair business and you're trying to make a bit more money you could put a thin sim in and be able to scrape bit of money off the top not recommending this by the way so let's look at em pacer so M pacer was founded by Safaricom in
2007 the original way it was founded actually was users had these recharge codes that would add balance into their account into their accounts and they would buy these codes and then send them around as as a form of payment so in exchange of services you would then send someone say a 10 recharge code they would they could then either apply to their account for a tenant for 10 of airtime or sell on to someone else and eventually someone might sell it back to the store keeper to a shop keeper who would sell to another user and so eventually Safari from was happening and realized they could make em pacer and which was the Mobile Money application and cut all this out of the loop and make it a lot more streamlined and safe for the users so today it transfers 24% of the Kenyan GDP each year so it's very widely used it's expanded to many other countries and editor it definitely runs over sim toolkit application it's not necessarily currently the primary way it runs but is definitely run over that in the past and so and then Equity Bank came along in 2015 so they wanted to run their own mobile money application and so they because they came along and they because they wanted more people be able to use it they couldn't run it on a smartphone hour so they needed to use either us st or a sim toolkit and whatever reason they decided to run as a sim toolkit application now unfortunately Safaricom had 80 or 90% of the market share and of course they didn't want to put a competing application onto their SIM cards so as a result they're forced Equity Bank to try and distribute their app as a thin sim so there's a court case about this with Farrakhan trying to stop them from doing this the court eventually allowed them to do it but there was very little no one really looked into the security implications of this so here you can see a phone with a
thin sim installed an app running on within Sims you notice that all the traffic goes from the phone to thin sim and never touch to the SIM card this is all fine no data is really at risk here then when you've got application on your
sim card however this diagram makes it look like the data is travelling from the phone to the SIM card but really what's happening is it's being sent from the phone to the thin sim the thin sim is then deciding to forward it on to the phone and then the on to the SIM card and then it can then the SIM card can process the data and send it back but the thin sim is processing all the data as that goes through so there's probably some fun things to be done here so what if it's what if this term is not friendly
what if there's some malicious code on it so there's a lot of things that can be the thinnest him can do let's just look at the first three eyford first attack so this is the ability to intercept modify and create some toolkit commands then view the response to those commands in plaintext and then the ability to send SMS messages without notifying the user so this attack was primarily
targeted at the EM pacer sim toolkit application because we needed a target platform we also did some testing in its air tell them it's some modifications just because it's got a different menu structure it would work against that as well and probably any other sim toolkit based mobile money platform so the attacks takes place in two phases you've got first we steal the credentials and then we actually make the fraudulent payments soap you've got the phone since
him and a SIM card so initially the there's a transparent the user is using the sim toolkit up and it's completely it's not clear at all this Simca thin sim installed they can't tell they're just using this the sim toolkit up on the sim card everything is normal eventually the sim to eventually the app will ask the user for a pin and at this point the thin sim will start listening then the user will respond with the pin and the thin sim stores response at this point the thin sim has stalled their credentials for later use and the user doesn't know anything about it so then we have demo
okay so this is me entering into the and
pacer app or so so first I check to see there's no so I'm just start this again
okay what I'm going to do is first check there's no verify there's no pin stored then entrance the end pacer app try and check my balance and then view the pin afterwards to show that it's captured now unfortunately Safaricom Sims if you don't use them for too long they become then no longer active and sir this one we didn't use so for too long and as a result it can't actually send SMS messages it but the attacks this still proves the first half of the attack so here I go and view the pin that is stored it says no pin is captured so then I go into the em pacer app navigate through some menus check the balance it then asks with pin says okay and then it fails to send the SMS because it's not active on network exit out view the pin and now we have the pin stored back to slides
okay so now for Phase two this is where
we actually go and make the fraudulent payment so again you've got the phone thin seam and the SIM card so first there's a status update now these status updates are sent roughly every 30 seconds from the phone to the SIM card we're just using this as a way to trigger the attack although it could be triggered through various other means so once the thin SIM decides it wants to start the attack and then begins a transaction begins a sim toolkit session with the sim card in this session it goes and sends all the data required to initiate a transaction the data sent is exactly the same data the SIM card would expect to see if the user was interacting with the SIM card eventually the SIM card will then try and contact the network this is via sending an SMS now usually this would pop up a notification on the screen however that would tell the users something bad has happened something weird is happening and they might be able to try and stop stop whatever's going on so let's see if there's a way around that so here you
can see this was taken one frame taken out of the previous video unfortunately if the sim card is active it would have been more obvious what was going on but here you can see that there is a message at the bottom is telling the user that the application is sending an SMS now the application can specify the string
so you've got the message that was actually sent either the SIM card sent to the phone to make this SMS happen so you've got all the stuff to start with the command details and the device ID underneath and then you've got this text string and this is what is actually displayed to the user and then that's followed by the SMS TPD due which is the body of the SMS and where it's going and all those boring things so how can we make this go away now you might think oh let's just remove the text string and maybe it will disappear well unfortunate that leaves it up to the phone to decide whether it wants to send display something to the user and most phones will display something to the user telling them that the SMS is being sent but however if you just give it a null string so just tell you've got a string of zero length nothing shows up and so then you can send an SMS without the user seeing anything so that's what we do so if we go right back the SIM card is trying to send a message the thin sim takes a message removes the bytes that would make something show up on the screen and replace it with a zero length string and then sends a silent SMS that doesn't show up to user so what
this looks like
so let's start again alright so what this looks like the user so it means it's verified we've got a pin stored and then we start the attack then the user won't see anything unfortunately because the SIM card is decide is not active it will still show the failed sent SMS but the other message didn't pop up and I had our time it's there in the it's there in the logs and the ability the ability to send silent messages is shown in another demo as well so that's that's the okay so at
this point we've successfully star trend done the transaction and there's no indication to use the money has gone anywhere or anything this happens really at all okay cool so let's go back to the
list of capabilities yeah so we've
already used the first three so let's look at the next two so the ability to log and redirect calls both the voice and your SSD and the ability to make USSD calls without notifying the user so this is done via called control so what call control is is whenever you dial a number to call on your phone first the phone will actually ask the SIM card so say you then ask the phone ask the SIM card hey can I call this number and a SIM card will respond yes sure here you go you can call the number however the phone the SIM card can also say no you can't call that number and just deny it outright or it can modify the call and say sure you can call a number but replace it with this one instead now instantly for voice calls depending on the phone this may or may not show up and the call log is being redirected on the Android phone we had it was shirt did shop is being redirected however on the feature phone we were testing on from 2005 was running some windows operating system it didn't show up and it's showed the original phone number so this doesn't sound too
bad right we can just it's just messing with what people calling but there's lots of fun things to be done with this sir because USSD is not usually tracked
maybe you're using a USSD service that you wouldn't want other people to know you're using whatever reason so if you had a thin sim installed that was looking at coal control it would then be able to see you calling which can then be used for advertising surveillance blackmail whatever you want it could also use the phishing attacks if you ever trying to set up a fake customer support line and trying to get someone to call it this makes it a lot easier you know you just make them call the original customer support number it redirects to your own number and then you can get away with whatever social engineering attacks you're trying to do you can also route all they call through some premium number and just make the phone bill go really high and charge them a lot of money that way of course would be a premium number you own so you get the money for it or you could redirect USSD calls let's see what happens if we do that so for the USSD attack takes place in two phases again you've got stealing credentials and making transactions however this requires attackers to set up their own USSD service which the other one didn't require the attackers set knitting up and depending on the country attack setting up a ussd service can be anywhere from easy to almost impossible for example in the US no one really uses ussd i've never seen any Giusti sessions the closest scene is for example of 18 t you dial star data pound and then we'll send you an SMS back with the data usage you've got for that month so this is the
setup we had so we've got laptop running the osmocon our network in a box which is assaults install software a cell tower software unfortunately nothing no out of the box sulfur and software I could find those open source had functioning USSD capabilities so we had to modify it a bit with various patches from various years and it worked in the end then we've got your sabi b210 which is actually the radio we're using then you can see what kind of phone sitting there with a development module thin SIM plagued into the back of it and then a debugger attached so I can view the the messages that are actually being sent between the phone and SIM card for debugging purposes so here you've got a
phone the two services you've got legitimate one that the user is trying to access the attacker service they've set up and then you've got the thin the thin sim and the SIM card as before so the first thing the user is going to try and do is they're going to try and dial the number of fourth legitimate service now this initiates call control so it then ask the the tries to ask the sim card cannot dial this number however because there's a thin sim installed the thin sim intercepts that and decides to redirect it somewhere else so the a then gets redirect as the attackers service now the attackers service will mimic all the menus for the legitimate service perfectly and so the user will go through all the menus are expecting to go through and enter in all the payment details have a right before the very end that would actually of the message right for the very end of the transaction would actually send the money the attack of service will return an error this because it can't actually make the transaction go through the user it would likely interpret this is some kind of network connectivity issue and try again later at which point it would go through with no issues so we have
demo of that as well
okay so in this summer I'm going to dial
the dial the number for our your ste service and it will redirect it to tacko service so now I'm dialing for
legitimate service it gets redirected without telling the user anything so we go through and then enter into check balance so we type 1 press ok so then ask him
our could try again later sir we exit out of this just meet that to try again I don't know why it takes so long to access the USS tea service it really shouldn't but it does Sam eager to whom we try and check the balance again so entering one's check balance again we go and enter in the pin
and now we actually have the balance so notice this is a 9001 so over 9000 all
right let's get back okay so that's the
demo face 1 so then in phase 2 we
actually go on try and steal money so again this is triggered through some means in this case we just triggered it through a menu item in the sim toolkit application however again it could be triggered through their status update or something if the like so first the thin symbol called the attacker service because it needs to get the pin back so we'll call the attacker service and get the retrieve the pin next it will so then it gets the pin back and then it will actually make the transaction so when it does here the strings together the entire command it would need to do so beast like star 1 2 3 star tooth make transactions star and then the destination phone number another star then the amount that trying to send star 1 4 confirm star and then the pin and then pound that's that's the string we we need for this service particular so
we have demo of that okay so going to
the sim toolkit application so we select send us esteem it waits a while because there's no it doesn't display to the user anything is happening usually it would but we've made it silent so now
let's go and check the path let's check the balance to see that we've actually since the money somewhere so now we go
through and actually go and check balance entering the pin again
and now the balance is much lower
this is sending a bit of a 600 current
units of currency somewhere to another account so at that point there's not
really a lot the user could do it the money's disappeared by the time they notice it's probably been shifted to another account or cashed out of the network so that there's no there's no method to recourse and customer service in these places often not so great so there's very little chance of users getting their money back so there are a
couple more capabilities I didn't really talk about there's the ability to track location updates so this is what tells how the user who's talking to you could make some like some snooping software the to track users doing that there's GSM authentication this is not really so much an attack but it's you can use it if you know the m-z of the device of another user and the key for the network you can then get pretend to be that user and then you can read any data off the SIM card including the MZ and the phonebook if that's stored there also in the GSM standards it allows phones to store SMS messages on the SIM card and in the case where that messages being stored on the SIM card the thin sim would be able to read those as well as they went past so let's look at some possible defenses now so you could disable call control this would get rid of all the call control based attacks as well as the ussd based attack because you simply if you can't redirect the call the attack is completely impossible however that requires modifying the phone standards and then updating all the phones which is not really going to happen because these use a lot of the users would be affected by this don't have data and if they have data they want to use it for Facebook and whatsapp that's what they can beautiful and so they're not consol apps though so they're not going to sew up dates it's not probably not pop necessarily password install a software update so the of the F of these devices well not all the companies that made the devices are even still around necessarily so then there's the ability to then disable him silent silent outgoing SMS and USSD this wouldn't actually prevent the attacks all that would do is prevent the notification was make it clear to the user that something bad is happening now again unfortunately this requires modifying the standard and has all the associated difficulties you could discourage the use by encouraging phone company is to put third-party apps onto their SIM cards this would then require a lot of cooperation from phone companies who may not want to cooperate and may have financial incentives not to cooperate in the case of impact in the case of Safaricom this would at least make some thin sims not normalized so if someone saw a thin sim at least then there'd be very suspicious of what's going on you could use confirmation code so first implicit uses T you could send the confirmation code step after the transaction has gone through then the user would have to enter in that confirmation code in order to verify the transaction and make it grow through this works great for phones where the SMS messages are not stored on the sim card if it's audible the sim card than thin sim has access to it and so this is completely useless in for those devices I don't know how many devices out there I have that functionality so I don't know either ussd you could require the use of the entry and confirmation value on the screen so this don't this doesn't work with sim toolkit because it would need to talk to the network but the essential idea is that once once you start the ussd session there's no indication the the sim card can't interact with it anymore so if the session completes and guess the end without having to require any more input the the sim card then get does get the response the final response to the sent back it needs more input it will then ask the user for it and there's a prompt that shows up so what this would mean is that the thin sim would not be able to completely predict the message that it would need to send and something would show up on the user's screen do it allow them to then deny the payment deny the transaction and stop anything bad from happening so this would be quite effective and finally you know it's a it's a plain text interface why can't we just encrypt it and well there is actually a standard for that however of course no one that's the standard that would be too sensible I yeah it's been around for many years but no there's no implementation of it so there's a link to the paper that I use that we've written for this as presented a conference in June and then this is a couple standards that there are does anyone have any questions yep Asura if you buy your own SIM card I mean you'd so as inferno for seeing those of the yeah I'm the thin get your SIM card would be very clear if there's a thin sim installed or not it's very obvious yeah however the interesting note it might be possible to can do all these attacks if you actually had software running on the SIM card itself sir if you had supply chain issues for example you might also not be safe yep the I don't believe it's possible get the key of the SIM card it was possible thin sim might be able to do it yeah it's not awesome we looked into cool thank you [Applause] [Music] [Applause]