The GSM Ciphering Indicator

- Write an application that presents the current ciphering status. (Easy)
- Write an application that hijacks the baseband processor (modem) SIM binary-code (in the firmware) to force-enable CI and possibly also the use of A5/3. (Hard)
- Make and use a copy of your SIM card that has CI enabled. (Hard)
- Lobby your cellular service provider to always use A5/3 ciphering. (Hard) (A5/1 was never used and A5/2 can be cracked on-the-fly!)
- Force Google to fix the issue! This is hard, since the issue is already >2 years old at "medium priority", and in addition it does not resolve the service provider disabled CI in their SIM cards.

Code:
EF      - Elementary Files
AD      - Administrative (Data) Field
BCD     - Binary-Coded Decimal (compressed)
CHV     - Card Holder Verification (usually your SIM code)
TLV     - Tag, Length, Value
BER-TLV - Object that conforms to the Basic Encoding Rules (BER)
RFU     - Reserved for Future Use

Background:

[1] § B.1.26 Ciphering Indicator

[3] Ciphering Indicator in mobile phones

[4] § 10.2.18 The SIM Administrative Data field

Code:
-----------------------------------------------------------
Name:        EFAD (Administrative Data)
Identifier:  '6FAD' (28589)
File size:   3+X bytes
-----------------------------------------------------------
Byte    Description
-----------------------------------------------------------
1       UE operation mode
2-3     Additional information (incl. cipher indication)
4       Length of MNC of IMSI
5-X     RFU
-----------------------------------------------------------
UE Operation Mode: (byte 1)
-----------------------------------------------------------
This is the mode of operation for the MS.
Coding: (Initial value)
  '00' - normal operation
  '80' - type approval operations
  '01' - normal operation + specific facilities
  '81' - type approval operations + specific facilities
  '02' - maintenance (off line)
  '04' - cell test operation
NOTE: All other values are RFU (reserved for future use).
-----------------------------------------------------------
Additional Information: (byte 2-3)
-----------------------------------------------------------
Coding:
  - Specific facilities code (if b1=1 in byte 1);
  - ME manufacturer specific information (if b2=1 in byte 1).
Ciphering indication is enabled by enabling both the specific
facilities bit (b1) in byte-1 AND the cipher indicator bit (b1)
in byte-3. Thus the administrative data field has to be:
  Byte-1: 0x01    0000 0001
  Byte-2: 0x00    0000 0000
  Byte-3: 0x01    0000 0001
  Byte-4: 0x02/3  0000 001x
-----------------------------------------------------------
Length of MNC in the IMSI: (byte 4)
-----------------------------------------------------------
The length indicator refers to the number of digits used for
extracting the MNC from the IMSI. This value codes the number
of digits of the MNC in the IMSI. Only the values (b1-b2) '0010'
and '0011' are currently specified; all other values are
reserved for future use.
-----------------------------------------------------------
Relevant Documents: TS 22.101, TS 31.102, TS 33.102
-----------------------------------------------------------

How to read the Ciphering Indicator in your SIM

If you know of any equivalent or valid AOS API call for reading this type of SIM data, please let us know!

Code:
AT+CRSM=<command>[,<fileid>[,<P1>,<P2>,<P3>[,<data>[,<pathid>]]]]

<command>  This is the operation to be performed:
           176  READ BINARY
           178  READ RECORD
           192  GET RESPONSE
           214  UPDATE BINARY
           220  UPDATE RECORD
           242  STATUS

<fileid>   This is an integer which is the identifier of an elementary
           datafile (EF) on the SIM. Mandatory for every command except
           STATUS, and may be e.g.:

           Hex   Dec    File
           ---------------------
           6F37  28471  ACMmax
           6F07  28423  IMSI
           6F39  28473  ACM
           6F41  28481  PUKT
           6F42  28482  SMS

Structure: [CLA INS P1 P2 P3 Data]

The bytes have the following meaning:
CLA         Is the class of instruction (ISO/IEC 7816-3 [25]); 'A0' is used
            in the GSM application.
INS         Is the instruction code (ISO/IEC 7816-3 [25]) as defined in this
            subclause for each command.
P1, P2, P3  Are parameters for the instruction. They are specified in table 9.
            'FF' is a valid value for P1, P2 and P3. P3 gives the length of the
            data element. P3='00' introduces a 256 byte data transfer from the
            SIM in an outgoing data transfer command (response direction). In an
            ingoing data transfer command (command direction), P3='00'
            introduces no transfer of data.
SW1, SW2    Are the Status Words indicating the successful or unsuccessful
            outcome of the command.

-------------------------------------------------------------------------------
Dec.  <sw1>  <sw2>  Description
-------------------------------------------------------------------------------
144   0x90   0x00   normal entry of the command, indicating OK
103   0x67   0xXX   incorrect parameter P3
      0x6B   0xXX   incorrect parameter P1 or P2
      0x6D   0xXX   unknown instruction code given in the command
      0x6E   0xXX   wrong instruction class given in the command
      0x6F   0xXX   technical problem with no diagnostic given
      0x9F   0xXX   length XX of the response data
      0x92   0x0X   update successful but after using an internal retry routine X times
      0x92   0x40   memory problem
      0x94   0x00   no EF selected
      0x94   0x02   out of range (invalid address)
      0x94   0x04   file ID not found; pattern not found
      0x94   0x08   file is inconsistent with the command
      0x98   0x02   no CHV initialized
      0x98   0x04   access condition not fulfilled / unsucc. CHV verify / authent. failed
      0x98   0x08   in contradiction with CHV status
      0x98   0x10   in contradiction with invalidation status
      0x98   0x40   unsuccessful CHV verification, or UNBLOCK CHV / CHV blocked / UNBL. blocked
      0x98   0x50   increase cannot be performed; max. value reached
-------------------------------------------------------------------------------

Reading the AD field (containing cipher indication)

Code:
AT+CRSM=176,28589,0,0,3
+CRSM: 144,0,"000000"

==> Bytes 1-3 = 00,00,00
    byte1: "MS operation mode"
    byte2: "Specific facilities" B1
    byte3: "Specific facilities" B2 (+ cipher indication)
==> Ciphering indication is disabled

Note: a response like "+CRSM: 103,3" indicates that there is a problem with P3 and that the value for P3 should be 3.

How to write AD and enable the Cipher Indicator in your SIM

Code: AT+CRSM=214,28589,0,0,3,"010001"

Code: AT+CRSM=214,28589,0,0,3,"100010"
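As an added example (my code, not from the original post) tying together the +CRSM response syntax, the status-word table, the EF-AD byte layout and the read/write commands above: a small Python helper that parses a "+CRSM:" response line, names the status word, decodes the AD bytes exactly as the EF-AD table lays them out (plain bytes in byte order, so it reproduces the first of the two write commands above), and builds the UPDATE BINARY line that sets both CI bits while keeping every other bit as read. The response lines fed to it are constructed; it only decodes data and never talks to a modem.

```python
import re

EF_AD = 28589  # '6FAD', the Administrative Data elementary file
MODES = {0x00: "normal operation", 0x01: "normal operation + specific facilities",
         0x80: "type approval operations", 0x81: "type approval operations + specific facilities",
         0x02: "maintenance (off line)", 0x04: "cell test operation"}  # byte 1; all others RFU
# Status words from the +CRSM table above, keyed by (SW1, SW2); None means "any SW2"
STATUS = {(0x90, 0x00): "OK", (0x67, None): "incorrect parameter P3",
          (0x6B, None): "incorrect parameter P1 or P2", (0x6D, None): "unknown instruction code",
          (0x6E, None): "wrong instruction class", (0x6F, None): "technical problem",
          (0x94, 0x00): "no EF selected", (0x94, 0x02): "out of range (invalid address)",
          (0x94, 0x04): "file ID not found", (0x94, 0x08): "file is inconsistent with the command",
          (0x98, 0x02): "no CHV initialized", (0x98, 0x04): "access condition not fulfilled",
          (0x98, 0x40): "CHV blocked"}

def parse_crsm(line):
    """Split '+CRSM: <sw1>,<sw2>[,"<hex>"]' (SW in decimal, as the modem prints it) into (sw1, sw2, data)."""
    m = re.match(r'\s*\+CRSM:\s*(\d+)\s*,\s*(\d+)(?:\s*,\s*"([0-9A-Fa-f]*)")?', line)
    if not m:
        raise ValueError("not a +CRSM response: %r" % line)
    return int(m.group(1)), int(m.group(2)), bytes.fromhex(m.group(3) or "")

def describe_sw(sw1, sw2):
    text = STATUS.get((sw1, sw2)) or STATUS.get((sw1, None)) or "unknown status"
    if sw1 == 0x67:  # e.g. '+CRSM: 103,3': the SIM wants P3 = 3 for this file
        text += " (use P3=%d)" % sw2
    return text

def decode_ad(ad):
    """Decode EF-AD: CI is on only if b1 of byte 1 (specific facilities) AND b1 of byte 3 are both set."""
    if len(ad) < 3:
        raise ValueError("EF-AD needs at least 3 bytes, got %d" % len(ad))
    specific = bool(ad[0] & 0x01)
    return {"mode": MODES.get(ad[0], "RFU"),
            "ci_enabled": specific and bool(ad[2] & 0x01),
            "mnc_len": ad[3] & 0x0F if len(ad) > 3 else None}  # byte 4; only 2 and 3 are specified

def enable_ci(ad):
    """Hex data for UPDATE BINARY: set both CI bits, keep every other bit (e.g. the MNC length) as read."""
    out = bytearray(ad)
    out[0] |= 0x01
    out[2] |= 0x01
    return out.hex().upper()

def update_command(ad):
    """The AT line (command 214 = UPDATE BINARY, P3 = data length) that writes the CI-enabled AD back."""
    return 'AT+CRSM=214,%d,0,0,%d,"%s"' % (EF_AD, len(ad), enable_ci(ad))

def report(line):
    sw1, sw2, data = parse_crsm(line)
    status = describe_sw(sw1, sw2)
    return status, (decode_ad(data) if status == "OK" else None)
```

Feed `report()` the line your terminal shows after `AT+CRSM=176,28589,0,0,3`; it returns the status text and, on OK, the decoded AD, and `update_command()` with those same bytes yields the write line for a CI-enabled field.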

According to the 3GPP GSM standards/specifications [1] for handsets, there should be a Ciphering Indicator (CI) showing the user when the GSM phone/data connection is not using encryption. Unfortunately, for many people in the rest of the world, this feature has not been properly (if at all) implemented in the Android OS, AFAIK [2]. The second culprit is the fact that your cellular service provider has disabled showing this CI on the vast majority of SIM cards issued around the world.

The only options for circumventing these privacy problems are the ones listed at the top of this post. As you can see, the issue at hand does not look to be resolved anytime soon. So I lobby for () or (). But to do that we need some background knowledge. Then I will show you how to read the CI setting from your SIM card. Then we will figure out how to write such an application!

[1] 3GPP GSM 02.07: http://www.3gpp.org/ftp/Specs/archiv...7/0207-710.zip
[2] Android Issue 5353: https://code.google.com/p/android/issues/detail?id=5353
[3] Dieter Spaar's Blog: http://www.mirider.com/weblog/2010/0...ring_indicator
[4] 3GPP GSM 11.11: ???

Quote from [1] § B.1.26:
The ciphering indicator feature allows the ME to detect that ciphering is not switched on and to indicate this to the user, as defined in GSM 02.09. The ciphering indicator feature may be disabled by the home network operator setting data in the "administrative data" field (EF-AD) in the SIM, as defined in GSM 11.11. If this feature is not disabled by the SIM, then whenever a connection is in place, which is, or becomes unenciphered, an indication shall be given to the user. Ciphering itself is unaffected by this feature, and the user can choose how to proceed.

Quote from [3]:
According to GSM 02.07 B.1.26, there should be a Ciphering Indicator in the ME to allow a user to detect if ciphering is not switched on. The Ciphering Indicator can be turned off by the network operator clearing (what is formerly known as) the OFM (Operational Feature Monitor) bit in the "administrative data" field of the SIM. (See GSM 11.11, 10.3.18) Usually the Ciphering Indicator is turned off, at least in those SIMs I have seen so far. And you usually cannot modify the administrative data in the SIM. But would a phone actually display something if the Ciphering Indicator is enabled and ciphering is not on?

All data on your SIM card is stored in a special filesystem hierarchy. To not delve too far into the murky depths of SIM data storage, we jump straight to the particular file we are interested in. It is an elementary file (EF) called Administrative Data (AD), whose filename/identifier is just a number, like always in the SIM-card filesystem. In this case it is known as '6FAD' (hex for 28589).

Technical Summary:

Since there is no API call (AFAIK) for directly reading the SIM data fields, we are going to use your modem's standard AT commands. You can normally do this in two ways. (1) By connecting your phone via USB to your PC and using a terminal application to send AT commands (ATCs) directly to the Baseband Processor (BP), aka "modem". (2) By connecting directly to the modem "device" via some terminal program within the Android Operating System (AOS). For all the details surrounding this, please see this thread.

Once you've got an AT command terminal session working, you are free to issue the relevant AT commands to read from your SIM card. The particular command we are interested in is the +CRSM command. This command can read/write various data directly from SIM card files. The syntax is given in the +CRSM code block above.

For example, you could also read your IMSI code from your SIM card, but this is a little more tricky, as that operation involves a parity bit-field in the second byte while using a compressed coding. Also see and

Now, this is the most tricky part, while being poorly documented. The problem is that since this is an "administrative operation", it may require something called a "facility lock password". However, it is not clear to me what this is. Is it just a CHV PIN/PUK, or is it something only known to the OEM or cellular service provider? Anyone who could provide proper guidance here will be offered a beer! (Also see: for reference.)

Going through the reading hoops above, we guess that the proper write command should be like the first one under "How to write AD" above. However, we know from reading other SIM files (IMSI) that sometimes the data is returned in format. That is, it could be that the 1st and last pairs of 's should be swapped to 's, so that we have the second write command above. Any ideas?