A Russian research team has found vulnerabilities in millions of the world's SIM cards, and separate flaws in common 4G modem platforms. Together, the bugs could allow attackers to send crafted SMS text messages to gain access to critical systems and install malware on connected computers.

In one dramatic and hypothetical example, the research team of six from outfit SCADA StrangeLove showed how track switching mechanisms in the European Rail Traffic Management System could be altered by remote attackers targeting computers and devices on trains and tracks.

They found what fellow SRlabs researcher Karsten Nohl estimated was 'millions' of the world's SIM cards that could be impersonated by attackers who captured the users' Temporary International Mobile Subscriber Identity and decryption key (Kc), numbers that were designed to stop eavesdropping between devices and phone towers.

It built on Nohl's research last year that revealed SIM flaws could allow attackers to intercept calls and target wireless NFC applications like contactless payments through crafted text messages.

He found telcos had done little in the two months to September to fix the flaws. They now face further attack vectors in SIMs and mobile 4G dongles.

Attackers would need four flaws to align to take advantage of the remote Kc disclosure, including as Nohl explained to Vulture South:





A network that allowed binary SMS to reach the SIM card;

One of the millions of SIM cards that have an unprotected or weakly protected TAR;

The TAR allows execution of file system commands, and

An easily guessable SIM card PIN.

"Only if all four hold, can a decryption key (Kc) be queried remotely," Nohl explained of the work. "Given that there are billions of SIMs out there, the attack still affects many millions of them."

It was unknown if Australian SIMs were affected but antipodean modems were thought to be susceptible due to shared platforms, Gordeychik said.

"Vulnerabilities in modern SIM cards allows attackers to obtain important information which is enough to spoof a victim's identity – or 'clone' a phone in a network – or to decrypt traffic by two special crafted SMS messages," Gordeychik said in an email.

Attackers could also cause mass denial of service by entering incorrect PINs and PUKs on targeted SIM cards.

The SCADA StrangeLove team were further able to remotely install malicious applications on 4G modem cards to then update firmware, change passwords on the web management portal, and even gain access to the internal networks of telcos.

They found crafted text messages sent to vulnerable 4G modems could allow attackers to install bootkits on machines connected using modem dongles by reprogramming the devices to serve as storage and human interface devices (HIDs).

"Advanced attacks allow attackers to reprogram 4G modems remotely, sometimes via SMS, making them act as a HID and storage device to emulate key presses, reboot connected laptop and install bootkits," Gordeychik said.

Separate findings included 550 GPRS Tunnelling Protocol hosts, mostly gateway GPRS support nodes, connected to the internet that allowed attackers to emulate serving GPRS support nodes to establish GPRS connections over the internet.

The attacks were presented at security conferences PacSec and ZeroNights, and are to be explained in an upcoming paper affected a host of systems including supervisory control and data acquisition (SCADA) machines, ATMs and various Internet of Things devices.

Attackers could use tools including the modified open source software Osmocombb, Calypso based phones (pdf) or online SMS gateways.

Fixing the vectors was not simple. Gordeychik said telcos were the only entities that could push vendors to fix vulnerable SIMs and modems by following secure coding practice, while CERTs were responsible for internet infrastructure issues like the GPRS Tunneling Protocol.

The research team of Gordeychik; Alexey Osipov; Timur Yunusov; Alexander Zaitsev; Gleb Gritsai; Kirill Nesterov, and Dmitry Sklyarov tested more than 100 SIM cards and 'dozens' of 4G USB modems purchased across Europe, the Middle East and the US, and reported their findings to telcos, device vendors and computer emergency response teams including Japan's CERT. ®