[Simsec] SIMTester tips

Lukas Kuzmiak lukas at srlabs.de
Sat Nov 8 23:51:26 CET 2014


Hi Dmitry,

> All keysets 1-15 of all TARs a SIM card was tested against gave null response.
That is not entirely true - it gave null response for PoR CC (or cryptographic checksum if you want) - meaning for that particular combination (one line is a combination of a TAR, keyset and a particular fuzzer (combinations of bit settings for KIC/KID and SPI1, SPI2)) there was no encrypted or signed response returned.
Long story short: your sim card is smart enough not to encrypt or sign a response to a command that was not previously encrypted or signed.

Looking at the PoR codes from the results file you’ve enclosed there’s a spottable difference between keysets - keyset one responds with PoR code 0x0A, the rest with 0x06.
Check out the specification defining these [1]. You’ll see 0x06 is “Unidentified security error.” which in this case most probably means the keysets answering with this code are not used (or not activated, whatever..).
Keyset 1 responds with 0x0A (“Insufficient security level”) - meaning whatever the fuzzer did with the packet (used counter, signing or encrypted) is not sufficient for this particular keyset to get through (there are these checks first before the message gets processed).

It is therefore probable only keyset 1 is used on this particular card.

SIMTester has a pre-defined number of TARs it scans for [2]. These TARs have been selected by scanning a sample of SIM cards using TAR scanning functionality and we’ve chosen the most common ones.
Look at these as open ports on an IP. The reason behind the selection is the TAR is a 3-byte value and every SIM can have 0xFFFFFF possible TARs, scanning for all of them with just a single message can take hours, days or even weeks - depending on a SIM card speed/performance.

TAR scanning is supposed to discover TARs, normal fuzzing operation is supposed to test these using different keyset/fuzzer combinations. Full fuzzing (fuzzers 1-16 and 15 keysets would lead to 0xFFFFFF * 16 * 15 messages being sent to the SIM) would take like 240 times longer than a simple one keyset, one fuzzer TAR scan. Fastest SIM I’ve seen can do TAR scan using 0xFFFFFF msgs in about 2 hours.. that would get you to about 20 days scanning time :-)

You can’t use more than one keyset for TAR scanning - even if it never made sense to me to use more than one TAR or keyset for TAR scanning, feel free to create a patch for this if you want it for some reason - [3].

So for your SIM I’d do:
$ java -jar SIMTester.jar -tf PCSC -ri 0 -st -k 1

You can actually omit “-k 1” as that is a default value :-)

Once you’ve done that you’ll get a list of TARs your SIM card responds to - if you discover some new ones (other than the ones defined in [2]) - feel free to fuzz them using:
$ java -jar SIMTester.jar -tf PCSC -ri 0 -t RFM:111111 RFM:222222

There’s also RAM prefix, it’s there for different APDUs for fuzzing, RAM is by default only used for 000000 TAR which is (usually) applet management, the rest of pre-defined TARs is scanned using RFM prefix [4].

Feel free to let me know what you’ve discovered.

Lukas

--
Lukas Kuzmiak
Security Research Labs

[1] - http://www.etsi.org/deliver/etsi_ts/123000_123099/123048/05.09.00_60/ts_123048v050900p.pdf, Chapter 5.2, Table 5
[2] - https://opensource.srlabs.de/projects/mobile-network-assessment-tools/repository/simtester/revisions/master/entry/SIMTester/src/de/srlabs/simtester/FuzzerFactory.java
[3] - https://opensource.srlabs.de/projects/mobile-network-assessment-tools/repository/simtester/revisions/master/entry/SIMTester/src/de/srlabs/simtester/Main.java, line 108.
[4] - https://opensource.srlabs.de/projects/mobile-network-assessment-tools/repository/simtester/revisions/master/entry/SIMTester/src/de/srlabs/simtester/Fuzzer.java - lines 204-211

> On 07 Nov 2014, at 12:50, Дмитрий Полпуденко <dmitry.polpudenko at laps-spb.org> wrote:
> 
> Hi Lukas,
> 
> Thank you very much for a prompt reply and for the great SIMTester we all now play with!
> 
> Frankly, not much. Let me show you a small example, please.
> 
> I ran SIMTester with a command:
> 
> $ java -jar SIMTester.jar -tf PCSC -ri 0
> 
> All keysets 1-15 of all TARs a SIM card was tested against gave null response. You can check it from SIMTester output, I attached it to the letter. Which keysets am I supposed to pick for TAR scanning with -st option in this case? I assume a following command would be something like this:
> 
> $ java -jar SIMTester.jar -tf PCSC -ri 0 -st -k 1 2 3 4 <or any responsive keysets>
> 
> ?
> 
> Could you please explain the logic behind the keysets selection or am I missing something from the SIMTester output?
> 
> Kind Regards,
> 
> Dmitry
> 
> 
>> On 7 Nov 2014, at 2:29, Lukas Kuzmiak <lukas at srlabs.de> wrote:
>> 
>> Hi Dmitry,
>> 
>> no it does not - as SIM cards *usually* use only some of the keysets (1-15), if you’d do TAR scanning (-st option) on eg. keyset 1 which would be unused by the sim card you’d be very likely to discover no TARs at all.
>> The reason for it is that most of the sim cards first check the “basics” like whether a keyset is even used and if it is not it never gets to TAR checking and just returns an error.
>> 
>> That is why you need to discover a valid keyset prior to TAR scanning.
>> 
>> Does it make it more clear?
>> 
>> Lukas
>> 
>> --
>> Lukas Kuzmiak
>> Security Research Labs
>> 
>> 
>>> On 06 Nov 2014, at 22:40, Дмитрий Полпуденко <dmitry.polpudenko at laps-spb.org> wrote:
>>> 
>>> Does it imply that there is no need to scan all possible TARs of a card with -st option if fuzzer finds no vulnerabilities during first full fuzzing run?
>>> 
>> 
> 
> <simtester_out.txt>
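
The keyset triage described in the reply above, as an added example that is not part of the original message and not SIMTester code: it groups PoR status codes per keyset and scales the scan-time figure quoted in the thread. The row layout, the sample rows and the function names are constructed for illustration; status codes other than 0x06 and 0x0A are filled in from the same table in [1].

```python
from collections import defaultdict

# PoR response status codes, 3GPP TS 23.048 Table 5 (reference [1] in the thread).
POR_STATUS = {0x00: "PoR OK", 0x01: "RC/CC/DS failed", 0x02: "CNTR low",
              0x03: "CNTR high", 0x04: "CNTR blocked", 0x05: "Ciphering error",
              0x06: "Unidentified security error", 0x09: "TAR unknown",
              0x0A: "Insufficient security level"}

# Constructed sample rows in a hypothetical key=value layout
# (this is NOT SIMTester's real output format).
SAMPLE = """\
TAR=000000 keyset=1 fuzzer=1 por=0A
TAR=000000 keyset=2 fuzzer=1 por=06
TAR=B00010 keyset=1 fuzzer=5 por=0A
TAR=B00010 keyset=2 fuzzer=5 por=06
TAR=B00010 keyset=3 fuzzer=5 por=06
"""

def parse(text):
    """Turn each non-empty row into (tar, keyset, fuzzer, por_code)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = dict(kv.split("=", 1) for kv in line.split())
        rows.append((f["TAR"], int(f["keyset"]), int(f["fuzzer"]), int(f["por"], 16)))
    return rows

def classify_keysets(rows):
    """Group PoR codes per keyset and apply the reading given in the thread."""
    seen = defaultdict(set)
    for _tar, keyset, _fuzzer, por in rows:
        seen[keyset].add(por)
    verdict = {}
    for keyset, codes in sorted(seen.items()):
        if codes == {0x06}:      # only "Unidentified security error"
            verdict[keyset] = "probably unused"
        elif 0x0A in codes:      # keyset exists, security level check rejected the packet
            verdict[keyset] = "probably in use"
        else:                    # anything else needs a manual look
            verdict[keyset] = "review: " + ", ".join(
                POR_STATUS.get(c, hex(c)) for c in sorted(codes))
    return verdict

def scan_hours(tars, keysets=1, fuzzers=1, full_scan_hours=2.0):
    """Scale the thread's figure: 0xFFFFFF messages in about 2 hours on the fastest card."""
    return tars * keysets * fuzzers * full_scan_hours / 0xFFFFFF

if __name__ == "__main__":
    print(classify_keysets(parse(SAMPLE)))
    print(scan_hours(0xFFFFFF, keysets=15, fuzzers=16) / 24, "days")
```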
