[Simsec] SIM weakness exploitation

Вадим Яницкий axilirator at gmail.com
Thu Oct 15 15:13:16 CEST 2015


Hello Karsten Nohl and other list members! I am testing some SIM cards of
several Russian operators (MCC 250) using the SIMTester project. Some of
them have several weaknesses, and even a critical weakness. I have submitted
all output files to gsmmap.org (every file is marked with the 'fixeria'
identifier). Now I have some questions about the weaknesses that I found.
Here is my console output:

SIMTester has discovered following weaknesses:
>
> The following TARs/keysets returned a signed response that may be
> crackable:
> TAR    keyset Cryptographic checksums
> BFFF01      1 4E736B10237C6DCB 54D77FBF5FBB9D4C
> BFFF01      2 FBDCBE8C9BA92B2A 7DD56C4648D5C8B5
> BFFF01      3 C4BBD0CFC814582A 910614BC320F93EE
> BFFF01      4 DF8153D2FEE2FD21
> BFFF02      1 855B6DE0AC4CABC5 94660707A94E72A5
> BFFF02      2 7C781E8B75F533F8 7F7802DEC7FF4A30
> BFFF02      3 9FBC10492FA55580 CA2A22ABEB7FBA26
> BFFF02      4 3A58E78432F1946B
> BFFF03      1 9F99D2F17BBB3545 1EC417716B95FB72
> BFFF03      2 4D84D2AD24952F6B C2CA66795AF71704
> BFFF03      3 93A04C6A940D6F39 B234F88CFA5E300F
> BFFF03      4 8D77950023C55E48
>
> The following TARs/keysets returned an encrypted response that may be
> crackable:
> TAR    keyset Response packet
>
> BFFF01      1 027100000C0ABFFF01D9AD97AA8795344E
> 027100000C0ABFFF0125BFBA936CE6B99A 027100000C0ABFFF015FAC8604BC1ECF6F
> BFFF01      2 027100000C0ABFFF01DA821D282EB8E972
> 027100000C0ABFFF010A2FB986234E0017 027100000C0ABFFF01FF1474359924E4C6
> BFFF01      3 027100000C0ABFFF01D814C4E84ED649C6
> 027100000C0ABFFF01185DCF49CEAFBF3B 027100000C0ABFFF015BCCFB367830769F
> BFFF02      1 027100000C0ABFFF0225BFBA936CE6B99A
> 027100000C0ABFFF02D9AD97AA8795344E 027100000C0ABFFF025FAC8604BC1ECF6F
> BFFF02      2 027100000C0ABFFF02DA821D282EB8E972
> 027100000C0ABFFF020A2FB986234E0017 027100000C0ABFFF02FF1474359924E4C6
> BFFF02      3 027100000C0ABFFF02185DCF49CEAFBF3B
> 027100000C0ABFFF02D814C4E84ED649C6 027100000C0ABFFF025BCCFB367830769F
> BFFF03      1 027100000C0ABFFF03D9AD97AA8795344E
> 027100000C0ABFFF0325BFBA936CE6B99A 027100000C0ABFFF035FAC8604BC1ECF6F
> BFFF03      2 027100000C0ABFFF03DA821D282EB8E972
> 027100000C0ABFFF030A2FB986234E0017 027100000C0ABFFF03FF1474359924E4C6
> BFFF03      3 027100000C0ABFFF03185DCF49CEAFBF3B
> 027100000C0ABFFF035BCCFB367830769F 027100000C0ABFFF03D814C4E84ED649C6
>
> The following TARs/keysets returned a valid response without any security:
> TAR    keyset Response packets
>
> BFFF01      1 027100001312BFFF01000000000100024E736B10237C6DCB
> 027100001312BFFF010000000001000054D77FBF5FBB9D4C
> BFFF01      2 027100001312BFFF0100000000010002FBDCBE8C9BA92B2A
> 027100001312BFFF01000000000100007DD56C4648D5C8B5
> BFFF01      3 027100001312BFFF0100000000010000C4BBD0CFC814582A
> 027100001312BFFF0100000000010002910614BC320F93EE
> BFFF01      4 027100001312BFFF0100000000010000DF8153D2FEE2FD21
> BFFF02      1 027100001312BFFF0200000000010000855B6DE0AC4CABC5
> 027100001312BFFF020000000001000294660707A94E72A5
> BFFF02      2 027100001312BFFF02000000000100007C781E8B75F533F8
> 027100001312BFFF02000000000100027F7802DEC7FF4A30
> BFFF02      3 027100001312BFFF02000000000100009FBC10492FA55580
> 027100001312BFFF0200000000010002CA2A22ABEB7FBA26
> BFFF02      4 027100001312BFFF02000000000100003A58E78432F1946B
> BFFF03      1 027100001312BFFF03000000000100029F99D2F17BBB3545
> 027100001312BFFF03000000000100001EC417716B95FB72
> BFFF03      2 027100001312BFFF03000000000100024D84D2AD24952F6B
> 027100001312BFFF0300000000010000C2CA66795AF71704
> BFFF03      3 027100001312BFFF030000000001000293A04C6A940D6F39
> 027100001312BFFF0300000000010000B234F88CFA5E300F
> BFFF03      4 027100001312BFFF03000000000100008D77950023C55E48
>

How can I use these vulnerabilities? Is it possible to determine which cipher
is used?
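An added example, not the poster's or SIMTester's code: a decoder for the GSM 03.48 response packets (Proof of Receipt) in the listing above, showing which fields each one carries. It assumes SIMTester prints the packet with its 3-byte UDH (02 71 00) as in the listing, and the `header_ciphered` flag is only a heuristic on the status byte; the algorithm used for the RC/CC/DS or for ciphering is indicated by the KIc/KID bytes of the command packet, not by the response, so the response alone does not name it.

```python
# Added example, not SIMTester code: decode the GSM 03.48 response packets
# (Proof of Receipt) that SIMTester prints, so each field can be read.
from dataclasses import dataclass

# Response status codes as defined in GSM 03.48 (response packet structure)
STATUS_CODES = {
    0x00: "PoR OK", 0x01: "RC/CC/DS failed", 0x02: "CNTR low",
    0x03: "CNTR high", 0x04: "CNTR blocked", 0x05: "ciphering error",
    0x06: "unidentified security error", 0x07: "insufficient memory",
    0x08: "more time", 0x09: "TAR unknown", 0x0A: "insufficient security level",
}

@dataclass
class ResponsePacket:
    tar: str        # Toolkit Application Reference (3 bytes)
    cntr: str       # counter (5 bytes)
    pcntr: int      # padding counter
    status: int     # response status code
    status_name: str
    rc_cc_ds: str   # RC/CC/DS field as hex, "" when the header carries none
    additional: str # additional response data as hex
    header_ciphered: bool  # heuristic (assumption): undefined status code

def parse_response_packet(hexstr: str) -> ResponsePacket:
    data = bytes.fromhex(hexstr)
    # SIMTester prints the packet with its 3-byte UDH: UDHL=02, IEI=71, IEDL=00
    if data[:3] != b"\x02\x71\x00":
        raise ValueError("expected UDH 02 71 00 (03.48 response packet)")
    rpl = int.from_bytes(data[3:5], "big")  # Response Packet Length
    rhl = data[5]                           # Response Header Length
    if len(data) != 5 + rpl or rhl < 10 or rpl < rhl + 1:
        raise ValueError(f"inconsistent lengths: RPL={rpl} RHL={rhl} bytes={len(data)}")
    tar = data[6:9].hex().upper()
    cntr = data[9:14].hex().upper()
    pcntr, status = data[14], data[15]
    # RHL covers TAR+CNTR+PCNTR+status (10 bytes) plus RC/CC/DS, so the
    # remainder of the header is the checksum/signature (8 bytes in this listing)
    sig_len = rhl - 10
    rc_cc_ds = data[16:16 + sig_len].hex().upper()
    additional = data[16 + sig_len:].hex().upper()
    # When the SIM ciphered the PoR, CNTR..status are ciphertext and the status
    # byte is meaningless; the SPI of the command packet is the authoritative answer.
    return ResponsePacket(tar, cntr, pcntr, status, STATUS_CODES.get(status, "undefined"),
                          rc_cc_ds, additional, status not in STATUS_CODES)

if __name__ == "__main__":
    # Two packets copied from the SIMTester output above
    for pkt in ("027100001312BFFF01000000000100024E736B10237C6DCB",
                "027100000C0ABFFF01D9AD97AA8795344E"):
        print(parse_response_packet(pkt))
```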