Cellular carriers hate this trick: Using SIM tunneling to travel at light speed

Presented at DEF CON 31 (2023), Aug. 13, 2023, 10 a.m. (45 minutes).

Cellular networks form large complex compounds for roaming purposes. Thus, geographically-spread testbeds for masurements and rapid exploit verification are needed to do justice to the technology's unique structure and global scope. Additionally, such measurements suffer from a combinatorial explosion of operators, mobile plans, and services. To cope with these challenges, we are releasing an open-source framework that geographically decouples the SIM (subscription) from the cellular modem by selectively connecting both remotely. This allows testing any subscriber with any operator at any modem location within seconds without moving parts. The resulting measurement and testbed platform "MobileAtlas" offers a scalable, controlled experimentation environment. It is fully open-sourced and allows other researchers to contribute locations, SIM cards, and measurement scripts. Using the above framework, our international experiments in commercial networks revealed exploitable inconsistencies in traffic metering, leading to multiple data "phreaking" opportunities ("free-ride"). We also expose problematic IPv6 firewall configurations, hidden SIM card communication to the home network, and fingerprint dial progress tones to track victims across different roaming networks and countries with voice calls. REFERENCES: Gabriel K. Gegenhuber, Wilfried Mayer, and Edgar Weippl. Zero-Rating, One Big Mess: Analyzing Differential Pricing Practices of European MNOs. In IEEE Global Communications Conference (GLOBECOM), 2022 Gabriel K. Gegenhuber, Wilfried Mayer, Edgar Weippl, Adrian Dabrowski. MobileAtlas: Geographically Decoupled Measurements in Cellular Networks for Security and Privacy Research., 2023, In proceedings of the 32th USENIX Security Symposium 2023. David Allen Burgess. What is AT&T doing at 1111340002? Welcome to the magical world of proac-tive SIMs., 2021. https://medium.com/telecom-expert/what-is-at-t-doing-at-1111340002-c418876c212c David Allen Burgess. More Proactive SIMs., 2021. https://medium.com/telecom-expert/more-proactive-sims-f8da2ef8b189 OSMOCOM. Simtrace 2. https://osmocom.org/projects/simtrace2/wiki osmocom.org. pySim-prog - Utility for programmable SIM/USIM-Cards. https://osmocom.org/projects/pysim/wiki The MONROE Alliance. Measuring Mobile Broadband Networks in Europe. https://www.monroe-project.eu

Presenters:

  • Adrian Dabrowski / atrox - CISPA Helmholtz Center for Cybersecurity   as Adrian "atrox" Dabrowski
    Adrian Dabrowski wrote his PhD about large infrastructures including the identifying fake base stations (“IMSI Catchers”). Before his PhD, he was a founding member of two hackerspaces in Vienna, Austria, and on the board of one of them.

Links:

Similar Presentations: