Proactive SIM-cards

After running into proactive SMS from an AT&T SIM card (a translation of that article is here), I decided to check other SIM cards as well. It is no secret that almost all of them support proactive features, but I wondered how many cards actually use them. So I prepared a test bench to check the SIM cards I have.

SIM cards

At the first stage I limited testing to large “tier-1” operators, whose cards are used by many people. Here is what I had at hand:

All of these SIM cards were issued between 2014 and 2019.

Test bench

The test bench is the same as in the first article, repeated here for convenience:

  • The SIMTrace2 tool, placed between the SIM card and the phone, which lets you trace the exchange between them.

  • A phone. I used an Allview Soul.

  • The Legba Lab Kit, a desktop network emulator.

  • A conventional smart card reader and PySim, a program for managing SIM cards.

Method

The purpose of the method is to trace the exchange between the SIM card and the phone in order to find out which proactive functions the SIM uses. To bring the card to life, the Lab Kit emulates the SIM card’s home network. The steps are as follows:

  1. “SUT” is the SIM card under test.

  2. Use PySim and a card reader to get the IMSI of the card under test.

  3. Use the first 5 or 6 digits of the IMSI to determine the home PLMN of the SUT.

  4. Program the SUT’s home PLMN into the Lab Kit GSM emulator.

  5. Turn off your phone.

  6. Insert the SUT into the SIMTrace2 device.

  7. Start a new capture in Wireshark.

  8. Run simtrace2-sniff with packets directed to your Wireshark host.

  9. Switch on your phone.

  10. Typically the phone recognizes the home PLMN of its SIM card and immediately attaches to the emulated network. If not, select it manually.

  11. Leave the phone on for 5 minutes.

  12. Make a short phone call.

  13. Send an SMS to yourself.

  14. Leave the phone idle for another 5 minutes.

  15. Check Wireshark logs for proactive operations.

For SIM cards that are still in service, an emulator is not required, so you can skip step 4.

Results

So, let’s start with the operators whose cards did not show anything remarkable.

All others showed interesting results.

All SIMs used proactive commands to change call-forwarding settings, but I did not count this as “interesting”. I left an example on Pastebin in case someone disagrees with me.

Now comes the fun part.

AT&T

There was a separate post about AT&T, but it is summarized here for convenience. The tested SIMs send an SMS to AT&T whenever they detect a change in IMEISV. Such a change is triggered by updating the baseband processor firmware or by moving the SIM card to another phone.

Verizon

The tested Verizon SIMs try to open TCP/IP sessions on port 8443 to multiple IP addresses in the 63.55.xx and 69.78.xx blocks using an APN called “vznadmin”. Since this is a dedicated APN, it is unclear whether these IP addresses are actually public in this context, but if they are, WHOIS shows that they belong to Verizon. Since none of these servers responded, I never saw what the SIM was actually trying to do; however, I did see TCP/IP SYN packets at the SNDCP layer in the Lab Kit, so yes, the baseband processor really was trying to open those sessions. (Oh, did you know that SIM cards can open data sessions that are completely invisible to the application processor?) I saved an example of one of these SIM messages on Pastebin.

T-Mobile USA

This SIM card sometimes uses a proactive SMS to send a UDP packet to port 1808 on some server at ISDN 122. It is sent via the standard T-Mobile USA SMSC at +12063130004. The payload is binary encoded and contains the ASCII text “Activate: dt = 15”. (Normal text SMS uses the 7-bit GSM character set, not ASCII. This is an M2M message.) An example MO-SMS received on the network side is available on Pastebin.
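To make the 7-bit-versus-8-bit distinction concrete, here is an added example (my code, not from the original post or from any operator tooling) that packs text into the GSM 7-bit default alphabet per 3GPP TS 23.038 and contrasts it with a plain 8-bit ASCII payload like the one above. The `decode_as_both` helper is mine; it shows how the same bytes read under each interpretation, which is what you actually do when a captured SMS payload looks odd. Only the basic GSM table is mapped; the extension table (escape 0x1B) is left unsupported.

```python
# Added example, not code from the original post: GSM 7-bit packing/unpacking
# (3GPP TS 23.038 section 6.1.2.1.1) next to an 8-bit ASCII payload.

# ASCII characters whose GSM 7-bit code differs from their ASCII code.
_GSM_OVERRIDES = {"@": 0x00, "$": 0x02, "_": 0x11}
# ASCII punctuation that lives only in the GSM extension table (or not at all).
_UNSUPPORTED = set("[\\]^`{|}~\x7f")
# GSM codes in 0x20-0x7E whose meaning is NOT the ASCII character of that code.
_NON_ASCII_CODES = {0x24, 0x40, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60,
                    0x7B, 0x7C, 0x7D, 0x7E}

# TP-DCS values from TS 23.038 section 4: 0x00 = GSM 7-bit default, 0x04 = 8-bit data.
DCS_GSM7 = 0x00
DCS_8BIT = 0x04


def gsm7_encode(text):
    """Map text to a list of GSM 7-bit septet values (basic table only)."""
    septets = []
    for ch in text:
        if ch in _GSM_OVERRIDES:
            septets.append(_GSM_OVERRIDES[ch])
        elif ch in _UNSUPPORTED or not (0x20 <= ord(ch) <= 0x7E):
            raise ValueError(f"no basic-table mapping for {ch!r}")
        else:
            septets.append(ord(ch))  # code coincides with ASCII
    return septets


def gsm7_decode(septets):
    """Inverse of gsm7_encode; codes with no ASCII equivalent become '?'."""
    rev = {v: k for k, v in _GSM_OVERRIDES.items()}
    out = []
    for s in septets:
        if s in rev:
            out.append(rev[s])
        elif s < 0x20 or s == 0x7F or s in _NON_ASCII_CODES:
            out.append("?")
        else:
            out.append(chr(s))
    return "".join(out)


def gsm7_pack(septets):
    """Pack septets LSB-first into octets: 8 characters fit in 7 bytes."""
    out, acc, bits = bytearray(), 0, 0
    for s in septets:
        acc |= (s & 0x7F) << bits
        bits += 7
        while bits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    if bits:
        out.append(acc & 0xFF)  # remaining high bits, zero padded
    return bytes(out)


def gsm7_unpack(data, n_septets):
    """Unpack n_septets septets; the count matters because padding bits are ambiguous."""
    out, acc, bits = [], 0, 0
    for b in data:
        acc |= b << bits
        bits += 8
        while bits >= 7 and len(out) < n_septets:
            out.append(acc & 0x7F)
            acc >>= 7
            bits -= 7
    return out


def decode_as_both(payload):
    """Read one captured payload as 8-bit ASCII and as 7-bit packed text."""
    n = len(payload) * 8 // 7  # maximum septets that fit in the payload
    return {
        "as_8bit": payload.decode("ascii", errors="replace"),
        "as_7bit": gsm7_decode(gsm7_unpack(payload, n)),
    }


def demo(text="Activate: dt = 15"):
    """Constructed sample: the string seen in the T-Mobile payload, encoded both ways."""
    return {
        "gsm7_packed": gsm7_pack(gsm7_encode(text)),   # 15 bytes, DCS 0x00
        "ascii_8bit": text.encode("ascii"),            # 17 bytes, DCS 0x04
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, len(v), v.hex())
    print(decode_as_both(b"Activate: dt = 15"))
```

The practical takeaway: if a payload of N bytes decodes cleanly as printable ASCII with the DCS set to 8-bit data, it was not sent as ordinary text, and reading it as 7-bit packed septets produces garbage (the `as_7bit` key above). The classic check value `gsm7_pack(gsm7_encode("hello")) == e8 32 9b fd 06` is a handy self-test for any 7-bit packer.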

Orange Romania

This SIM tries to send a binary SMS with a payload to the ISDN address 5692 via the standard Orange Romania SMS center at +40744946000. The complete example is saved on Pastebin. What is inside the message?

Directly from Wireshark we have:

  0060  XX XX XX 11 51 01 01 03 08 3a 25 76 03 08 91 23
  0070  06 04 0a 98 04 01 81 10 11 30 73 48 f5 05 09 08
  0080  29 62 01 62 20 51 23 61 06 14 ff ff ff ff bf 4f
  0090  80 ef 7f 00 80 0f 71 84 08 83 63 60 00 00 90 00

As with the AT&T example, this message uses TLV formatting and most of the fields are self-explanatory:

  • 11 51 01: Title

  • 03 08 3a 25 76 03 08 91 23 06: field type 0x03, length 0x08, IMEI

  • 04 0a 98 04 01 81 10 11 30 73 48 f5: field type 0x04, length 0x0a, ICCID

  • 05 09 08 29 62 01 62 20 51 23 61: field type 0x05, length 0x09, IMSI

  • 06 14 ff ff ff ff bf 4f 80 ef 7f 00 80 0f 71 84 08 83 63 60 00 00: field type 0x06, length 0x14, possibly terminal profile

  • 90 00: field type 0x09, length 0, unknown
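The field breakdown above and step 3 of the method (deriving the home PLMN from the IMSI) are easiest to verify with a small parser. The following is an added example of my own, not code from the original post: it walks the dump as tag/length/value fields, decodes the BCD-coded IMEI, ICCID and IMSI, and splits the IMSI into MCC and MNC. It assumes the roles the post assigns to tags 0x03 to 0x06, treats the four bytes before the first 0x03 tag (11 51 01 01 in the dump) as the header, and decodes the 0x05 value in EF_IMSI layout (a length byte followed by a TS 24.008 mobile identity), which is what the bytes fit. The trailing 90 00 is parsed generically as a zero-length element; note that 90 00 is also the ISO 7816-4 success status word, which is my observation, not the post's.

```python
# Added example, not code from the original post: parse the Orange Romania
# SIM payload as tag/length/value fields and decode the BCD identities in it.

# Bytes copied from the Wireshark dump in the post. The three leading "XX"
# bytes (not shown in the post) are omitted, so the data starts at the header.
DUMP = bytes.fromhex(
    "11 51 01 01 03 08 3a 25 76 03 08 91 23"
    "06 04 0a 98 04 01 81 10 11 30 73 48 f5 05 09 08"
    "29 62 01 62 20 51 23 61 06 14 ff ff ff ff bf 4f"
    "80 ef 7f 00 80 0f 71 84 08 83 63 60 00 00 90 00"
)
HEADER_LEN = 4  # assumption: 11 51 01 01 precede the first 0x03 tag


def parse_tlv(data, offset=0):
    """Split data[offset:] into (tag, value) pairs; one-byte tag, one-byte length."""
    fields, i = [], offset
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError(f"truncated tag/length at offset {i}")
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"field 0x{tag:02x} at offset {i} runs past the end")
        fields.append((tag, value))
        i += 2 + length
    return fields


def swapped_bcd(value):
    """Decode nibble-swapped BCD (low nibble first); 0xF is the filler nibble."""
    digits = []
    for b in value:
        for nibble in (b & 0x0F, b >> 4):
            if nibble == 0x0F:
                return "".join(digits)
            digits.append(str(nibble))
    return "".join(digits)


def mobile_identity(value):
    """3GPP TS 24.008 10.5.1.4: bits 1-3 type, bit 4 odd/even, high nibble first digit."""
    kinds = {1: "IMSI", 2: "IMEI", 3: "IMEISV"}
    kind = kinds.get(value[0] & 0x07, "unknown")
    digits = str(value[0] >> 4) + swapped_bcd(value[1:])
    return kind, digits


def home_plmn(imsi):
    """Return (MCC, 2-digit MNC, 3-digit MNC); which MNC length applies depends on
    the country (EF_AD on the SIM records it), hence the post's '5 or 6 digits'."""
    return imsi[:3], imsi[3:5], imsi[3:6]


def decode_payload(data, header_len=HEADER_LEN):
    out = {"header": data[:header_len].hex(), "other": []}
    for tag, value in parse_tlv(data, header_len):
        if tag == 0x03:                       # IMEI as a mobile identity IE
            out["imei_type"], out["imei"] = mobile_identity(value)
        elif tag == 0x04:                     # ICCID, swapped BCD
            out["iccid"] = swapped_bcd(value)
        elif tag == 0x05:                     # EF_IMSI layout: length byte + identity
            out["imsi_type"], out["imsi"] = mobile_identity(value[1:1 + value[0]])
        elif tag == 0x06:                     # possibly the terminal profile; keep raw
            out["terminal_profile_hex"] = value.hex()
        else:                                 # e.g. the trailing 90 00
            out["other"].append((tag, value.hex()))
    if "imsi" in out:
        out["mcc"], out["mnc2"], out["mnc3"] = home_plmn(out["imsi"])
    return out


if __name__ == "__main__":
    for k, v in decode_payload(DUMP).items():
        print(f"{k:22} {v}")
```

Running it recovers a 15-digit IMEI, a 19-digit ICCID starting with 89 40 (the telecom prefix plus Romania's country code) and a 15-digit IMSI beginning 226, Romania's MCC, which is the PLMN you would program into the Lab Kit in step 4. The same decoder can be pointed at any message whose fields are laid out this way; only `HEADER_LEN` and the tag-to-role mapping are specific to this capture.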

Conclusion

Of the five tier-1 SIM cards, four proactively send messages or initiate connections through the cellular modem. Since these transactions take place between the SIM card and the baseband processor, they most likely cannot be observed from the application processor by Android, iOS or any other OS and its applications.
