Talk: SMS Fuzzing – SIM Toolkit Attack

René Pfeiffer/ September 8, 2011/ Conference

We’re pretty sure that you own a mobile phone and that you send and receive text messages. Do you feel at risk or somehow threatened? If not, then you might want to reconsider your opinion. Cell phones, no matter if dumb or smart, are always connected to the mobile phone network. This means that they can receive messages and commands from the network. The security of GSM has already been explored at past DeepSec conferences. There’s a chance that you are prone to attacks. Let’s stick to text messages. At DeepSec 2011 we will show how to make a phone send an SMS message without the user’s consent and how to prevent the phone from receiving any message at all. The method works on any phone, smartphone or not, and on any GSM/UMTS network.

Bogdan Alecu, an independent security researcher, will present the results of his work on SMS fuzzing and attacks on the SIM toolkit at our conference. The SIM toolkit is part of the interface to the SIM card itself. It can receive and process command messages sent from the network without the phone owner’s interaction. Using text messages as an attack vector has already been explored and presented in the SMS-o-Death talk by Collin Mulliner/Nico Golde and in Fuzzing the Phone in your Phone by Collin Mulliner. However, Bogdan targets the SIM itself, so his approach is completely independent of the cell phone brand or the type of network. His project uses an old Nokia 3310 with an F-BUS cable and the dct3tap command line utility to capture the GSM Um and SIM-ME messages into Wireshark for analysis of the attack, along with a software SMS gateway for sending the messages. Bogdan Alecu is going to do a live demo of his attack by asking someone in the audience to volunteer, so that the effects of the specially crafted message can be observed. Bogdan has also prepared some videos demonstrating the attack in case nobody volunteers.

The talk is one of six talks covering mobile phone security at DeepSec 2011.

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.