Over-the-Air (OTA) attack

OTA (Over-The-Air) is a technology used to communicate with, download applications to, and manage a SIM card without being physically connected to the card. With OTA, a network operator can introduce new SIM services and modify the contents of SIM cards without having to reissue them. With OTA, the SIM card can be remotely managed and STK (SIM Toolkit) applications downloaded dynamically. A mobile operator could use the OTA mechanism to send binary Java applets (several kilobytes) via SMS to the SIM. These applets can be installed silently, without the user knowing (in practice this depends on the handset). The Java applets have access to GSM functionality and to the mobile phone itself. The details of the interface are defined in GSM 11.11 and 11.14. Please do not confuse OTA with the over-the-air bitmap (OTA bitmap), a data format developed by Nokia for sending images via SMS. The operator sends service requests to an OTA Gateway, which transforms the requests into SMS messages and passes them to a Short Message Service Centre (SMSC). This special SMS is then transmitted to the SIM card. According to Gemplus, which offers technology for OTA services, the following components are needed:
OTA software delivery can be initiated on demand, for example by a call to the provider's customer support system, or performed automatically. Verizon Wireless in the U.S. provides a number of OTA functions (updates to the phone configuration and to the Preferred Roaming List) to its subscribers via the *228 service code. OTA by SMS is not limited to cellular network operators: OTA messages may also be generated by third parties and sent directly to the handset. For example, the UK VoIP operator aql uses an OTA configuration message to automatically configure the SIP VoIP client on Nokia's E-Series handsets when users sign up for its mobile VoIP service.

OTA via special SMS

An OTA SMS can be several kilobytes in size, using the SMS concatenation protocol. The OTA SMS is first received by the Mobile Equipment (ME) and then forwarded (silently or not, depending on the handset) to the SIM. The SIM then checks the security of the SMS (if requested) and processes it. The SMS that most people know is sent to the Mobile Equipment and appears in the phone's inbox. Another kind of SMS can be sent directly to the SIM. Only the mobile operator should be able to send an SMS to the SIM (PID 0x7F, Network -> SIM). In practice, on many networks it is possible to send an SMS from any mobile phone, via the network, to the SIM in another mobile phone (SIM -> SIM) without the network firewalling it. In networks where such SMS are correctly firewalled, an SMS can still be sent directly to the SIM via direct access to an SMSC. There are many SMSC providers on the internet that offer raw access to the SMSC gateway through which SMS to the SIM can be sent, but most SMSC servers are not configured to forward correct APDU (Application Protocol Data Unit) packets.
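The distinction above between an ordinary SMS for the phone's inbox and an SMS addressed to the SIM is visible in the TPDU header fields, and that is what a network-side SMS firewall keys on. The following is an added example (not code from the original page or from any operator or vendor it mentions) that parses an SMS-DELIVER TPDU per 3GPP TS 23.040 (the successor of GSM 03.40), flags the three markers of SIM-bound traffic (TP-PID 0x7F "SIM data download", a class 2 TP-DCS, and the TS 23.048 command packet IE 0x70 in the user data header), extracts concatenation info for multi-part OTA payloads, and only lets SIM-bound traffic through from an allow-listed operator originator. The originator allow-list and the sample TPDUs are constructed for this example; it expects bare TPDUs without an SMSC address prefix.

```python
"""Added example: minimal SMS-firewall classification of SMS-DELIVER TPDUs
(3GPP TS 23.040) to separate ordinary inbox messages from SIM-bound OTA traffic."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PID_SIM_DATA_DOWNLOAD = 0x7F   # TP-PID: SIM data download (TS 23.040)
IEI_CONCAT_8BIT = 0x00         # UDH IE: concatenation, 8-bit reference
IEI_CONCAT_16BIT = 0x08        # UDH IE: concatenation, 16-bit reference
IEI_COMMAND_PACKET = 0x70      # UDH IE: (U)SIM Toolkit security header (TS 23.048)

# Hypothetical allow-list of originator addresses used by the operator's OTA
# gateway; a real deployment would take this from operator configuration.
OPERATOR_OTA_ORIGINATORS = {"447700900123"}


@dataclass
class SmsHeader:
    originator: str
    pid: int
    dcs: int
    udhi: bool
    udh_ies: Dict[int, bytes] = field(default_factory=dict)   # IEI -> IE data
    concat: Optional[Tuple[int, int, int]] = None              # (reference, total, seq)


def _decode_semi_octets(data: bytes, ndigits: int) -> str:
    """Reverse-nibble BCD address digits; a trailing 0xF filler is dropped."""
    digits = []
    for b in data:
        digits.append(str(b & 0x0F))
        digits.append(str(b >> 4))
    return "".join(digits)[:ndigits]


def parse_sms_deliver(tpdu: bytes) -> SmsHeader:
    first = tpdu[0]
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(first & 0x40)                 # TP-UDHI: user data header present
    ndigits = tpdu[1]                         # TP-OA: digit count, type-of-address, digits
    addr_len = (ndigits + 1) // 2
    originator = _decode_semi_octets(tpdu[3:3 + addr_len], ndigits)
    pos = 3 + addr_len
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    pos += 2 + 7                              # skip TP-PID, TP-DCS and the 7-octet TP-SCTS
    ud = tpdu[pos + 1:]                       # tpdu[pos] is TP-UDL
    hdr = SmsHeader(originator, pid, dcs, udhi)
    if udhi:
        udhl = ud[0]
        i = 1
        while i < 1 + udhl:                   # walk the IEI / length / data triples
            iei, iel = ud[i], ud[i + 1]
            hdr.udh_ies[iei] = ud[i + 2:i + 2 + iel]
            i += 2 + iel
        if IEI_CONCAT_8BIT in hdr.udh_ies:
            ref, total, seq = hdr.udh_ies[IEI_CONCAT_8BIT]
            hdr.concat = (ref, total, seq)
        elif IEI_CONCAT_16BIT in hdr.udh_ies:
            d = hdr.udh_ies[IEI_CONCAT_16BIT]
            hdr.concat = ((d[0] << 8) | d[1], d[2], d[3])
    return hdr


def dcs_is_class2(dcs: int) -> bool:
    """Class 2 ("SIM specific message") per the TP-DCS coding groups of TS 23.038."""
    group = dcs >> 4
    if group <= 0x3:                          # general data coding: class valid only if bit 4 set
        return bool(dcs & 0x10) and (dcs & 0x03) == 0x02
    if group == 0xF:                          # data coding / message class group
        return (dcs & 0x03) == 0x02
    return False


def classify(tpdu: bytes) -> dict:
    """Firewall verdict plus the reasons the message looked SIM-bound."""
    h = parse_sms_deliver(tpdu)
    reasons = []
    if h.pid == PID_SIM_DATA_DOWNLOAD:
        reasons.append("pid 0x7F (SIM data download)")
    if dcs_is_class2(h.dcs):
        reasons.append("class 2 DCS (SIM specific)")
    if IEI_COMMAND_PACKET in h.udh_ies:
        reasons.append("TS 23.048 command packet header")
    if not reasons:
        verdict = "allow"                     # ordinary ME-bound message
    elif h.originator in OPERATOR_OTA_ORIGINATORS:
        verdict = "allow"                     # SIM-bound, from the operator's OTA gateway
    else:
        verdict = "block"                     # SIM-bound from an unexpected originator
    return {"verdict": verdict, "reasons": reasons,
            "originator": h.originator, "concat": h.concat}


# Constructed sample TPDUs (not captured traffic); timestamps and payload
# bytes are arbitrary, originators are from the UK 07700 900xxx drama range.
SIM_OTA_FROM_OPERATOR = bytes([
    0x44, 0x0C, 0x91, 0x44, 0x77, 0x00, 0x09, 0x10, 0x32, 0x7F, 0xF6,
    0x42, 0x10, 0x51, 0x21, 0x03, 0x00, 0x00, 0x0B,
    0x02, 0x70, 0x00,                                 # UDH: command packet IE
    0x00, 0x08, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00])  # placeholder secured body
ORDINARY_TEXT = bytes([
    0x04, 0x0C, 0x91, 0x44, 0x77, 0x00, 0x09, 0x10, 0x32, 0x00, 0x00,
    0x42, 0x10, 0x51, 0x21, 0x03, 0x00, 0x00, 0x05,
    0xE8, 0x32, 0x9B, 0xFD, 0x06])                    # "hello", GSM 7-bit packed
SIM_OTA_FROM_STRANGER = bytes([
    0x44, 0x0C, 0x91, 0x44, 0x77, 0x00, 0x09, 0x90, 0x99, 0x7F, 0xF6,
    0x42, 0x10, 0x51, 0x21, 0x03, 0x00, 0x00, 0x0C,
    0x07, 0x00, 0x03, 0xA5, 0x02, 0x01, 0x70, 0x00,   # UDH: concat part 1 of 2 + command packet IE
    0xDE, 0xAD, 0xBE, 0xEF])                          # placeholder body
```

Running `classify()` over the three samples gives "allow" for the operator's own OTA message and for the plain text message, and "block" for the SIM-bound message from the non-allow-listed originator, together with the concatenation reference so that all parts of a multi-part payload can be dropped consistently. The check flags any one of the three markers rather than requiring all of them, which is the conservative choice for a firewall; the handset itself only hands a message to the SIM when both PID 0x7F and class 2 are present.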
FOTA and LAWMO

There is also another, quite similar technology called Firmware Over the Air (FOTA). The Open Mobile Alliance has released a specification on Firmware Update Management which standardizes the method for FOTA. FOTA is used by Motorola (for example the Motorola Q9h Silver phone), Apple's iPhone and many other vendors. It is estimated that around 50% of new mobile phones support FOTA functionality. There are also efforts to make these updates "seamless" (not visible to the end user). There is also the Open Mobile Alliance's Lock-And-Wipe Management Object 1.0 specification (LAWMO), designed to protect a user's data when a device is sold or stolen. If the device is lost or stolen, the user may request that the device be locked and all data wiped from it. If the device is returned, the user can also request that it be unlocked.

Papers and additional info
Exploits/Abuses?
Software
Note: OTA (original source; translated and compiled for reference only!)