Over-the-Air (OTA) attack

OTA (Over-The-Air) is a technology used to communicate with, download applications to, and manage a SIM card without being connected physically to the card. With OTA, Network Operator can introduce new SIM services and modify the contents of SIM cards without having to reissue it. With OTA, SIM card can be remotely managed and STK (SIM Toolkit) applications downloaded dynamically. Mobile Operator could be using the OTA mechanism to send binary java applets via SMS (several kilo bytes) to the SIM. These applets could be installed secretly without the user knowing (actually this depends on the handset). The java applets has access to GSM functionality and the Mobile Phone itself. The details of the interface are defined in GSM 11.11 and 11.14.

Please, do not confuse OTA with  over-the-air bitmap, a data format developed by Nokia for sending images via SMS.

The operator sends service requests to an OTA Gateway which transforms the requests into SMS and sends it onto a Short Message Service Centre (SMSC). This special SMS is then transmitted to SIM card.

According to company Company GemPlus?,  which offers techology for OTA services, the following components are needed:

• A back end system to send requests
• An OTA Gateway to process the requests in an understandable format to the SIM card. OTA Gateway has to be phase 2+ in the GSM standard.
• An SMSC to send requests through the GSM network. Message sent to the SMSC needs to be formatted using the right set of parameters as described in GSM 03.48.
• A bearer to transport the request (SMS message)
• Mobile equipment to receive the request and transmit it to the SIM card. Mobile Phone has to be Sim Tool Kit compliant.
• A SIM card to receive and execute the request

 OTA software delivery can be initiated upon action, such as a call to the provider's customer support system, or can be performed automatically. Verizon Wireless in the U.S. provides a number of OTA functions (updates for phone configuration and updates of the Preferred Roaming List) to its subscribers via the *228 service code. OTA by SMS is not limited to cellular network operators. OTA messages may also be generated by third parties and sent directly to the handset. For example, UK VoIP operator aql uses an OTA configuration message to automatically configure the SIP VoIP client on Nokia's E-Series handsets when users sign up for their mobile VoIP service.

OTA via special SMS

An OTA SMS can be several kilobytes in size using the SMS concatenation protocol. The OTA SMS is first received by the Mobile Equipment and then forwarded (depending on the handset - silently or not) to the SIM. The SIM then checks the security of the SMS (if requested) and processes the SMS.

The SMS that most people know are send to the Mobile Equipment (ME) and appear in the inbox of the phone. Another kind of SMS can be send to the SIM directly. Only the Mobile Operator should be able to send an SMS to the SIM (PID 0x7F, Network -> SIM). In practice is it possible on many networks to send a SMS from any mobile phone via the network to the SIM in another mobile phone (SIM -> SIM) without this SMS beeing firewalled by the network. In networks where such SMS are correctly firewalled a SMS directly to the SIM can be send via direct access to an SMSC. There are many SMSC providers on the internet that offer raw access to the SMSC gateway via which SMS to the SIM can be send, but most of SMSC servers are not configured to forward correct  APDU (Application Protocol Data Units) packets.

• The SIM Toolkit Application is specified in  TS 31.111,  GSM 02.19 and  3GPP 22.038.

• Java applets ( GSM 03.19) or C written ELF binaries ( TS 31.131) can be installed and executed on the SIM.

• SMS-PP Data Download (GSM 11.14 7.1): MS can install binary on SIM remotely. user is not notified.

• Call Control (GSM 11.14 4.5): Any outgoing call request is first passed to sim. Sim can modify this call request. This can be used to listen to mobile subscribers: Any time a call is made initiate a conference call to original number and your own mobile.

• Security Mechanisms (GSM 03.48): Security Mechanisms for the SIM applicaton toolkit

FOTA and LAWMO

There is also another quite similar technology, called Firmware Over the Air (FOTA). Open Mobile Alliance has released  specification on Firmware Update Management which standardize the method for FOTA. FOTA is used by Motorola ( Motorola Q9h Silver phone), iPhone and many other vendors. It is estimated, that  around 50% of new mobile phones support FOTA functionality. There are also  efforts to make this updates "seamless" (not visible to end-user).

There is also  Open Mobile Alliance’s Lock-And-Wipe Management Object 1.0 specification (LAWMO) designed to protect a user’s data when a device is sold or stolen. If the device is lost or stolen, user may request to lock the device and wipe all the data from the device. If the device is returned, the user can also request to unlock the device.

Papers and additional info

•  Article on SIM Attack Scenario
•  SIM Toolkit
•  GemPlus about OTA
•  Over-The-Air (OTA) technology, Gemplus OTA Training / Overview, 2003
•  OTA card by TelePak Inc.
•  GSM Cloning
•  Advances in Smartcard Security, by Marc Witteman, Riscure, 2002.
•  Java Card Security by Marc Witteman, Riscure company, 26 February 2004.
•  Sicherheitseigenschaften in GSM-Netzwerken - SIM-Karten und SMS Studienarbeit am Institut für Algorithmen und Kognitive Systeme by Axel Rengstorf, September 2007.
•  Forensics and Sim Cards: an Overview, by Fabio Casadei, Antonio Savoldi and Paolo Gubian, University of Brescia, Fall 2006.
•  SMS & all its features, presentation by Tobias Engel, 2001 (in German).

Exploits/Abuses?

•  Remotely Eavesdropping on Cell Phone Microphones
•  The Athens Affair
•  HTC Vulnerability: Remote executing .EXE files via SL/SI SMS (silently)
  •  Compromising Windows Mobile using a Wap-Push Message
•  Article on SIM Attack Scenario - company Riscure demonstrated how an attacker can remotely control and terminate SIM cards of subscribers by sending a specific data-download SMS to the card. Once terminated, the SIM card is useless and the customer is forced to visit the nearest GSM shop to have his or her SIM swapped.
•  Remote SMS/MMS Denial of Service for Nokia S60 phones, including  video.

Software

•  SimScan v2.01 (for Windows). With this program you can analyze ATR, CLA+INS, FILES, Key, can write IMSI and Ki to GSM a38 SIM Gold Card (PIC 16f84 & EEPROM 24c16). Finding Ki works on SIM cards from 2000-2002 with COMP128-1 ciphering algorithm.
•  easyota-1.2.4.rar, software to create fully SMS-PP download compliant SMS (I didn't tested it and cannot find additional info about).
•  PDUSpy, a software to create custom SMS / PDU messages. There are two ways of sending and receiving SMS messages: by text mode and by PDU (Protocol Sescription Unit) mode. The PDU string contains not only the message, but also a lot of meta-information about the sender, his SMS service center, the time stamp etc. Mobile phone can communicate with PDUspy if it has support for AT+CMEE, AT+CMGF=0, AT+CPMS and AT+CMGL commands.
•  HushSMS Windows Mobile 5 and 6 based PocketPC software for sending silent SMS messages to the mobile phone. The message is discarded on the target phone and no trace exists, however, you will get back a message from the operator that your message has been delivered, proving that your message has been received, and thus you can know that the owners phone is switched on.