
UICC manipulation EFOPL

RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

As 'Roam like at home' starts on June 15th, 2017 within the EU, Norway, Iceland and Liechtenstein, we expect manipulated EFOPL (Operator PLMN List) on UICCs. We got noise from the Darknet.

So before getting the first case of this issue we try to understand how encryption on UICC was broken and additional operators were added and others removed. Encryption on UICC is not easy to overcome and as always my slogan towards 'NFCrime' stands.

In 3GPP TS 31.102 v14.2.0 (2017-4), 4.2.59 is the entry point. It depends on each MNO how encryption is put on their UICCs. We search for BH, DefCon, CanSec and PHdays indicators of how the Darknet got these tools.

3G encryption TS 55.216
http://www.etsi.org/deliver/etsi_ts/155200_155299/155216/14.00.00_60/ts_155216v140000p.pdf

LTE encryption TS 55.241, 55.242, 55.243 (split in 3 TSs)
http://www.etsi.org/deliver/etsi_ts/155200_155299/155241/14.00.00_60/ts_155241v140000p.pdf
http://www.etsi.org/deliver/etsi_ts/155200_155299/155242/14.00.00_60/ts_155242v140000p.pdf
http://www.etsi.org/deliver/etsi_ts/155200_155299/155243/14.00.00_60/ts_155243v140000p.pdf

Any helpful thoughts pls PM me.

Thank you in advance.

 
Posted : 10/06/2017 11:35 am
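
For examiners who want to check a UICC for the kind of change described in the post above, the following added example (not part of the original thread) decodes an EF_OPL dump and diffs it against a known-good dump of the same card profile. It assumes the 8-byte record layout of TS 31.102 section 4.2.59 (3-byte PLMN, LAC/TAC range, PNN record identifier); the function names and all sample bytes are constructed for illustration.

```python
# Added example: decode EF_OPL records and diff a suspect dump against a baseline.
# Assumed record layout (3GPP TS 31.102, 4.2.59): 3-byte nibble-swapped BCD PLMN
# (wildcard digit 'D' allowed), 2-byte LAC/TAC start, 2-byte LAC/TAC end,
# 1-byte PNN record identifier. Unused records are filled with 0xFF.

RECORD_LEN = 8
DIGITS = "0123456789ABCDEF"

def decode_plmn(b):
    """Decode a 3-byte PLMN into 'MCC-MNC'; the 0xF filler of a 2-digit MNC is dropped."""
    mcc = DIGITS[b[0] & 0x0F] + DIGITS[b[0] >> 4] + DIGITS[b[1] & 0x0F]
    mnc = DIGITS[b[2] & 0x0F] + DIGITS[b[2] >> 4] + DIGITS[b[1] >> 4]
    return mcc + "-" + mnc.rstrip("F")

def parse_opl(raw):
    """Return a list of (plmn, lac_start, lac_end, pnn_id), skipping unused records."""
    if len(raw) % RECORD_LEN:
        raise ValueError("EF_OPL dump is not a multiple of %d bytes" % RECORD_LEN)
    records = []
    for off in range(0, len(raw), RECORD_LEN):
        rec = raw[off:off + RECORD_LEN]
        if rec == b"\xff" * RECORD_LEN:
            continue
        records.append((decode_plmn(rec[:3]),
                        int.from_bytes(rec[3:5], "big"),
                        int.from_bytes(rec[5:7], "big"),
                        rec[7]))
    return records

def diff_opl(baseline, suspect):
    """Return (added, removed): records only in the suspect dump / only in the baseline."""
    base, susp = parse_opl(baseline), parse_opl(suspect)
    added = [r for r in susp if r not in base]
    removed = [r for r in base if r not in susp]
    return added, removed

# Constructed sample dumps using test-range PLMN values, not data from a real card.
BASELINE = bytes.fromhex("00F1100000FFFE01" "00F1200000FFFE02" "FFFFFFFFFFFFFFFF")
SUSPECT = bytes.fromhex("00F1100000FFFE01" "9939210000FFFE02" "FFFFFFFFFFFFFFFF")

if __name__ == "__main__":
    added, removed = diff_opl(BASELINE, SUSPECT)
    for tag, recs in (("added", added), ("removed", removed)):
        for plmn, lo, hi, pnn in recs:
            print("%-7s PLMN %s LAC %04X-%04X PNN record %d" % (tag, plmn, lo, hi, pnn))
```
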
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Is there a website showing as much detailed data as possible, or a login-protected platform, to see which MNO has running roaming contracts? The roaming layer is so non-transparent that a case-by-case lookup alone does not help to learn the mechanics of big MNOs and their changes.

Please help. Thank you.

 
Posted : 12/06/2017 10:21 pm