Iranian UICCs hacked

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Re: Iranian UICCs hacked

Posted: Thu Jan 03, 2019 1:30 pm

- TinyBrain
IPX brokers are somehow in the shadows. There are many, but I cannot find any platform to get an overview of who is related to whom.
Can anybody bring light into the IPX broker domain?

Toda


Have you Google-searched "IPX direct-connection"?

Also, have you considered SMS with payload, point-to-multipoint (broadcast)?

What about e.g. SCP01, SCP02, SCP03/SCP03t, SCP11, SCP80, SCP81?
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 

trewmte
Senior Member
Re: Iranian UICCs hacked

Posted: Thu Jan 03, 2019 1:47 pm

I did, and just found that signalling is over SS7 or Diameter. I walk in the dark.

- how are these IPX brokers certified (e.g. GSMA SAS)?
- is there a command to looking-glass or trace the path between the IPXs?
- they run proprietary service platforms or suites, dark from the outside; how to understand them?

SMS payload: yes, I have a beginner level since last week.

Please allow me to pose my question again. Is there any process, except from a UICC vendor, to push a process to all UICCs to reach for any may normal reason?

We were informed that the rollback process of RSP in the case of a UICC firmware upgrade was possible in 3G times???
Normally, new microcode is sent and overwrites the previous version (build) in software.

My emotional sense says hiding was extremely good in this case. So hiding behind a legitimate process is the next key to find.

A new year, a new term: Shadow Hiding Infection (SHI)

Anybody who wants to join, see the IR34 doc link pointing towards gsma.com:
www.gsma.com/newsroom/...14.0-3.pdf

TinyBrain
Senior Member
Re: Iranian UICCs hacked

Posted: Sat Jan 05, 2019 6:34 am

- TinyBrain
I did, and just found that signalling is over SS7 or Diameter. I walk in the dark.

Maybe it's better you first define what you really want and then get help from telecom security experts.

- TinyBrain
they run proprietary service platforms or suites, dark from the outside; how to understand them?

It is like an untrusted network and should be secured by the related security devices.

- TinyBrain
SMS payload: yes, I have a beginner level since last week.

OK, I can help you to find more.


- TinyBrain
Please allow me to pose my question again. Is there any process, except from a UICC vendor, to push a process to all UICCs to reach for any may normal reason?

I couldn't get what you mean with "for any may normal reason", but for both binary OTA and OTA over HTTPS, the initiator should send a binary message to open a channel for the next step.

- TinyBrain
We were informed that the rollback process of RSP in the case of a UICC firmware upgrade was possible in 3G times???
Normally, new microcode is sent and overwrites the previous version (build) in software.

I think your problem is comparing SIM, USIM and eSIM. RSP is not possible for SIM and USIM. MNOs also don't support eSIM in Iran. To provision an eSIM remotely, you need to have a certificate and sign queries with the certificate issued by the vendors.
If you explain more about what exactly you have in mind and found as a UICC infection, I can help you more and define an exact scenario.

- TinyBrain
Anybody who wants to join, see the IR34 doc link pointing towards gsma.com:
www.gsma.com/newsroom/...14.0-3.pdf

There is no relation between this document and UICCs except sending binary messages inside this network.

Dalton-C
Newbie
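Dalton-C's point above (binary OTA begins with a binary message to the card) and trewmte's mention of SCP80 both refer to the ETSI TS 102 225 secured command packet carried over SMS-PP. As an added example (my own code, not from this thread, MCI, G&D or any vendor), here is a Python parser for the clear-text header of such a packet that reports which protections the SPI/KIc/KID bytes actually request, the check an OTA gateway or SIM log review would want. The TAR and ciphered bytes in the samples are constructed, and the bit layout follows my reading of TS 102 225; a card with a proprietary profile may differ, which is an assumption on my part.

```python
# Added example, not from the thread: decode the clear-text header of an ETSI
# TS 102 225 (SCP80) command packet, i.e. the "binary OTA" message carried in
# SMS-PP, and flag packets whose SPI asks for no real protection.
RC_CC_DS = {0: "none", 1: "RC", 2: "CC", 3: "DS"}
COUNTER = {0: "no counter", 1: "counter not checked",
           2: "accept if counter > stored", 3: "accept if counter == stored+1"}
ALGO = {0: "implicit", 1: "DES", 2: "AES", 3: "proprietary"}

def parse_command_packet(pkt: bytes) -> dict:
    """Return the header fields; everything after TAR is ciphered when SPI b3 is set."""
    if len(pkt) < 16:
        raise ValueError("too short for a command packet")
    cpl = int.from_bytes(pkt[:2], "big")          # bytes after CPL itself
    if cpl != len(pkt) - 2:
        raise ValueError(f"CPL {cpl} != {len(pkt) - 2} bytes present")
    chl = pkt[2]                                  # SPI .. RC/CC/DS inclusive
    if chl < 13 or 3 + chl > len(pkt):
        raise ValueError(f"CHL {chl} inconsistent with packet length")
    spi1, spi2, kic, kid = pkt[3], pkt[4], pkt[5], pkt[6]
    return {
        "integrity": RC_CC_DS[spi1 & 0x03],       # SPI byte 1, b2b1
        "ciphered": bool(spi1 & 0x04),            # SPI byte 1, b3
        "counter_mode": COUNTER[(spi1 >> 3) & 0x03],  # SPI byte 1, b5b4
        "por_required": (spi2 & 0x03) != 0,       # SPI byte 2, b2b1
        "kic": (ALGO[kic & 0x03], kic >> 4),      # algorithm family, key set
        "kid": (ALGO[kid & 0x03], kid >> 4),
        "tar": pkt[7:10].hex(),
        "rc_cc_ds_len": chl - 13,                 # 0 when no RC/CC/DS
        "secured_len": len(pkt) - 3 - chl,
    }

def findings(h: dict) -> list[str]:
    """Weak settings an OTA gateway or SIM log review should flag."""
    out = []
    if h["integrity"] in ("none", "RC"):
        out.append("no cryptographic integrity (" + h["integrity"] + ")")
    if not h["ciphered"]:
        out.append("secured data in clear")
    if h["counter_mode"] in (COUNTER[0], COUNTER[1]):
        out.append("replay counter not enforced")
    return out

# Constructed samples (TAR and ciphered bytes are made up, not real MCI traffic).
UNPROTECTED = bytes.fromhex("0015 0d 0000 00 00 b00010 0000000000 00 a0a40000023f00")
PROTECTED = bytes.fromhex("0020 15 1605 15 15 b00010" + "5a" * 24)

if __name__ == "__main__":
    for pkt in (UNPROTECTED, PROTECTED):
        print(findings(parse_command_packet(pkt)) or ["ok"])
```

Because CNTR, PCNTR, the RC/CC/DS and the secured data are all ciphered when b3 is set, only the fields up to TAR can be read without KIc, which is why the check stops at the SPI/KIc/KID bytes.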
Re: Iranian UICCs hacked

Posted: Fri Jan 11, 2019 8:29 am

What we really want is to reverse-understand the InfectionPath. It was not an SMS payload as a multicast service 1:n. It was a UICC firmware update process over the OTA servers of MCI. Normally firmware updates (Java Card applications) are initiated by the manufacturer, in this case G&D. But they did not initiate the update process. It came from outside the MCI 3G core over Diameter from an unknown IPX broker. This is the reason we call it hidden, unaware. No malfunction on the UICCs of millions of MCI subscribers. The infection installed a 'pipe'. What do I mean by this? The adversary behind it wanted to have an all-the-time possibility to get 'data' out of the UICCs, revealing one or multiple subscribers' 'data'. By 'pipe' we describe this as 'a long arm internationally'. The 'pipe' is still open on the roaming MCI 3G UICC we have in-lab.

Last edited by TinyBrain on Sat Jan 12, 2019 10:21 am; edited 1 time in total

TinyBrain
Senior Member
Re: Iranian UICCs hacked

Posted: Fri Jan 11, 2019 9:09 am

It's none of my business, but I think you are on the wrong track (this is my personal opinion).

Instead of figuring out an unknown IPX broker, first figure out who had legitimate send permissions, and you will narrow the possibilities. Look for LTE bugs as well.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 

passcodeunlock
Senior Member
Re: Iranian UICCs hacked

Posted: Fri Jan 11, 2019 9:55 am

Appreciate your feedback!  

TinyBrain
Senior Member