SIM Card Hacking
What is it?
● Social engineering attack that tricks carrier reps into swapping SIM cards
● Deactivates a victim's SIM
● Activates the attacker's SIM under the victim's account
What can happen?
● Attackers now have your phone number
  ○ Any call they make with their fraudulent SIM will show your actual number
  ○ Some phones and carriers allow you to automatically restore contact information and call/text logs to a new SIM/phone over-the-air using their apps
● Can abuse 2 factor authentication and account recovery
  ○ Gain access to online accounts
● Full blown identity theft!
Requirements for Attack
● Target's Name
● Target's Phone Number
● Target's Mobile Carrier
  ○ Easily acquired if you know their number
  ○ http://www.freecarrierlookup.com/
Who are targets for this attack?
Mostly people in the public eye
● Linus Sebastian - Host and Producer on Linus Tech Tips
● Ethan Klein - Producer of H3H3 Productions
● Cammy Harbison - Reporter/Tech Writer for the online publication iDigitalTimes
  ○ She carefully documented her experience
How it Happens (T-Mobile)
● Attacker calls your phone and plants their number in your call log
● Attacker calls T-Mobile and can "prove" they are in possession of your phone
● Change victim account PIN
● Request transfer of service to new SIM, deactivating victim's SIM and phone
● Abuse 2 factor authentication and account recovery to hack into various accounts
What to do if it happens to you
1. Immediately call your mobile phone company
2. Restore service
3. Suspend all changes to the account for a period of time
4. If you believe identity theft has occurred, immediately call the police and file a report
First steps for carriers
● Carriers should be held accountable for damages
● Carriers should implement stronger security policies
● Cellular companies should use the information they already have access to
  ○ Use IMEI (International Mobile Equipment Identity) and IMSI (International Mobile Subscriber Identity)
  ○ IMEI is a unique sequence of numbers that identifies a mobile phone
  ○ IMSI is a unique dynamic sequence of numbers tied to SIM card, service tower, and carrier. It is not easily spoofed like IMEI.
This attack requires the attacker to change account PIN in order to gain full access to an account
Proposed Solutions
● Should minimize effect on genuine customers
  ○ It only takes effect if a customer needs to change their account information and methods of access
● Should be secure enough to prevent this from happening in the future
● Should focus on securing account PIN and methods of access
If you need to change your account PIN - Where phone is physically accessible
● Use IMEI and IMSI to verify that a call makes sense
  ○ If someone from California is calling to change an account from Kentucky, that should raise some red flags
● On top of that, if a user has their phone, has unlocked it, and IMEI and IMSI match, then it is likely the correct user calling
Alternatively
● Carriers should consider a solution like Sedicii
  ○ App that handles authentication
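The check described on this slide, written out as a carrier-side policy function. This is an added illustration and not code from the slides or from any carrier; the account record, the request fields, and the sample identifiers are all constructed for the example. It generalizes the slide slightly by giving a three-way outcome: approve when the handset on record is unlocked and both IMEI and IMSI match, require step-up verification when the identifiers match but the caller's location does not make sense for the account, and fall back to in-store verification when the device identifiers do not match at all.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: the carrier already holds these values for each subscriber
# (IMEI of the handset, IMSI of the SIM, and the billing/home state).
@dataclass
class AccountRecord:
    imei: str
    imsi: str
    home_state: str

# Assumption: the call-handling system can see which device the caller is
# on, whether it has been unlocked, and where the call originates.
@dataclass
class PinChangeRequest:
    imei: str
    imsi: str
    device_unlocked: bool
    caller_state: str

APPROVE = "approve"                      # identifiers match, location consistent
STEP_UP = "step_up_verification"         # identifiers match, but location is a red flag
IN_STORE = "deny_require_in_store"       # device identifiers do not match the account

def evaluate_pin_change(record: AccountRecord,
                        request: PinChangeRequest) -> Tuple[str, List[str]]:
    """Decide how to handle an account PIN change request.

    Returns the decision and the list of reasons (red flags) behind it.
    """
    flags: List[str] = []

    if request.imei != record.imei:
        flags.append("IMEI does not match the handset on record")
    if request.imsi != record.imsi:
        flags.append("IMSI does not match the SIM on record")
    if not request.device_unlocked:
        flags.append("handset has not been unlocked by the caller")
    if request.caller_state.casefold() != record.home_state.casefold():
        flags.append(
            f"call originates from {request.caller_state} but the account is in {record.home_state}"
        )

    identifiers_match = (request.imei == record.imei and
                         request.imsi == record.imsi and
                         request.device_unlocked)

    if identifiers_match and not flags:
        return APPROVE, flags
    if identifiers_match:
        # Device checks pass but the location is inconsistent: do not refuse
        # outright, but do not change the PIN on this call alone either.
        return STEP_UP, flags
    # Without a matching, unlocked device, apply the "phone not physically
    # accessible" policy: verify in person.
    return IN_STORE, flags

# Constructed sample data (not real subscriber identifiers).
SAMPLE_RECORD = AccountRecord(imei="356938035643809",
                              imsi="310260123456789",
                              home_state="KY")

if __name__ == "__main__":
    req = PinChangeRequest(imei="356938035643809", imsi="310260123456789",
                           device_unlocked=True, caller_state="CA")
    decision, reasons = evaluate_pin_change(SAMPLE_RECORD, req)
    print(decision, reasons)
```

The function deliberately keeps the red flags separate from the decision so a call-centre tool can show the representative why a request was held, rather than presenting a bare yes or no.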
Sedicii
Zero Knowledge Proof Protocol - Allows a party to prove that he/she knows something (e.g. a credential) without having to transmit the credential
Example with Credit Card Authorization:
1. Ashley proceeds to website checkout
2. Ashley clicks "buy" to send a request to the Sedicii service
3. Authorization request sent to Ashley's phone
4. Ashley verifies securely on her phone
5. Sedicii service sends approval token to browser and merchant
6. If tokens match, payment is approved
If you need to change your account PIN - Where phone is not physically accessible or is stolen
● Require customer to come into store
● Carriers should have photograph of account holders on hand to verify
Alternatively
● Where available, have another account holder verify the identity of the person requesting the account change
Conclusion
● This attack is easy to execute
● Carriers are putting their customers at risk
● Identity theft is a real concern
● Social engineering is hard to fix because people are easy to fool
Questions?