Mobile Phone Hacking:
A lucrative, but largely hidden history
DC4420
David Rogers
27th May 2014
Copyright © 2014 Copper Horse Solutions Ltd. All rights reserved.
http://www.mobilephonesecurity.org
Car Radio Hacking – 1990s / 2000s
• PIN locks to deter theft and remove the resale value of a stolen unit
• Hacking tools reset / calculate / remove the security codes
Some Phone Terms: SIMlock & IMEI
• SIMlock:
  – used to tie the device to a particular network during the period of the subsidy; can be unlocked with CK (control key) codes by calling the operator
  – different variants of locks
  – recent court case in the US over legality (and lots of other previous fights)
• IMEI:
  – the International Mobile Equipment Identity number
  – unique to each device
  – can be blocked if the device is stolen
• Other interesting information on the device that would be hacked
  – e.g. to change language packs, phone lock removal, text etc.
• Big battle between the mobile industry and hacking groups between c.1999 and now – has evolved into the jailbreak / root community
‘Unlocking’ and IMEI changing
• What is ‘unlocking’?
  – removing SIMlocks
  – most hacking used to be aimed at the SIMlock area
• The security area in the handset would protect all sensitive data – including the IMEI and the SIMlock
• What is a dirty hack?
  – hacks targeted against the security area would often corrupt data – including the IMEI
  – data such as RF calibration settings would often be wiped out
• Hacking tools are usually dual-use (SIMlock and IMEI)
  – causes problems in countries where IMEI changing is illegal – direct proof is difficult and costly to obtain
Mobile Phone Security - David Rogers
Historic Criminal Structure (diagram)
  Actors: embedded hacker; hacking group; application hacker; internet shop; shop or stall; repair centre; re-seller; organised crime; black market exporter (unlocking / IMEI changing); end-user; thief; drug dealer
  Channels: Internet; eBay
  Crimes: mass theft; subscription fraud; street crime; counterfeiting; IP theft; ‘user’ crimes (murder etc.)
Historic Financial Structure (diagram)
  Actors: embedded hacker; hacking group; application hacker; internet shop; shop or stall; repair centre; re-seller; organised crime; end-user; thief; drug dealer; free software
  Value and payment method:
    £10 - £30      cash, debit / credit card
    £50 - £500     Western Union, PayPal, postal order
    £500 - £5000   Western Union
    £5000+         Western Union
Examples of Hacking Hardware
• Standard service repair equipment
  – fraudulent purchasing of the manufacturer’s equipment
• Mass-produced hardware by hacking groups
  – Griffin Box
  – UFS-3 (Twister)
  – Blazer
  – Clips
• Evolution
  – new equipment was constantly developed as new models were released
  – new technologies and hardware security were built to ensure revenue
Mass Manufacture of Hacking Hardware
Examples of Hacking Hardware (2)
• Most hacks steal their solutions from already existing hacks
  — there may seem to be 22 hacks available – they are just old hacks re-packaged
  — different front-end to the software
  — different hardware
  — the ‘golden’ part of the source code comes from one hack
• Lots of ‘ghost’ hacks that exist only to defraud people
  — the same happened in 2012 with jailbreaking on iOS 6
Hardware Hacking Methods
• EEPROM cloning or ‘chipping’
  – old method
  – the EEPROM was copied with basic equipment
  – main aim: fit an EEPROM with no SIMlock
  – result: the IMEI number was cloned along with it
• PICs (PIC microcontrollers)
  – execute small sequences of commands
  – placed in-line to ‘snatch’ or modify data
• Flash device hot-swapping (almost impossible now)
• Exploitation of boundary scan ports
• External clips and dongles
• Note: less economical than software hacks
In-line PIC Between SIM and Device
Software Hacking Methods
• Direct change
  – breaking a programming algorithm
  – finding the correct test-interface protocol command
    • still used(!): serial communications / USB monitoring equipment
• Modifying binary files (software download files)
  – inserting jump code
  – hijacking other functions in the code to subvert security
  – taking advantage of software design flaws
• Abuse of boundary scan to monitor phone processes
• ‘Dumping’ data from secure areas to logs
• Brute-force cracking of algorithms
• Theft of information from design centres / factories / service centres
• The “Voodoo Galaxy SIII SIM unlock” tool required the device to be rooted…
Typical (Old) Software Hack Methodology (diagram)
  Manufacturer and hacker tracks over a timescale of 0 months to 6 - 12 months
  Stages shown: marketing launch at trade show; phone released to market; research; theft of early model; network operator samples; open source info and hacking tools; hacking solution; distribute application; protect application; application protection tools; product security; detection
Use of Hardware Clips – 5 Second Unlocking!
• Simple to use, takes its power from the handset
• Contains a programmable integrated circuit (PIC)
• Bombards the handset with commands in a repetitive sequence
• The handset eventually gives up and resets itself – unfortunately resetting the SIMlock as well!
• This type of attack was used on many different makes of handset
• Clips have now evolved and the term is usually used in reference to dongles
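The clip attack works only because the handset's recovery path is fail-open: a reset rebuilds the security area, and the rebuilt state has no lock. The toy handset below is an added example, not code from the talk or from any real firmware. It models that behaviour next to a fail-closed version in which a reset touches only volatile state and the lock changes only through a verified control key with a persistent retry counter. The command format, the watchdog threshold of three bad commands, the IMEI and the control key value are all constructed for the example.

```python
"""Added example (not from the slides): a command-flood clip against a
fail-open reset handler, beside a fail-closed handler. Toy model only."""
import hashlib
import hmac

IMEI = "490154203237518"             # constructed, Luhn-valid IMEI
CK_CODE = "12345678"                 # constructed control key for this device
CK_VERIFIER = hashlib.sha256(CK_CODE.encode()).hexdigest()
MAX_CK_ATTEMPTS = 5                  # assumed retry limit
BAD_COMMANDS_BEFORE_RESET = 3        # assumed watchdog threshold


class VulnerableHandset:
    """Recovery rebuilds the security area from a factory template, and the
    template carries no SIMlock: every reset is an unlock."""
    FACTORY_TEMPLATE = {"simlock": False, "ck_attempts": 0}

    def __init__(self, imei=IMEI):
        self.security_area = {"imei": imei, "simlock": True, "ck_attempts": 0}
        self.bad_commands = 0

    def reset(self):
        # BUG: lock state is rebuilt from the unlocked template.
        imei = self.security_area["imei"]
        self.security_area = dict(self.FACTORY_TEMPLATE, imei=imei)
        self.bad_commands = 0

    def handle(self, cmd: bytes) -> bytes:
        if cmd.startswith(b"AT"):
            self.bad_commands = 0
            return b"OK"
        self.bad_commands += 1
        if self.bad_commands >= BAD_COMMANDS_BEFORE_RESET:
            self.reset()                 # watchdog-style recovery from garbage
            return b"RESET"
        return b"ERROR"

    @property
    def simlocked(self) -> bool:
        return self.security_area["simlock"]


class HardenedHandset(VulnerableHandset):
    """Reset clears only volatile state; the lock and the CK retry counter
    live in persistent storage and change only through a verified unlock."""

    def reset(self):
        self.bad_commands = 0            # nothing in security_area is touched

    def unlock(self, code: str) -> bool:
        sa = self.security_area
        if sa["ck_attempts"] >= MAX_CK_ATTEMPTS:
            return False                 # counter survives resets, so no retry via reset
        sa["ck_attempts"] += 1
        digest = hashlib.sha256(code.encode()).hexdigest()
        if hmac.compare_digest(digest, CK_VERIFIER):
            sa["simlock"] = False
            sa["ck_attempts"] = 0
            return True
        return False


def clip_attack(handset, rounds: int = 100) -> bool:
    """Flood the handset with junk the way a clip does; return True if it is
    still SIMlocked afterwards."""
    for i in range(rounds):
        handset.handle(bytes([0xFF, i & 0xFF, 0x00]))
    return handset.simlocked


if __name__ == "__main__":
    print("vulnerable still locked:", clip_attack(VulnerableHandset()))   # False
    print("hardened still locked:  ", clip_attack(HardenedHandset()))     # True
```

The defensive point is in `HardenedHandset.reset`: recovery code must never re-initialise security state, and the retry counter must live where a reset cannot reach it, otherwise the reset itself becomes the attacker's way around the counter.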
“Logs”
• Used as a method of continually generating revenue for the real hackers and re-sellers at the top of the food chain – a historical issue for hackers
• Original concept by three Nokia hackers and dealers from Serbia:
  – George, Boban (Slobodan Andrics) and Dejan (Dejan Kaljevic)
• How do logs work?
  – encrypted by hackers to avoid cracking by other hackers
  – an example:
    • crack the master security locks -> generate an encrypted log of the security-area information -> close the security lock on the handset again!
• ‘Logs’ are only available if the hacking solution is two-part:
  – a ‘dumb’ client application communicates with the handset
  – the data is sent to the hacker / re-seller
  – the corresponding data to unlock / change the IMEI is received back from the hacker / re-seller
CK Algorithm Breaches
• Some manufacturers and ODMs used symmetric algorithms based on the IMEI number to generate CK codes
  – broken, and every possible code for each IMEI became available
• Later versions cracked the factory / service tools, because they were leaked, rather than cracking the handset
• Down to poor manufacturer security and breaking the principle of no stored, shared secrets!
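The slide's point is that a code derived from the IMEI with one symmetric key that every handset and every service tool must hold is not a secret at all: once the key leaks from one firmware dump or one leaked tool, a table of codes for every IMEI follows. The example below is added here and is not code from the talk. It shows such a scheme beside one that keeps no shared secret on the handset, only a per-device salted verifier of a random factory-assigned code, so a dump of one handset yields nothing usable on another. The IMEI check-digit (Luhn) validation is the standard algorithm; the key value, the IMEIs, the eight-digit code length and the PBKDF2 parameters are constructed assumptions.

```python
"""Added example (not from the slides): IMEI-derived control keys with a
shared key, versus per-device random codes with no shared secret."""
import hashlib
import hmac
import secrets

CK_DIGITS = 8   # assumed code length


def luhn_sum(digits: str) -> int:
    """Luhn checksum over a digit string; 0 means the check digit is right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10


def imei_check_digit(imei14: str) -> str:
    """The 15th IMEI digit makes the whole number Luhn-valid."""
    return str((10 - luhn_sum(imei14 + "0")) % 10)


def imei_is_valid(imei: str) -> bool:
    return len(imei) == 15 and imei.isdigit() and luhn_sum(imei) == 0


# --- Weak scheme: one symmetric key shared by every handset and every tool ---
SHARED_KEY = b"vendor-ck-key-2004"   # constructed; in practice it sat in firmware and service tools


def weak_ck(imei: str, key: bytes = SHARED_KEY) -> str:
    """CK = f(shared key, IMEI). Anyone holding the key can compute every code."""
    mac = hmac.new(key, imei.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**CK_DIGITS:0{CK_DIGITS}d}"


def weak_handset_accepts(imei: str, code: str, key: bytes = SHARED_KEY) -> bool:
    # The handset must hold the key to check the code offline, so the key is extractable.
    return hmac.compare_digest(weak_ck(imei, key), code)


def codes_from_leaked_key(leaked_key: bytes, imeis) -> dict:
    """What a leaked service tool gives the hacker: a code for any IMEI."""
    return {imei: weak_ck(imei, leaked_key) for imei in imeis}


# --- Hardened scheme: random per-device code, handset stores only a verifier --
def provision(imei: str):
    """Factory step: returns (code for the operator database, handset record)."""
    code = f"{secrets.randbelow(10**CK_DIGITS):0{CK_DIGITS}d}"
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", code.encode(), salt + imei.encode(), 50_000)
    return code, {"salt": salt, "verifier": verifier}


def hardened_handset_accepts(imei: str, code: str, record: dict) -> bool:
    """No secret shared across devices: a dump of one handset yields only its own salted verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", code.encode(), record["salt"] + imei.encode(), 50_000)
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    second = "35" + "0" * 12
    fleet = ["490154203237518", second + imei_check_digit(second)]   # constructed IMEIs
    assert all(imei_is_valid(i) for i in fleet)
    stolen = codes_from_leaked_key(SHARED_KEY, fleet)
    print("weak scheme, leaked key unlocks every IMEI:",
          all(weak_handset_accepts(i, c) for i, c in stolen.items()))
    code_a, rec_a = provision(fleet[0])
    _, rec_b = provision(fleet[1])
    print("hardened, device A code on device A:", hardened_handset_accepts(fleet[0], code_a, rec_a))
    print("hardened, device A code on device B:", hardened_handset_accepts(fleet[1], code_a, rec_b))
```

A signature-based scheme, where the handset stores only the operator's public key and accepts a signed (IMEI, unlock) message, removes even the per-device verifier from what a dump can yield; it is left out here to keep the example within the standard library. Note that an eight-digit code space is still small enough to brute-force offline against one extracted verifier, which is why the retry counter and the slow hash matter, and why the shared-key design was so much worse: it turned one extraction into codes for every device ever shipped.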
De-capping and Focused Ion Beam Equipment
Newer Hardware and System Level Attacks
• George Hotz – original iPhone jailbreak
  – used a hardware flaw to XOR a data address and insert jump code into empty memory, where he could execute his own bootloader
  – allegedly assisted by European Infineon hacking teams
• Rooting
  – various methods, exploiting vulnerabilities
  – usually used as a staging area for other attacks (e.g. malware)
  – examples:
    • RageAgainstTheCage, uboot, zergRush, GingerBreak
    • other private exploits
  – some manufacturers provide it as a service in order to stop people hacking
• Legal battles around this area (e.g. US Copyright Office 2010, 2012)
  – OK to remove SIMlocks and root devices
Newer Motivations
• Main targets / motivations recently have been:
  – rooting / jailbreaking the device – for piracy / other apps / custom OS / spyware
  – SIM unlocking – break out of the subsidy (cheap device) / fraud / export of stolen devices
  – IMEI changing – re-enable stolen handsets in the same country
  – launchpad attacks – spyware / malware / anti-theft tools / in-app billing
  – fixing issues – e.g. old SIMlocked device, can’t contact the operator
Handset Embedded Security Evolution (to 2012) (timeline diagram, 2002 - 2012)
  Industry specifications: EICTA / GSMA 9 Principles; OMTP Trusted Environment: OMTP TR0; OMTP Advanced Trusted Environment: OMTP TR1; TCG MPWG Specification; GSMA Pay-Buy-Mobile; WAC; webinos
  Fragmented security: Google / Apple proprietary hardware security features; RIM / Nokia proprietary security features; banking / film industry requirements
Evad3rs, i0n1c, geohot, RedSn0w – iOS 6 & iOS 7
• The iOS 6 jailbreak “used more zero-days than stuxnet”*
• Millions of downloads – a huge market
• The evasi0n iOS 7 jailbreak (evasi0n7) was rushed out due to competition (and the 7.1 release), packaged with a Chinese app store (TaiG)
  – rumoured to be a $1 million deal
  – rumours of dirty tricks / questionable sources for some of the holes
  – strategic and tactical thinking, all ‘untethered’
• Some holes allegedly held back by various teams for future cracks on iOS 8
• Teams still reverse and hack each other’s tools (like SIMlock)
• George Hotz tried to sell to a Chinese team (via a broker) for $350,000
  – an audio clip of the negotiation discussions was released
* Ref: http://www.forbes.com/sites/andygreenberg/2013/02/05/inside-evasi0n-the-most-elaborate-jailbreak-to-ever-hack-your-iphone/
May 2014 – Root Bounty for Verizon & AT&T
Kill Switch / Anti-Theft Mechanism Targeting?
• Obvious this would happen
Car Radio Hacking - 2014
Questions?
david.rogers {@} copperhorse.co.uk
@drogersuk
Mobile Systems Security course:
http://www.cs.ox.ac.uk/softeng/subjects/MSS.html
Mobile Security: A Guide for Users:
http://www.lulu.com/gb/en/shop/david-rogers/mobile-security-a-guide-for-users/paperback/product-21197551.html
http://www.mobilephonesecurity.org
