Stealing a Mobile Identity Using Wormholes
From BruCON 2017
Authentication in mobile networks is usually done using a secure element which is commonly a SIM-Card. It is a tamper resistant device that should prevent cloning of mobile identities by legitimate users as well as attackers.
Mobile network operators as well as most users have an interest in preventing the cloning of a mobile network identity. As the mobile network identity is widely used as authentication factor for online-banking applications and resetting of account-passwords for services at Google, Yahoo and others, protection of the mobile identity is even more important.
A widespread assumption is that for successful authentication a SIM card needs to be present in a device. While this assumption might be true in the era before smartphones, it is not valid anymore. Modern day smartphones have a multitude of communication channels besides the mobile network as for example Bluetooth, NFC, WiFi and generally a constant connection to the internet. We call these communication channels Wormholes as they allow data to travel from the mobile device to places that it was never intended to do.
In this talk we will learn how to access the SIM-Card on Android phones from a native application without special privileges. Additionally techniques for forwarding GSM and 3G authentication vectors to different devices will be presented.
As a special a short walkthrough on analysing and modifying the baseband firmware of a common class of Android phones will be given.