One Time Pad/One Time IMEI/One Time ICCID

I can remember some early mobile phones (2G) that had no SIM card - its functionality was dealt with in software. I have always wanted to know if it is legal to buy up a huge number of SIMs (or just the IDs) so that every time a call is made, a unique ICCID & IMEI is used and then destroyed.

It is important to note that all SIM cards contain a CPU that supports the Javacard language. It’s a subset of Java and ARM have actually released the SC (secure core) processors that mean the code is executed as is, not interpreted.

I took a look at ARM's design and it IS very secure (but not totally) because officially, the applications cannot switch to native ARM except for the fact that someone posted that Javacard code $FF executed with r0 = r1 = $ffff DOES allow ARM instructions to be run and I did find a way to escape and the granularity that means small bits of dubious code at the end of a genuine applet with the obvious risks.

Maybe it’s too much work for commercial services but I think there would be a market for 1-time-pad symmetrical encryption where 2 people have to physically meet & share keys via a USB cable (OTA inherently a risk).

Of course, knowing how to contact each other becomes an issue but switching ICCID every 5 minutes to detect a call is expected still makes it tricky to tie down WHICH phone(s) are actually connecting.

My last point would be to use something like LPC10e with a (now off patent) ACELP encode/decode would mean that nobody can listen in.

I know this is extreme but some industries (medicinal chemistry being the one I know the most about) actually pay people to physically obtain samples as well as listen in on calls, and a possible leak really could cost billions. Imagine if the people who discovered Viagra had been scooped? It isn’t that another company would make it. It is vastly more likely that someone would apply for a patent before the researchers did with the sole aim of selling the patent rights and/or taking a royalty.

As we say ‘the competition is the competition, the other lab is the enemy’. Yep, they have internal competition and from dumpster-diving to very grey listening in is expected. For these people, a truly secure and totally impossible to hack phone is a BIG DEAL.

If nothing else, I strongly recommend that you look at the ARM SecurCore SC300. There are papers covering the fuzzing of Javacard and Kurt Gödel has proven that it is impossible to produce any system that is axiomatically provable. Maybe just an SC300 with a lot of PROM so after a call is made, the key is utterly destroyed. It takes a 3072-bit RSA key to equal a 128-bit symmetrical key. Of course, quantum computers mean we now have new more efficient solutions but for size & security, symmetrical keys are stronger. Only 2 people will EVER have that key.

If you want to know how to leverage the SC300 SIM, it is important to know that memory allocation is in 256 byte blocks (granules) so if your Javacard code will round up, you can get 63 Thumb 2 instructions, 127 Thumb instructions or a mixture…

But I’m sure you get the picture.
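The one-time-pad idea from the post above (key material shared in person, used once, then destroyed), as an added example that is not part of the thread. The `OneTimePad` class and the sample frame are hypothetical, and the pad is generated locally in place of one exchanged over a cable.

```python
import secrets


class OneTimePad:
    """Pad shared in person; every key byte is used once, then wiped."""

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)  # mutable so consumed bytes can be overwritten
        self._offset = 0            # index of the first unused key byte

    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def _take(self, n: int) -> bytes:
        if n > self.remaining():
            # Reusing key bytes breaks the scheme, so refuse instead.
            raise ValueError("pad exhausted")
        end = self._offset + n
        chunk = bytes(self._pad[self._offset:end])
        # Zero the consumed region of this buffer. Python may keep other
        # copies in memory; a hardware design would erase the storage itself.
        self._pad[self._offset:end] = bytes(n)
        self._offset = end
        return chunk

    def encrypt(self, data: bytes) -> bytes:
        key = self._take(len(data))
        return bytes(d ^ k for d, k in zip(data, key))

    decrypt = encrypt  # XOR with the same key bytes is its own inverse


def demo():
    shared = secrets.token_bytes(64)      # constructed pad for the example
    alice, bob = OneTimePad(shared), OneTimePad(shared)
    frame = b"constructed voice frame"    # constructed sample payload
    ciphertext = alice.encrypt(frame)
    plaintext = bob.decrypt(ciphertext)   # works only while offsets stay in sync
    return frame, ciphertext, plaintext, alice.remaining(), bob.remaining()


if __name__ == "__main__":
    frame, ct, pt, a_left, b_left = demo()
    print(ct.hex(), pt, a_left, b_left)
```

A pad used this way gives confidentiality only: it does not authenticate the sender or detect modified ciphertext, and both sides must consume the pad in the same order.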

I have some leads

bumping post

I think the implication in the opening paragraph is wrong anyway. The IMSI (and ICCID) are on the SIM card, and will indeed change every time you change the SIM. The IMEI is not on the SIM card and will not change when you change the SIM card. (You should be able to verify that easily by removing the SIM card altogether and asking the modem what the IMEI is.)

And perhaps more critically, each and every one of those new IMSI numbers along with its associated unique encryption key needs to be known and valid to the phone company. They’re not going to let you connect unless they can bill you. That combination of IMSI and encryption key is what identifies a customer and you won’t get anywhere on their network unless the two are both valid.

That’s the kicker. Whatever flaws and insecurities a phone company may have, their money flow is sacred and will be very very well monitored. This means that you can’t just generate a random number and expect it to work.
