SIMjacker: does it affect Librem 5?


#21

The modem would be executing the AT commands from the SIM. The rest of the phone would not necessarily even have a way to know that an AT command had been requested, let alone have the power to control the response to the command.

I guess the software in charge of checking for incoming SMS messages should be sure to delete them from the SIM once they’ve been received, in the interests of limiting how much data is stored on the SIM.


#22

yeah that broadband will stay locked-tight for the foreseeable future it seems …


#23

That does leave the possibility to fake outgoing calls, which could be a problem (either premium calls, or calls to nefarious groups or similar).

Paid SMS are another attack vector, or SMS confirming paid subscriptions. Intercepting authentication SMS (e.g. from on-line banking) should be also possible.


#24

For sure. However I don’t suppose it is possible to do that retrospectively with the Librem 5 v1 ???

What you may be suggesting could be done in a number of ways, e.g. directly putting a filtering chip between the SIM and the modem, or e.g. making the SIM virtual and putting the CPU between the real SIM and the modem. But presumably it is too late for trickery like that. ???

Limited to what could be achieved retrofitted … perhaps the firmware on the modem could be updated so that all binary SMSs (aka data SMSs / could alternatively be called application SMSs) are passed to the host for approval before doing anything with them. That unfortunately requires trust in the modem.

(Also in part being discussed in this topic: Detecting so called "silent SMS")

The article also contains the recommendation that there be

filtering at the network level to intercept and block “illegitimate binary SMS messages”

That requires trust in the government and the telco, and confidence in their competence. It isn’t a good long term solution.

The article comments

we have observed the S@T protocol being used by mobile operators in at least 30 countries whose cumulative population adds up to over a billion people

Does anyone have a list of those 30 countries? That would narrow it down to people who know for certain that they should be worried about this.
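Added example, not from the thread or from Purism: if a modem did hand every inbound PDU to the host before acting on it, as the retrofit idea in post #24 suggests, the host would need a rule for which messages to hold. The classifier below parses an SMS-DELIVER PDU in the form a modem reports it (SMSC header first) and flags the three markers that point a message at the (U)SIM rather than the user: TP-PID 0x7F ((U)SIM data download), a class 2 TP-DCS, and a (U)SIM Toolkit security header in the UDH. The two PDUs at the bottom are constructed (made-up SMSC, sender, timestamp and payload; the "command packet" bytes are a synthetic 23.048-style layout, not any real applet's traffic).

```python
"""Classify SMS-DELIVER PDUs by whether they target the (U)SIM rather than the
user.  If a modem handed every inbound PDU to the host before acting on it,
this is the check the host could run to hold SIM-bound binary messages for
approval.  Constructed example: numbers, payload and PDUs are made up."""
from dataclasses import dataclass, field
from typing import List, Optional

PID_SIM_DATA_DOWNLOAD = 0x7F                  # 3GPP TS 23.040, 9.2.3.9
IEI_SIM_TOOLKIT_SECURITY = range(0x70, 0x80)  # 3GPP TS 23.040, 9.2.3.24


@dataclass
class SmsDeliver:
    smsc: str
    sender: str
    pid: int
    dcs: int
    udh_ieis: List[int]
    user_data: bytes          # raw; 7-bit text is not unpacked here
    reasons: List[str] = field(default_factory=list)

    @property
    def sim_bound(self) -> bool:
        return bool(self.reasons)


def _decode_address(toa: int, digits: bytes) -> str:
    """Semi-octet BCD, low nibble first; 0xF pads an odd digit count."""
    if (toa & 0x70) == 0x50:               # alphanumeric: keep as hex
        return digits.hex()
    out = []
    for b in digits:
        for nib in (b & 0x0F, b >> 4):
            if nib != 0x0F:
                out.append("%X" % nib)     # A-E stand in for * # a b c
    return ("+" if (toa & 0x70) == 0x10 else "") + "".join(out)


def _dcs_class(dcs: int) -> Optional[int]:
    """Message class 0-3 carried by TP-DCS, or None (3GPP TS 23.038)."""
    group = dcs >> 4
    if group <= 0x3:                        # general data coding
        return dcs & 0x03 if dcs & 0x10 else None
    if group == 0xF:                        # data coding / message class
        return dcs & 0x03
    return None


def parse_sms_deliver(pdu_hex: str) -> SmsDeliver:
    """Parse an SMS-DELIVER PDU as a modem returns it, SMSC header included."""
    b = bytes.fromhex(pdu_hex)
    smsc_len = b[0]                          # octets following, incl. TOA
    smsc = _decode_address(b[1], b[2:1 + smsc_len]) if smsc_len else ""
    i = 1 + smsc_len
    first = b[i]; i += 1
    if first & 0x03 != 0x00:
        raise ValueError("TP-MTI is not SMS-DELIVER")
    udhi = bool(first & 0x40)
    oa_digits, toa = b[i], b[i + 1]; i += 2  # TP-OA length is in digits
    oa_len = (oa_digits + 1) // 2
    sender = _decode_address(toa, b[i:i + oa_len]); i += oa_len
    pid, dcs = b[i], b[i + 1]; i += 2
    i += 7 + 1                               # skip TP-SCTS and TP-UDL
    ud = b[i:]
    ieis: List[int] = []
    if udhi:                                 # walk the user data header
        udhl = ud[0]
        hdr, j = ud[1:1 + udhl], 0
        while j + 1 < len(hdr):
            ieis.append(hdr[j])
            j += 2 + hdr[j + 1]
        ud = ud[1 + udhl:]
    msg = SmsDeliver(smsc, sender, pid, dcs, ieis, ud)
    # 3GPP TS 31.111 routes an SMS-PP into the (U)SIM (SMS-PP data download
    # ENVELOPE) when TP-PID is 0x7F and TP-DCS is class 2.  Flag either
    # condition on its own, plus any OTA security header, to stay conservative.
    if pid == PID_SIM_DATA_DOWNLOAD:
        msg.reasons.append("TP-PID 0x7F: (U)SIM data download")
    if _dcs_class(dcs) == 2:
        msg.reasons.append("TP-DCS 0x%02X: class 2 (SIM specific)" % dcs)
    for iei in ieis:
        if iei in IEI_SIM_TOOLKIT_SECURITY:
            msg.reasons.append("UDH IEI 0x%02X: (U)SIM Toolkit security header" % iei)
    return msg


def host_decision(msg: SmsDeliver) -> str:
    """What the host would tell the modem to do with the message."""
    return "hold-for-approval" if msg.sim_bound else "deliver"


# Constructed PDUs: made-up SMSC, sender, timestamp and payload.
PDU_TEXT = ("0791447785016005" "04" "0B915155214365F7" "0000"
            "91904211400080" "05" "E8329BFD06")              # "hello", GSM 7-bit
PDU_SIM_BOUND = ("0791447785016005" "44" "0B915155214365F7" "7FF6"
                 "91904211400080" "17" "027000"               # UDH with IEI 0x70
                 "00120D00000000B00010000000000000DEADBEEF")  # 23.048-style packet

if __name__ == "__main__":
    for name, pdu in (("text", PDU_TEXT), ("sim-bound", PDU_SIM_BOUND)):
        m = parse_sms_deliver(pdu)
        print(name, m.sender, host_decision(m), m.reasons)
```

The rule is deliberately wider than the 31.111 routing condition (PID 0x7F and class 2 together): a message carrying only one of the markers is unusual enough to be worth a look, and the cost of a false hold is a delayed message, not a silently executed one. What this does not solve is the trust problem post #24 already names: the check only helps if the modem really does stop and ask before passing the payload to the SIM.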


#25

Experience suggests that these things can get worse before they get better.

The first researcher reports … hey, I just found a way to do XYZ.

The second researcher, after contemplating the first researcher’s research, comments … that’s cool but it can also do ABC.

I would therefore caution against indifference.

What would be extra dangerous is if there are undocumented commands in the SIM, since the modem may pass the “code” through unvalidated.


#26

I realized all of that once the others threw in some facts on the matter :slight_smile:


#27

This is why I wanted some available GPIO lines exposed as contacts on the motherboard. Given 5 pins (power control, clock & data for the card, clock & data for the modem) plus some ground line, it would be possible to build an interposer on a flexible circuit board which routes everything through the main CPU and as such gives you complete control over what is and is not sent to the SIM card.

That is going to be almost impossible. I don’t see Qualcomm (it’s their chips which are used in both of the modem options) doing this themselves, and I really don’t see them handing out the source code, toolchain and a means to sign the new radio binaries so that the chips accept them.

Well, I’m pretty sure that neither India nor China are on the list purely due to the number given.


#28

You are probably right (whether it’s Qualcomm or the modem vendor). That option was only if they wanted to do it themselves. I did not intend to imply that Purism could or would do this but I did not make that clear.

They might want to do it themselves because they are responsible for a security flaw that one researcher pithily described in a link above as “pretty f*cking bad”, without the asterisk.

If you want your chip / modem described that way, leave the flaw in place. :slight_smile:

I thought the same but that doesn’t help me.


#29

s@tbrowser created by simalliance.org


#30

New post by Nicole Faerber


#31

Great article (and interesting to know that forum posts can influence what gets posted on the blog). It might be worth mentioning though that Verizon, Sprint, AT&T, and T-Mobile have said that they are not impacted by the exploit, at least in America, even if some of their responses weren’t very convincing.


#32

Of course, some mobile providers will claim that they blacklist certain SMS payloads used for these attacks. But I would not trust them. They could whitelist calling party numbers of authority / governmental “services”.


#33

Not necessarily: I can imagine that Nicole and/or others were on this without being prompted by us!


#34

Yes. They were pretty quick to react. See post 4.


#35

I still don’t know which 30 countries but, along with the US, Australia seems to have ruled itself out: https://www.itwire.com/security/simjacker-australians-are-safe.html

While the original topic title asks the question as to whether it affects the Librem 5, it seems to depend more on a) the SIM card, and b) the modem. It doesn’t even directly depend on the country. If your phone has a vulnerable SIM card and a complicit modem then your phone is potentially vulnerable in every country.


#36

SIMjacker, round 2:
https://ginnoslab.org/2019/09/27/stattack-vulnerability-in-st-sim-browser-can-let-attackers-globally-take-control-of-hundreds-of-millions-of-the-victim-mobile-phones-worldwide-to-make-a-phone-call-send-sms-to-any-phone-numbers/

After S@T comes WIB. To be continued…


#37

So in the “proactive command is sent to ME” scenario, is the ME here the baseband OS or the phone OS? It seems like the phone (e.g. launch browser), which then could be easily contained. Otherwise, if it is the baseband OS, it’s a nasty nuisance which may cost you money (SMS or calls to caller-paid lines) but otherwise won’t cause a significant breach of privacy in the current L5 design (baseband over USB). According to the article even “location” is mere country + network info.


#38

@Kyle_Rankin any news about this on librem5?


#39

It’s hard to say. Caliga’s post directly above you has a link to another description of the S@T attack and a video showing a proof of concept. The attacked victim phone appears to be going through the OS to perform its tasks - you can see the Android dialer and call window. Way back when, in the brief period of 30 minutes when my Samsung S5 had its stock OS, I remember it having a package called “SIM Toolkit” installed. I’m guessing that this is responsible for instructing the OS dialer to do its tasks.

That said, it’s quite possible for the baseband firmware to deal with this directly. I’d be surprised if, for some of the cases, it didn’t - from an engineering perspective, it seems very inefficient (yes, security, I know) to go all the way up to the application CPU and then all the way down when you can just handle things immediately.

Also, from a perspective with somewhat limited relevance, I remember that my old Nokia 6300 (candybar form factor GSM dumbphone) and later on a Nokia E55 (candybar form factor 3G smartphone, a beautiful device although there were never that many applications for it) actually asked me whether I wanted to allow the SIM card to send a message - this happened when I used it with a new SIM card and presumably the network wanted to autoconfigure my device. So at least some devices are immune to this attack.
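Added example, not from the thread or from any phone vendor, to make the "asked me whether I wanted to allow the SIM card to send a message" behaviour in posts #37 and #39 concrete. After the S@T applet has processed the binary SMS, the only way it can act is to queue a proactive command that the ME pulls with FETCH; the code below parses that BER-TLV (ETSI TS 102 223 / 3GPP TS 31.111) and applies the policy an old Nokia effectively had: commands that reach the network, cost money or disclose state need the user's consent, and the explicitly silent variant (a null alpha identifier, which asks the terminal not to inform the user) is refused. It assumes the host can see the raw proactive command at all; the modem has to expose it (3GPP TS 27.007 defines a +CUSATP result code for this, but whether a given modem implements it is not something this thread establishes). All command bytes are constructed.

```python
"""Host-side gate for SIM Toolkit proactive commands.  Parses the BER-TLV a
UICC returns to FETCH (ETSI TS 102 223 / 3GPP TS 31.111) and decides whether
the command may run silently, needs the user's consent, or is refused.
Constructed example: the command bytes below are synthetic."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Type-of-command values, ETSI TS 102 223 section 9.4 (subset)
CMD_NAMES = {
    0x01: "REFRESH", 0x10: "SET UP CALL", 0x11: "SEND SS", 0x12: "SEND USSD",
    0x13: "SEND SHORT MESSAGE", 0x15: "LAUNCH BROWSER", 0x21: "DISPLAY TEXT",
    0x24: "SELECT ITEM", 0x25: "SET UP MENU", 0x26: "PROVIDE LOCAL INFORMATION",
}
# Commands that reach the network, cost money or disclose state: never silent.
NEEDS_CONSENT = {0x10, 0x11, 0x12, 0x13, 0x15, 0x26}

TAG_COMMAND_DETAILS, TAG_DEVICE_IDENTITIES, TAG_ALPHA_ID = 0x01, 0x02, 0x05


def parse_tlvs(data: bytes) -> List[Tuple[int, bytes]]:
    """Simple TLVs.  The 0x80 bit on a tag is the comprehension-required
    flag, not part of the tag; a 0x81 length byte means one more length byte."""
    out, i = [], 0
    while i < len(data):
        tag, ln, i = data[i] & 0x7F, data[i + 1], i + 2
        if ln == 0x81:
            ln, i = data[i], i + 1
        out.append((tag, data[i:i + ln]))
        i += ln
    return out


def _first(tlvs: List[Tuple[int, bytes]], tag: int) -> Optional[bytes]:
    return next((v for t, v in tlvs if t == tag), None)


@dataclass
class Proactive:
    cmd_type: int
    qualifier: int
    destination: int            # device identity the command is aimed at
    alpha: Optional[bytes]      # None = absent, b"" = present but null
    tlvs: List[Tuple[int, bytes]]

    @property
    def name(self) -> str:
        return CMD_NAMES.get(self.cmd_type, "0x%02X" % self.cmd_type)


def parse_proactive(raw: bytes) -> Proactive:
    if raw[0] != 0xD0:
        raise ValueError("not a proactive UICC command (tag 0xD0)")
    i, ln = 2, raw[1]
    if ln == 0x81:
        ln, i = raw[2], 3
    tlvs = parse_tlvs(raw[i:i + ln])
    details = _first(tlvs, TAG_COMMAND_DETAILS)    # number, type, qualifier
    devices = _first(tlvs, TAG_DEVICE_IDENTITIES)  # source, destination
    if details is None or len(details) != 3 or devices is None:
        raise ValueError("command details / device identities missing")
    return Proactive(details[1], details[2], devices[1], _first(tlvs, TAG_ALPHA_ID), tlvs)


def decide(cmd: Proactive) -> str:
    """allow / ask-user / deny.  Mirrors a phone that asked 'allow the SIM to
    send a message?', and refuses the variant that asks to stay silent."""
    if cmd.cmd_type not in NEEDS_CONSENT:
        return "allow"
    if cmd.alpha == b"":
        # TS 102 223 (SEND SHORT MESSAGE, SET UP CALL): a null alpha identifier
        # tells the terminal not to inform the user.  Treat that as hostile.
        return "deny"
    return "ask-user"


def gate(hex_cmd: str) -> Tuple[str, str]:
    """(command name, decision) for one hex-encoded FETCH result."""
    cmd = parse_proactive(bytes.fromhex(hex_cmd))
    return cmd.name, decide(cmd)


# Constructed FETCH results (made-up number and text).
SILENT_SEND_SMS = ("D028" "8103011300" "82028183" "8500"          # null alpha id
                   "8607915155214365F7"                            # address
                   "8B12" "01000B915155214365F7000005E8329BFD06")  # SMS-SUBMIT "hello"
VISIBLE_SEND_SMS = ("D02C" "8103011300" "82028183" "850442616E6B"  # alpha id "Bank"
                    "8607915155214365F7"
                    "8B12" "01000B915155214365F7000005E8329BFD06")
LOCAL_INFO = "D009" "8103012600" "82028182"                        # location info
DISPLAY_TEXT = "D00E" "8103012180" "82028102" "8D03044869"         # "Hi", 8-bit

if __name__ == "__main__":
    for label, cmd in (("silent", SILENT_SEND_SMS), ("visible", VISIBLE_SEND_SMS),
                       ("location", LOCAL_INFO), ("display", DISPLAY_TEXT)):
        print(label, *gate(cmd))
```

Two caveats a practitioner would add. PROVIDE LOCAL INFORMATION is used by perfectly ordinary operator applets (roaming steering, for instance), so prompting on every one would be noisy; a real policy would more likely log and rate-limit it and prompt only for the network-facing commands. And the gate only has teeth at the point where the modem asks the host before acting, which is exactly the trust question post #39 raises: if the baseband handles SEND SHORT MESSAGE itself, nothing above it ever sees the command.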


#40

Simjacker/WIBattack – protection tools now available:
– 6% of 800 SIM cards in recent years were vulnerable to Simjacker, a 2nd vulnerability affects an additional 3.5%.
– SIMtester checks any SIM card for both vulnerabilities: https://opensource.srlabs.de/projects/simtester
– SnoopSnitch warns about binary