17/10/18 (c) 2018 sysmocom GmbH 2
Agenda
➔ Introduction
➔ Provisioning a SIM
➔ Using third party SIMs

History: SIM cards and Osmocom
➔ At the beginning: no SIMs to start with; lab setups and events used third party SIMs (still an option!)
➔ MagicSIM/SuperSIM: a Far East product that allows subscribers to put multiple accounts on one SIM
➔ sysmoSIM-GR1: sysmocom's first customizable SIM card
➔ sysmoUSIM-SJS1: sysmocom's current SIM card product, many parameters customizable and possibility to upload SIM-Toolkit applications

sysmoUSIM-SJS1
➔ State of the art Java SIM/USIM card (own applets can be installed)
➔ Available in small quantities
➔ Can be operated as standard 3G USIM card or as classic 2G SIM card
➔ User customizable: Ki, OPc, Milenage parameters, authentication algorithm etc.
➔ Documentation and open-source programming tools available
See also: http://shop.sysmocom.de/products/sysmousim-sjs1

Agenda
➔ Introduction
➔ Provisioning a SIM
➔ Using third party SIMs

Assets of a SIM
➔ Holds MCC, MNC and consecutive subscriber ID number
➔ Serial number of the card
➔ SMSC number, validity and other SMS related parameters
➔ Encryption and authentication key (proprietary)
➔ Configures which RAT uses which authentication algorithm

pySim – the Swiss army knife for SIMs
➔ Initially developed by Sylvain Munaut to program MagicSIM/SuperSIM cards
➔ Supports sysmoUSIM-SJS1 and a variety of other cards from different vendors
➔ Capable of reading provisioning data from CSV files (bulk provisioning)
➔ Limited features (only basic parameters: IMSI, KI, OPc etc.)
➔ Suitable for most situations
See also: https://osmocom.org/projects/pysim/

sysmo-usim-tool – a specialized tool
➔ Supports sysmoUSIM-SJS1 only.
➔ Allows fine tuning of certain parameters, e.g.:
– switching between classic SIM and USIM application
– fine tuning of Milenage parameters Ci/Ri, SEQ/SQN
– selection of auth algorithms for 2G and 3G
See also: https://sysmocom.de/manuals/sysmousim-manual.pdf

Minimal set of parameters
➔ There are many parameters available for fine tuning; the following parameters are the most basic ones needed to successfully provision a SIM card in an Osmocom network
➔ Network:
– MCC: 001
– MNC: 01
➔ Card:
– ADM-PIN: 05039324
– ICCID: 1122334455667788990
➔ Subscriber:
– IMSI: 001010000012345
– KI: 0123456789ABCDEF0123456789ABCDEF
– MSISDN: 12345
CAUTION! 3 authentication attempts with wrong ADM-PIN will lock the ADM access permanently!

Use pySim to program the card
➔ pySim command line:
– ./pySim-prog.py -p 0 -a 05039324 -x 001 -y 01 -i 001010000012345 -k 0123456789ABCDEF0123456789ABCDEF -s 1122334455667788990

Add user to HLR
➔ osmo-hlr VTY command lines:
– subscriber imsi 001010000012345 create
– subscriber imsi 001010000012345 update msisdn 12345
– subscriber imsi 001010000012345 update aud2g comp128v2 ki 0123456789ABCDEF0123456789ABCDEF
➔ Subscriber is now fully equipped and able to register to the network.
(Diagram labels: IMSI, MSISDN ...; Algo and KI; Algo, K, OPC, SQN ...)
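
A pre-flight check for the provisioning steps above, as an added example (not part of the original slides, pySim or osmo-hlr): it validates one record and derives both the pySim-prog.py arguments and the osmo-hlr VTY lines from it, so the card and the HLR always receive the same IMSI and KI. The field names, helper names and the 8-digit ADM-PIN format check are assumptions; the sample values are the ones from the slides.

```python
import re

# Values taken from the "Minimal set of parameters" slide.
SLIDE_RECORD = {
    "mcc": "001", "mnc": "01", "adm": "05039324",
    "iccid": "1122334455667788990", "imsi": "001010000012345",
    "ki": "0123456789ABCDEF0123456789ABCDEF", "msisdn": "12345",
}

def check_record(rec):
    """Return a list of problems; an empty list means the record is consistent."""
    problems = []
    if not re.fullmatch(r"\d{3}", rec["mcc"]) or not re.fullmatch(r"\d{2,3}", rec["mnc"]):
        problems.append("MCC must be 3 digits and MNC 2 or 3 digits")
    # Spreadsheets tend to strip leading zeros: 001010000012345 -> 1010000012345.
    if not re.fullmatch(r"\d{6,15}", rec["imsi"]) or not rec["imsi"].startswith(rec["mcc"] + rec["mnc"]):
        problems.append("IMSI must be at most 15 digits and start with MCC+MNC")
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", rec["ki"]):
        problems.append("KI must be 32 hex digits (128 bit)")
    # Assumption: ADM-PIN is 8 decimal digits, as in the slide's example.
    # A malformed PIN still burns one of the 3 attempts, so reject it here.
    if not re.fullmatch(r"\d{8}", rec["adm"]):
        problems.append("ADM-PIN must be 8 digits (leading zero lost?)")
    return problems

def pysim_argv(rec):
    """Argument vector for pySim-prog.py, using only the flags shown on the slide."""
    return ["./pySim-prog.py", "-p", "0", "-a", rec["adm"], "-x", rec["mcc"],
            "-y", rec["mnc"], "-i", rec["imsi"], "-k", rec["ki"], "-s", rec["iccid"]]

def hlr_vty(rec):
    """osmo-hlr VTY lines as shown on the 'Add user to HLR' slide."""
    imsi = rec["imsi"]
    return [f"subscriber imsi {imsi} create",
            f"subscriber imsi {imsi} update msisdn {rec['msisdn']}",
            f"subscriber imsi {imsi} update aud2g comp128v2 ki {rec['ki']}"]

if __name__ == "__main__":
    issues = check_record(SLIDE_RECORD)
    if issues:
        raise SystemExit("refusing to touch the card: " + "; ".join(issues))
    print(" ".join(pysim_argv(SLIDE_RECORD)))
    print("\n".join(hlr_vty(SLIDE_RECORD)))
```
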
Agenda
➔ Introduction
➔ Provisioning a SIM
➔ Using third party SIMs

Reasons to use third party SIMs
➔ No access to customizable SIMs
– In the early days of OpenBSC this was the usual case
– Your demand is not large enough to match the market (you need thousands of SIMs, but your vendor sells in lots of millions)
➔ SIM deployment not practical
– Temporary deployments (events, festivals)
– Small outback/offshore deployments
– Short lived subscriber contracts (e.g. for passengers on a plane or ship)

Using third party SIMs is possible
➔ Osmocom networks can be operated with any random third party SIM when certain limitations are acceptable.
➔ How to set up:
– The IMSI of a random third party SIM is provisioned into osmo-hlr together with a chosen MSISDN (key material is not provisioned as it is unknown)
– Encryption and authentication are disabled.
● osmo-bsc.cfg: network, encryption a5 0
● osmo-msc.cfg: network, encryption a5 0; network, authentication optional
➔ The network uses the IMSI as authenticator

Provisioning IMSI to the HLR
➔ osmo-hlr VTY command lines:
– subscriber imsi 262432115493703 create
– subscriber imsi 262432115493703 update msisdn 12345
➔ Subscriber is now fully equipped and able to register to the network.

Limitations
➔ Risk of interception: Calls and SMS are transmitted unencrypted and can be intercepted
➔ Risk of impersonation: Since the IMSI is the only authenticator, an attacker might find valid IMSIs through sniffing and place calls on behalf of other users (toll fraud).
➔ Manual interaction needed: Third party SIMs might be reluctant to roam into the new network. Users may have to do a manual network search and select the new network manually.

Advantages
➔ No SIM deployment needed (saves costs and deployment efforts)
➔ No roaming contracts needed
➔ Subscribers can keep their old SIM (which still might be useful elsewhere, e.g. in the next city a couple hundred miles away)
➔ Subscriber management is simple, only an IMSI/MSISDN tuple needs to be managed.

Conclusion
➔ An option under very special circumstances.
➔ The network will be vulnerable to attackers. Risks must be weighed carefully.
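
A configuration check for the two settings that the "Using third party SIMs is possible" slide relaxes, as an added example (not part of the original slides or of Osmocom): it reads the `network` node of an osmo-msc.cfg or osmo-bsc.cfg style file and reports whether authentication is not required or A5/0 is permitted. The sample configurations are constructed, and treating an unset value as a finding is an assumption of this example.

```python
import re

# Constructed sample configs; the two audited keywords are the ones on the slide.
OPEN_MSC = """\
network
 network country code 001
 mobile network code 01
 authentication optional
 encryption a5 0
msc
 assign-tmsi
"""
HARDENED_MSC = """\
network
 network country code 001
 mobile network code 01
 authentication required
 encryption a5 1 3
"""

def network_node(cfg_text):
    """Return the stripped lines inside the top-level 'network' node."""
    lines, inside = [], False
    for raw in cfg_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # skip blank lines and VTY comments
        if not raw[0].isspace():          # a top-level node starts in column 0
            inside = raw.strip() == "network"
        elif inside:
            lines.append(raw.strip())
    return lines

def audit(cfg_text):
    """List findings for the authentication and A5 settings of the network node."""
    findings, auth, a5 = [], None, None
    for line in network_node(cfg_text):
        m = re.fullmatch(r"authentication (\S+)", line)
        if m:
            auth = m.group(1)
        m = re.fullmatch(r"encryption a5((?: \d)+)", line)
        if m:
            a5 = m.group(1).split()
    if auth != "required":  # assumption: unset counts as a finding
        findings.append(f"authentication is {auth or 'not set'}: the IMSI alone identifies the subscriber")
    if a5 is None or "0" in a5:
        findings.append(f"encryption a5 {' '.join(a5) if a5 else 'not set'}: unencrypted A5/0 is permitted")
    return findings

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_MSC), ("hardened", HARDENED_MSC)):
        print(name, audit(cfg) or "no findings")
```
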