Poor Mans Sim Porting - Using USSD functionality to remotely hijack SIM cards
Jamieson O'Reilly
Dec 11, 2023
Introduction
In today's world, where interconnectivity is not just a convenience but a necessity, the security of telecommunication networks has become more crucial than ever.
This report delves into a high-risk aspect within these networks, particularly focusing on a point where long-established USSD Universal Supplementary Service Data) carrier infrastructure intersects with the advanced functionalities of modern handsets, such as those from Samsung and Apple (iOS devices).
This integration has inadvertently created a significant security risk, especially within Australian telecommunications systems and extending to global carriers. The primary concern is not rooted in new vulnerabilities but rather in the expanded potential for misuse that arises when traditional USSD and GSM Global System for Mobile Communications) technologies are combined with today’s smartphones, designed for enhanced user convenience and features.
Traditionally, USSD has been used as a straightforward protocol for GSM mobile phones to communicate with service provider computers, facilitating actions such as balance checks or service activations.
However, in the context of modern smartphones, this protocol unexpectedly opens avenues for potential security threats. The technological landscape has evolved considerably from a decade ago when limitations naturally restricted the scale of potential exploits.
Now, features like seamless SMS integration across various platforms, including MacBook-to-iPhone or Microsoft’s Phone Link, have significantly increased the risk and impact of mobile-based threats.
The focus of this report is to shed light on the high-risk configuration of telecommunications systems, specifically examining the misuse of tel://
links in SMS messages. Remote attackers can exploit these links to initiate unauthorised call forwarding with minimal user interaction.
Additionally, the report will assess the effectiveness of the current regulatory framework in addressing these risks and propose measures for mitigation.
By providing a comprehensive analysis of these high-risk configurations and their potential impacts both in Australia and globally, the report aims to outline essential steps for enhancing telecommunications security in an era marked by rapidly evolving technological risks.
Important Note: It is important to note that while USSD codes have been historically used in cyber-attacks, this report brings attention to a new, highly exploitable vector. Highlighting the need for proactive measures, it aims to address these emerging challenges in telecommunications security before they are exploited.
TDLR: Videos
Poor Man's SIM porting demo - Call Forwarding
Poor Man's SIM porting demo - Intercepting Phone-based 2FA Codes
Background and Key Concepts
This section offers a concise yet comprehensive overview of the key terminologies and technologies pertinent to this report, providing a foundational understanding of the technical landscape under discussion.
Universal Supplementary Service Data USSD
USSD is a communication protocol used by mobile phones to interact with their service provider's infrastructure. It enables actions like WAP browsing, prepaid callback service, mobile money services, and location-based content services.
Below is a simplified diagram of the USSD architecture.
Man-Machine Interface MMI
MMI codes, a subset of USSD, are typically entered through a phone's dialer to access network service information or to modify phone settings. Initially designed for straightforward input on basic mobile handsets, MMI codes have taken on new dimensions and implications with the advent of touch-enabled, smart devices, altering the way users interact with their phones' network services.
Global System for Mobile Communications GSM
Introduced in 1991, GSM was the standard-bearer for 2G cellular networks and has played a foundational role in shaping modern mobile communication. As technology has progressed, the integration of GSM with newer smartphone technologies has revealed vulnerabilities that were not apparent or relevant in its initial design and application.
Touch-Type Conversion
This feature represents the evolution of mobile phone interfaces, allowing smartphones to convert alphabetic inputs into their numerical equivalents. While enhancing user-friendliness, this capability inadvertently broadens the scope for the misuse of USSD and MMI codes, diverging significantly from the manual input methods of traditional phones and introducing new risks.
tel:// URL Handlers
The integration of tel:// URL handlers in smartphones, which facilitate direct call initiation from web links, QR codes, or other digital mediums, exemplifies the high-risk configuration arising from the blend of old and new technologies. This feature, while enhancing user experience, also creates potential security loopholes when interacting with USSD or MMI codes.
The intersection of these legacy and modern technologies presents unique risks. The blend of established GSM/USSD services with the capabilities of current smartphones leads to a high-risk configuration where potentially harmful commands can be executed with simple actions like clicking a link or scanning a QR code.
Such scenarios were hardly conceivable in the era of older technology but have become a real concern in today's digital landscape. This background sets the stage for understanding the intricacies and potential risks discussed in the subsequent sections of the report.
Regulatory Landscape
Australia
In Australia, the regulation of telecommunications services, including customer identity authentication, falls under the purview of the Australian Communications and Media Authority ACMA.
The Telecommunications Service Provider Customer Identity Authentication) Determination 2022, a critical regulatory document, mandates robust multi-factor authentication MFA processes for all high-risk transactions.
This is crucial in ensuring that the person requesting a transaction is the customer or their authorised representative.
A critical aspect of this framework, as stated in the legislation, involves the authentication processes in retail environments and scenarios involving direct contact with the customer through their listed phone number. The legislation outlines:
Part 2—Identity Authentication Requirements 9.(3)(a)(a): The carriage service provider for the telecommunications service must use at least one of the following identity authentication processes to confirm that the requesting person is the customer, or is the customer’s authorised representative, for that service:
(a) subject to subsection (4), confirming the requesting person has direct and immediate access to the telecommunications service; or Examples: (a) for a public mobile telecommunications service in a retail environment – personnel representing the carriage service provider call the mobile service number listed on the customer’s account while in store and verify that the call has been received by the customer’s mobile device used in association with that number while the customer is instore.
This aspect of the legislation reflects a common practice in customer service environments, particularly in telecommunications, where calling the customer's listed phone number is seen as a reliable method of confirming identity. However, this practice can be compromised:
Exploitation through Call Forwarding
If an attacker has tricked a victim into executing a call forwarding USSD command, perhaps by deceiving the customer into clicking a tel:// link in an SMS, incoming calls to the customer's number would be redirected to the attacker.
Consequently, when the carrier calls the public number for authentication, they might inadvertently confirm the identity of the attacker instead of the legitimate customer.
This scenario could lead to the attacker successfully passing the carrier's identity checks, enabling full control over the victim's telecommunications service account.
The ACMA's framework, while comprehensive, requires adaptation to address such evolving threats. The flexibility granted to carriers to identify additional high-risk transactions beyond the listed ones is crucial.
It suggests that carriers have the responsibility and authority to classify scenarios like unauthorised call forwarding via USSD commands as high-risk, given the potential for misuse.
In addition to the Australian context, it's important to consider international regulatory landscapes, such as in the United Kingdom, where the approach to telecommunications security also holds significant relevance.
United Kingdom
In the UK, the Telecommunications Security Code of Practice sets forth regulations that telecom service providers must adhere to. This includes:
Regulation 4.(6)(a) service provider must— (a) monitor and reduce the risks of security compromises relating to customers’ SIM cards occurring in relation to the public electronic communications network by means of which the public electronic communications service is provided, and
This regulation, while not specifically mentioning USSD functions like call forwarding or barring, emphasises the importance of monitoring and mitigating risks associated with SIM cards and network equipment.
The broader implication of this mandate could be interpreted to extend to features like call forwarding. With that, the lack of a requirement for a PIN for call forwarding USSD operations, despite its presence for other functions like call barring, might be viewed as an oversight in the context of these security measures.
Additionally, the UK regulation underscores the necessity for service providers to actively engage in risk reduction across all aspects of SIM card and network functionalities. This approach logically includes enhanced security measures for USSD functions like call forwarding, especially considering their potential exploitation for unauthorised activities.
The UK's approach, much like the Australian framework, suggests a need for ongoing vigilance and adaptation in regulatory practices to address emerging technological threats effectively.
The principle of minimising security risks in telecommunications services, as advocated in the UK regulation, aligns with the need for comprehensive measures to safeguard against vulnerabilities in modern telecommunication technologies.
Examining both the Australian and UK regulatory landscapes reveals a common theme: the need for dynamic, responsive regulation that keeps pace with technological advancements and evolving security threats.
This report advocates for such an approach, encouraging regulatory bodies and telecommunications providers across different jurisdictions to collaborate and innovate in their strategies to ensure robust customer protection in the face of rapidly changing digital threats.
In many telecommunications systems, stringent security protocols are in place for call barring functions, which often require additional authentication like a PIN. This is because call barring can significantly impact a user's ability to communicate by blocking incoming or outgoing calls.
Surprisingly, call forwarding, which similarly affects communication by redirecting incoming calls to a different number, frequently lacks these robust authentication measures, highlighting an inconsistency in security practices within the current regulatory framework.
Impact Analysis
This section provides a nuanced analysis of a significant attack vector within telecommunications networks, particularly focusing on the exploitation of tel:// links in SMS messages for unauthorised call forwarding. This risk stems from the convergence of historic USSD/GSM technologies with modern smartphone functionalities, a combination that has opened new avenues for potential security breaches.
Context and Scope of the Issue
As of early 2023, with over 32.71 million cellular mobile connections in Australia, representing a 124.3 percent penetration rate, the scale of this attack vector's potential impact is substantial.
The absence of mandatory PIN requirements for call forwarding USSD operations by major carriers further amplifies this risk, leaving a significant user base exposed to potential exploitation.
Methods of Exploitation and Outcomes
BypassingTwo-FactorAuthentication2FA
Attackers can send SMS or emails containing a tel:// link with an embedded USSD command for call diversion. When unsuspecting users click on this link, their calls, including those delivering 2FA codes, are redirected to the attacker, thereby bypassing security measures and allowing unauthorised access to sensitive information.
Call Interception
This involves sending malicious SMS messages to redirect a victim's incoming calls to the attacker's number, enabling them to intercept private and confidential communications.
NFC Exploitation in Public Spaces
Attackers can leverage Near Field Communication NFC technology, widely used for conveniences like tap-on/tap-off services in public transport and coffee shops. By placing malicious NFC tags in public locations, attackers can embed tel:// links that activate call forwarding when unsuspecting victims tap their phones against these tags and click the presented call prompt.
Phishing Pages with Embedded tel:// Links
Attackers can create sophisticated phishing web pages that mimic legitimate telecom carrier sites. These pages can contain tel:// links disguised as customer service or support links. When a victim visits such a phishing page and clicks on these deceptive links, thinking they are contacting their carrier, they inadvertently initiate a call forwarding USSD command.
This method can be particularly effective as it combines the trustworthiness of a seemingly legitimate website with the simplicity of executing the USSD command through a single click. Such tactics elevate the potential of phishing attacks by not only stealing credentials but also compromising the victim's phone communication as seen below.
Comparative Analysis
Unlike traditional attacks that target system vulnerabilities, this approach misuses legitimate telecommunication features in an unsophisticated and less conspicuous manner.
This evolution represents a shift from manual USSD code entry to automated exploitation, significantly enhancing the potential for widespread and undetected attacks.
In understanding the current risk, it's insightful to compare with past instances of similar cyber threats and observe the evolution in attack methodologies.
Such a comparison not only contextualises the current risk but also highlights the adaptive nature of cyber threats:
Rise of SIM Porting/Swapping Attacks
The issue we're examining parallels the increasing trend of SIM porting or swapping attacks. In these instances, attackers transfer a victim's phone number to a SIM card they control, enabling call and message interception.
The unauthorised call forwarding via tel:// links, while being more straightforward, poses a similar threat level, offering attackers an easier route to a similar goal.
WhatsApp Account Hijacking
Historically, as seen in cases like those reported by BleepingComputer, attackers hijacked WhatsApp accounts by convincing victims to manually dial MMI codes that triggered call forwarding to the attacker's phone. This enabled them to receive OTPs and take control of the accounts.
The current threat method marks an evolution from this approach, removing the need for attackers to manually talk to each victim and allowing the attackers to automate the execution of USSD commands through tel:// links.
Impact Assessment
A key aspect of understanding the impact of unauthorised call forwarding is recognising the range of services that rely on phone-based MFA, particularly voice calls.
This method, commonly used as a security measure, can be compromised if an attacker gains control over the victim's phone calls.
Here is a list of notable services that support voice call MFA, highlighting the potential breadth of the security threat:
Okta: Offers Voice Call Authentication as anMFA factor, supporting both mobile phones and landlines. Okta Voice Call Authentication
2. Google: Provides an option for voice call-based verification in its suite of services. Google Voice Call Verification
3. Microsoft: Includes voice call verification in its security features. Microsoft Voice Call MFA
4. Apple: Supports voice call authentication in its developer support for authentication. Apple Developer Authentication Support
5. Duo: Provides an MFA option via voice calls for various phone types. Duo MFA with Voice Calls
6. Auth0: Allows configuration of voice notifications for MFA. Auth0 SMS and Voice Notifications for MFA
7. Signal: Supports SMS and Voice-based 2FA. Registration troubleshooting
Recommendations for Regulatory and Industry Response
To effectively mitigate the risks associated with call forwarding USSD codes in telecommunications, a coordinated response from both regulatory bodies and industry players is essential.
This section offers targeted recommendations that aim to strengthen the overall security framework and address the specific vulnerabilities identified in this context.
For Carriers
Carriers play a pivotal role in securing telecommunications infrastructure. They must not only implement immediate technical safeguards but also ensure these measures align with evolving legislative requirements and contribute to overall industry security standards.
1. Implementing Robust Authentication Protocols
Carriers should enhance the security around call forwarding services. This involves instituting multi-factor authentication MFA in line with current legislative requirements for high-risk transactions. Carriers should ensure these measures are compliant with laws like the Telecommunications Service Provider Customer Identity Authentication) Determination 2022 in Australia, which mandates robust customer identity authentication.
2. Advanced SMS Filtering and Regulatory Compliance
Carriers should introduce sophisticated SMS filtering to intercept potential USSD command abuses. This action must be in accordance with privacy and telecommunication laws, ensuring that customers' communication privacy is respected while protecting them from unauthorised service manipulation.
3. Alert Systems for Transparency and Compliance
Carriers should establish immediate alert protocols to inform users of any changes in their call forwarding settings. These alerts should be designed in a way that aligns with the regulatory requirements for customer communication and consent.
4. Proactive Network Monitoring with Legal Frameworks in Mind
Carriers should enhance monitoring of network activities, particularly focusing on unusual call forwarding patterns. This step should be taken considering the legal obligations to protect user data and service integrity.
5. Rapid Response Mechanisms within Legal Boundaries
Carriers should develop swift and effective protocols to respond to unauthorised call forwarding incidents, ensuring these procedures are in line with the regulatory requirements for customer service and data protection.
In the long-term, carriers must not only focus on technological advancements but also align their strategies with evolving legislative frameworks, ensuring that their actions are both effective in enhancing security and compliant with regulatory standards.
1. Regular Policy Review and Adaptation
Carriers should continuously review and adapt their internal policies to align with the latest telecommunications regulations. This includes staying informed about both global and national legislative changes that impact customer security and privacy.
2. Active Participation in Legislative Discussions
It's crucial for carriers to actively engage in shaping the policies that govern their industry. This means participating in discussions, consultations, and forums related to telecommunications legislation, ensuring that their expertise and practical experience inform policy development.
3. Ongoing Legal Training for Staff
Regular training for staff, especially those in customer-facing roles, is essential to stay updated on the latest legal requirements and compliance procedures. This training should encompass aspects of customer privacy, data protection, and transaction security, ensuring that all personnel are aware of their responsibilities under the law.
These long-term strategies are key to ensuring that carriers not only address current security challenges but also remain prepared and compliant as the legislative landscape and technological environment continue to evolve.
For Policymakers
Policymakers are tasked with creating and updating laws that safeguard telecommunications services against emerging threats. Their role is crucial in establishing a regulatory environment that supports technological advancements while ensuring robust user protection.
1. Re-evaluating Current Regulations
Policymakers should assess existing telecommunications legislation to address areas where new technologies, like USSD code integration, introduce novel threats.
2. Legislation Addressing Technological Evolution
Policymakers should amend laws to specifically address security features like call forwarding, categorising them as high-risk transactions requiring stringent authentication.
3. Fostering Industry Collaboration
Policymakers should facilitate a collaborative environment for telecom carriers, cybersecurity experts, and legislators to jointly address emerging threats.
4. Public Awareness Campaigns
Policymakers should utilise public awareness initiatives to educate consumers about telecommunications security risks, including the potential misuse of call forwarding, in collaboration with carriers and consumer protection agencies.
Conclusion
This report has brought to the forefront a critical security concern within the telecommunications sector: the potential misuse of tel:// links in SMS messages for unauthorised call forwarding.
This issue calls for swift and concerted action from telecommunication companies, regulatory bodies, and cybersecurity experts.
Key Findings
The vulnerability's potential for widespread impact, given the high penetration of mobile connections globally.
The evolution of cyber threats, as demonstrated by the shift from manual to automated methods of exploitation.
The need for enhanced security measures and more dynamic regulatory frameworks to address these evolving threats effectively.
The full report can be downloaded here.