What is SIM swap?

Over the past couple of years, there has been a lot of awareness raising in the press about the issue of ‘SIM swap’. David Rogers explores the problem.

Customer chips: subscriber identity modules (SIMs) for use in mobile devices. Image credit – James Tyrrell

An unauthorised individual gets a victim’s SIM reassigned to them in order to gain access to the victim’s mobile phone account. In the past this would have been practiced by fraudsters who might want to run up calls against the victim’s account, perhaps in a more organised fashion combined with other types of fraud and criminality.

New incentive

Steadily this began to change. In sub-Saharan Africa, SIM swaps started to occur against users of mobile money services; a new incentive to make money using this method. There was a rise in password compromises in online accounts, led by large-scale data breaches, leading to credential stuffing — the automated injection of breached username/password pairs — based on the leaked information as well as weak implementations of access control. This meant that there was an increasing need to have ‘out-of-band’ methods of validating users that would be acceptable as a ‘second factor’ to passwords, increasing security. The most common and straightforward to implement solution to this was to use the mobile phone and SMS – it was the thing that most people carry and there was commonality in the means by which users could receive the message, almost instantaneously. The user could then, with relative ease, get access to their account. The company providing the service – be it a bank or social media app, could also have reasonable confidence that the user was genuine, raising the bar significantly against attacks on users, their passwords and individual transactions protected by the second factor.

Targeting two-factor authentication

Nothing in security remains static and it should be no surprise to anyone that criminals looked to target the two-factor authentication (2FA) mechanisms being used to protect accounts. The first serious attempt on SMS-based 2FA was against banks in Europe that used mTANs (codes for banking transactions) in late 2010 as part of the ZeuS banking trojan. The attack was relatively sophisticated and used a combination of social engineering and already compromised desktop machines to manipulate users into installing malware on Android devices which would intercept the SMSs and divert them to criminals. The attackers struggled with some of the security controls on the handsets, such as digital signing and the attack was not wholly successful, however it clearly demonstrated their intent.

By the late 2000s and following the Edward Snowden revelations, attackers were beginning to look at the network side. The legacy Signalling System No.7 network (SS7), originally designed in the 1970s, was an integral part of how mobile phones communicate to each other on both 2G and 3G networks. As networks became more open to the internet and the knowledge of how SS7 worked became more widely known, fraudsters and other criminals began to take advantage. Simply ripping out legacy networks is not an option in the mobile world, given the huge scale and reliance on mobile telephony services. Mobile network operators worked together with the security research community to build in monitoring and filtering mechanisms, together with signalling firewalls in order to prevent, detect and deter this vector.

Engineering account takeovers

Finally, social engineering of call centres has been a problem. This is an issue for all organisations that are required to service users directly. Indeed this form of “account takeover” is seen in many different sectors. With the prevalence of information available on the internet for most people, building up a legitimate picture of a user can be done with relative ease or with some initial social engineering against the user themselves. Whilst network operators need to ensure their call centre staff are trained to detect social engineering attempts, this is a tall order given that the whole aim of the social engineer is to convince the person at the other end of the phone that they’re legitimate. Phasing out legacy methods of authentication such as usage of secret information like mother’s maiden name and usage of user-selected passwords that need to be spoken is just part of the solution. Some network operators are now providing APIs (technical interfaces) for services such as banks to be able to connect to in order to establish whether a SIM swap has occurred recently.

This is the real heart of the issue for SIM swap – the target is now not really the network operator’s services, it is something else entirely. It’s a service that uses 2FA SMSs for which the only mechanism to compromise is to arrange for the SIM to be swapped. And there are lots of them – banks, messaging applications, social media apps, email accounts, bitcoin wallets – the list is ever-increasing. An increasing number of people are seeing ‘whole life takeovers’ – starting with a SIM swap, the user’s email account is compromised, followed by a succession of accounts for everything they interact with, from airlines to ride-sharing to shops leaving the user without money or even the ability to communicate. This is often a method of punishing someone or ‘taking them out’, a risk for people in the public domain such as journalists.

Rising rewards

The value of success is increasing too. In some cases millions of dollars of bitcoins have been swiped from wallets because the SIM was swapped. The motivation is high and the cost of attack is relatively low, but the gains are potentially life-changing for attackers. Recent attacks have seen technical attempts combined with social engineering to install remote desktop access so that criminals can initiate the SIM swaps themselves. Mobile network operators around the world need to ensure they’re on top of all aspects of the problem, implementing best practice and doing as much as they can to raise the bar of defence against such attacks. There is no boundary between human, telecoms and cyber security – it is all one big attack surface now.

Further reading

About the author

David Rogers is the founder and CEO of Copper Horse.

The Quandaries of Headless IoT Device Provisioning

 

Copper Horse’s Mobile Security Intern, April Baracho discusses challenges and methods of setting up secure and usable associations for IoT devices that have no visible user interface.

IoT

 

We are living in a world that is getting to be increasingly interconnected, an environment best described as the ‘Internet of Things’. Central to the existence and proliferation of the IoT is the automation of mundane tasks. This in turn depends on the ability of devices to communicate with each other with minimal human interaction. In order to achieve this, any device joining the network needs to be enrolled onto it. Enrolment of an IoT device is its initiation into the grid of interconnected devices. This is achieved by the secure exchange of credentials between the device and the network.

 

Connecting devices such as a laptop or a smartphone to a network is something most of us do on a regular basis. (often gullibly without batting an eyelid!) Provisioning IoT devices, on the other hand, is a whole other ball game. The main challenge is that most IoT devices are equipped with either a rudimentary user interface or in some cases no UI at all. While the secure bootstrapping of devices such as these is challenging, there are several ways in which this can be achieved.

 

A review of the big players in the IoT space demonstrates that most headless devices in the market today use a laptop or a palm-held device as an extended user interface allowing for effective monitoring and management of the IoT device. A thermostat with only a display could  flash a string the first time it is powered on, allowing a user to key in that string into the application. Similarly, a device with a series of LEDs could blink a ‘key’ that could be entered into the smartphone app, linking the device and smartphone app together in a verified association.

 

Out of band provisioning methods such as NFC and Bluetooth are also common place. A headless device such as the FitBit fitness tracker uses Bluetooth Low Energy (BLE) to enrol with the smartphone application and thereafter the rest of the home Wi-Fi network. Updates to the WI-Fi Alliance certification program enables two Wi-Fi devices with NFC tags to connect to each other and the local Wi-Fi network by tapping them together.

 

Other methods used to connect headless IoT devices to a Wi-Fi network include the PIN method and Push-Button Connect (PBC) method for Wi-Fi Protected Setup (WPS) enabled devices and access points. An obvious setback of the PIN method in this scenario is that both the access point and the headless device do not have a keypad for the PIN to be entered. While the PBC method seems to be just a bit more effective in provisioning headless devices, it suffers from security issues such as a two minute window that allows any WPS enabled device to join the network once the button on the access point (hub) is pushed. Further security flaws in the WPS design such as a vulnerability of the PIN method to brute force attacks have since been found.

 

PKI for the Internet of Things

Enrolment of an IoT device, although a task in itself, only connects a device to the local network. It does not provide for the secure mutual verification of device identity. The setup of secure associations between devices is typically achieved by certificate exchange carried out via key agreement protocols. While it should be relatively straight-forward to use a PKI framework for certificate exchange, there are some issues relating to scalability and device capability when it comes to considering the use of PKI in the IoT space.

 

The sheer number of IoT devices that are connected to the internet everyday means that the scaled use of PKI in facilitating mutual authentication is debatable. Furthermore, IoT devices are typically resource constrained and do not possess computationally intensive processing capabilities. The storage of certificates and the processing capabilities associated with encryption and the setting up of handshakes to establish secure communications all require capabilities far beyond a typical resource constrained device in the internet of things. Add to this the issue of scaled secure credential generation for the IoT and it is clear that a lot needs to be done to make the use of a PKI framework in the IoT a possibility and a reality.

 

Copper Horse Mobile Security Dinner – Mobile World Congress 2014

Another year and we’re back again. This year’s Copper Horse security dinner will take place as usual at a secret location in Barcelona on the 23rd of February. With some of the world’s leading minds in mobile security present, it’s the hottest ticket for Sunday night. Contact us if you’d like to attend, there’s a limited number of places. As always, we split the bill at the end.

 

london
This is far too early for the dinner and in the wrong location…

Mobile Security: A Guide for Users

Earlier this year, we promised to release the full version of our work which led to our Mobile Security Leaflet. We’re pleased to say that this is now available as a short book, “Mobile Security: A Guide for Users” from this site. We hope that you find it useful. It should be interesting for everyone from veterans of the mobile industry through to the people it’s really designed for, everyday users. The guidance on lost and stolen devices, threats and attacks and how to keep yourself safe should be applicable to everyone who owns a mobile phone. Happy reading!

Man with phone in street 600x580 size