Week 4 - SIM / UICC Flashcards

1
Q

What is a SIM and UICC?

A

The most general term for a smart card (a microcontroller-based access module), not only one used for mobile communications, is Integrated Circuit Card (ICC).

Subscriber Identity Module (SIM) is the ICC defined for 2G GSM networks; the term covers both the physical card and the logical application on it.

Universal Integrated Circuit Card (UICC) is the physical card used by UMTS, LTE and 5G networks.

Universal Subscriber Identity Module (USIM) is the logical application defined for UMTS, LTE and 5G networks.
Several USIM applications can be installed on one UICC.

2
Q

There are 3 types of ICC in mobile devices. What is the role of all 3?

A

All three types of ICC in mobile devices are designed to:

  • Identify and authenticate the user
  • Set up encryption on the network
  • Provide secure storage for user and network data (a limited amount on the UICC, which is portable between devices)
3
Q

List the three main types of ICC in mobile devices

A
  1. GSM Subscriber Identity Module (SIM)
    - Hosts a single SIM application
    - Provides a GSM service for GSM devices
    - Provides GSM service only, even if inserted in a 3G, 4G or 5G device
  2. Single-application card (USIM) on a UICC
    - Hosts a single USIM application
    - Provides a 2G / 3G / 4G / 5G service in a compatible device
    - A USIM-only card provides no service in a GSM-only device, so one should not be found in a GSM device
  3. Multi-application card (one UICC hosting SIM, USIM, CSIM etc.)
    - Hosts multiple applications on one card
    - Provides a GSM service if installed in a GSM device (via the SIM application)
    - Provides CDMA / 3G / 4G / 5G service if installed in a compatible device
4
Q

Additional types of ICC in mobile devices

A

R-UIM - Removable User Identity Module.

An ICC defined for CDMA (3GPP2) networks. It is specified as a superset of the GSM SIM, so the same card can also be used on a GSM network.

In UICC terms, an R-UIM card carries a SIM application and a CSIM application.

A CDMA Subscriber Identity Module (CSIM) is the application that allows a subscriber to operate on a CDMA network.

5
Q

SIM card types - size and capacity

A

First Form Factor (1FF) was the size of a credit card

Second Form Factor (2FF) - plug-in SIM

Third Form Factor (3FF) - Micro SIM

Fourth Form Factor (4FF) - Nano SIM

Backward compatible - the same contact layout and contact area is used by all of them; only the surrounding plastic shrinks.

Machine-to-Machine Form Factor (MFF2), also called embedded SIM (eSIM) or embedded UICC (eUICC) - soldered in permanently, e.g. in vehicles and Kindle e-readers. Can contain multiple profiles but only one can be active at a time. Supports remote management.

6
Q

SIM Components

A

A SIM is a miniature computer: working memory (RAM), operating software in ROM, a data storage area (EEPROM, minimum 16 KB, modern cards up to 128 KB or more - still very small compared with handset storage), a microprocessor and a serial input/output interface (see the diagram of SIM components).

(EEPROM, electrically erasable programmable read-only memory, is non-volatile: it retains its data when the power supply is switched off. This is where the file system described later lives.)

The SIM has a defined set of 8 contacts (C1 to C8 in ISO/IEC 7816-2 numbering):
C1 is the supply voltage (Vcc), C2 is reset, C3 is the clock, C5 is ground, C6 was the programming voltage (Vpp, now unused or reassigned to SWP on NFC-capable cards) and C7 is the serial data input/output line. C4 and C8 are reserved (used for USB on newer cards). Modern cards can operate at 5 V, 3 V and 1.8 V DC (ISO/IEC 7816 classes A, B and C).

7
Q

‘under the hood’ of SIMs

A

The silicon die is bonded to the back of the metal contact plate with adhesive.

The connection between the die and the metal contacts is made with ultra-fine bond wires.

The die and bond wires are encapsulated in resin, and the whole module is bonded into the plastic card body.

If a card is deliberately damaged (bent, cut, snapped) it is usually the bond wires that break, not the die. This can be overcome by decapsulating the chip and probing the bond pads on the die directly.

8
Q

Describe the SIM file structure

A

The SIM file structure is a hierarchical file tree.

3 types of file

  1. Master File (MF)
    The mandatory root of the tree. It holds access conditions and contains the DFs and EFs (i.e. every other file sits somewhere under the MF).
  2. Dedicated File (DF)
    Sits underneath the MF in the structure. Holds access conditions and can contain other DFs and EFs (like sub-folders). Remember the distinction between first-level and second-level DFs (see PowerPoint p.10).
  3. Elementary File (EF)
    Usually sits underneath a DF and holds access conditions plus data in a defined format, but there are exceptions: some EFs sit directly under the MF. Some EFs are mandatory, some are optional. EFs are the only files that hold user / network data.
9
Q

What are FIRST Level DEDICATED files?

A

First level Dedicated files are dedicated files that sit directly under the MASTER file.

10
Q

Give an example of 2 FIRST level DEDICATED files

A

DF_TELECOM and DF_GSM

DF_TELECOM contains service-related information (phonebook, SMS etc.). Its 2-byte identifier is 0x7F10.

DF_GSM contains network-related information (IMSI, Kc, location information etc.). Its 2-byte identifier is 0x7F20.

11
Q

What are SECOND level DEDICATED files?

A

Second-level dedicated files are dedicated files that sit inside other dedicated files (a DF within a first-level DF).

12
Q

Give 4 examples of SECOND level DEDICATED files

A

DF_IRIDIUM
DF_GLOBALSTAR
DF_ICO
DF_SoLSA (Support of Localised Service Area)

All four sit under DF_GSM.

13
Q

Where do ELEMENTARY files sit?

A

Some sit directly in the master file, most sit in dedicated files

14
Q

Give 2 examples of ELEMENTARY files that sit directly under the MASTER file

A

EF_ICCID (a mandatory EF). 2-byte identifier 0x2FE2.

EF_PL, preferred language (an optional EF). 2-byte identifier 0x2F05.

15
Q

SIM File structure - First Byte Values

A

In GSM the first byte of the 2-byte file identifier tells you the type of file and where it sits in the tree:

3F = first byte identifier for the Master File

7F = First Level Dedicated File

5F = Second Level Dedicated File

2F = Elementary File under the Master File

6F = Elementary File under First Level Dedicated File

4F = Elementary File under Second Level Dedicated File

16
Q

What is the first byte identifer for the master file?

A

3F

The full 2-byte file identifier is 0x3F00.

17
Q

MF, DF & EF Identifiers

A

A selection of 2-byte identifiers for the MF and for individual DFs and EFs:

MF (0x3F00)

DF_TELECOM (0x7F10) - EF_ADN (0x6F3A), EF_FDN (0x6F3B), EF_MSISDN (0x6F40), EF_SMS (0x6F3C)

DF_GSM (0x7F20) - EF_IMSI (0x6F07), EF_Kc (0x6F20), EF_LOCI (0x6F7E), EF_FPLMN (0x6F7B)

EF_ICCID (0x2FE2) - directly under the MF

EF_PL, previously EF_ELP (0x2F05) - directly under the MF

Second-level DFs under DF_GSM: DF_IRIDIUM (0x5F30), DF_GLOBALSTAR (0x5F31), DF_PCS1900 (0x5F40)

18
Q

What is the first byte identifer for the First level dedicated file?

A

7F

19
Q

What are the 5 types of SIM File Access Control?

A

Security mechanisms on a SIM: each EF (and DF) is assigned access conditions, and a separate condition can apply to each operation (READ, UPDATE, INVALIDATE, REHABILITATE).
There are 5 different access conditions:

  • ALWAYS
  • Card Holder Verification 1 (CHV1)
  • Card Holder Verification 2 (CHV2)
  • ADMINISTRATIVE (ADM)
  • NEVER
20
Q

What is the first byte identifier for the Second layer dedicated files?

A

5F

21
Q

SIM Access Control - What does ALWAYS mean?

A

ALWAYS
Always accessible: no verification is required. EF_ICCID has READ = ALWAYS (this is why the ICCID can always be extracted during an examination, even from a PIN-locked card).

22
Q

What is the first byte identifier for the elementary files that sit directly under the master file?

A

2F

23
Q

SIM Access Control - What does CHV 1 and 2 mean?

A
  • CARD HOLDER VERIFICATION 1 (CHV1), PIN1.
    A DF or EF with access condition CHV1 can only be accessed after CHV1 (PIN1) has been verified successfully in the current session, or if CHV1 has been disabled, or if the unblock CHV1 (PUK1) has been used successfully during the connection session.
  • CARD HOLDER VERIFICATION 2 (CHV2), PIN2.
    Access to the EF is only possible if CHV2 (PIN2) has been disabled or verified correctly. Alternatively the unblock CHV2 (PUK2) may have been used during the connection session.
24
Q

What is the first byte identifier for elementary files that sit in dedicated files?

A

6F

25
Q

SIM Access Control - what does ADMINISTRATIVE mean?

A
  • ADMINISTRATIVE (ADM). If set on an EF, access can only occur once the requirements prescribed by the administrative authority (the card issuer / operator) have been met; the user's PINs do not satisfy it.
26
Q

SIM Access Control - what does NEVER mean?

A
  • NEVER. Access to the file via the SIM interface is forbidden / denied (for example, the authentication key Ki can never be read out over the interface).
27
Q

Elementary File (EF) Structures - 4 different variations

A

4 different types of EF in relation to how data records are used:

TRANSPARENT

LINEAR FIXED

LINEAR VARIABLE

CYCLICAL

28
Q

Describe the TRANSPARENT Elementary File Structure

A
  • TRANSPARENT.
    Stores data as a single string of bytes.
    When data is read or updated it is referenced by an offset (a relative address giving the start position in bytes) and the number of bytes to be read or written (READ BINARY / UPDATE BINARY).
    The first byte has relative address 0000.
    The file consists of a header and a body holding the sequence of bytes.
29
Q

Describe the LINEAR FIXED Elementary File Structure and the LINEAR VARIABLE Elementary File Structure.

A
  • LINEAR FIXED
    Contains a series of records of equal, fixed length.
    The first record is stored as record number 1.
    The header stores the record length and the file size (record length multiplied by the number of records), which is how a tool works out how many records to read (READ RECORD / UPDATE RECORD).
  • LINEAR VARIABLE
    Similar to LINEAR FIXED, the only difference being that the record length can vary.
30
Q

Describe the CYCLICAL Elementary File Structure

A
  • CYCLIC is similar to the LINEAR FIXED structure in that the records are of a fixed length.
    All of the fixed-length records are stored in a ring sequence.
    When the cyclic elementary file is full it operates on a FIFO (first in, first out) basis: if a new record is received to be written, the oldest record is overwritten to make space for the new one.
    Record 1 always refers to the most recently updated record, so the last updated data is stored on record 1 (EF_LND, last numbers dialled, is a cyclic file).
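As an added example (not part of the original flashcards), the following Python ties together the file-identifier first-byte rules, the access conditions and the EF structures from the cards above: it builds the GSM SELECT APDUs needed to walk from the MF down to an EF, classifies a file by the first byte of its identifier, and decodes the response a GSM SIM returns after selecting an EF (TS 51.011 section 9.2.1) into access conditions, structure and record count. The parent table covers only the identifiers quoted in these cards, and the three sample responses are constructed for illustration rather than captured from a real card; actually sending the APDUs (e.g. through pyscard) is left out so the block runs offline.

```python
"""GSM SIM file tree: SELECT APDUs, file-ID classification and the SELECT
response for an EF (TS 51.011 section 9.2.1, GSM 11.11 style cards)."""
from __future__ import annotations

MF = 0x3F00

# Parent directory of each file ID quoted in the cards (from the TS 51.011 file tree).
PARENT = {
    0x7F10: MF, 0x7F20: MF,                                           # DF_TELECOM, DF_GSM
    0x2FE2: MF, 0x2F05: MF,                                           # EF_ICCID, EF_PL
    0x6F3A: 0x7F10, 0x6F3B: 0x7F10, 0x6F3C: 0x7F10, 0x6F40: 0x7F10,   # EF_ADN, EF_FDN, EF_SMS, EF_MSISDN
    0x6F07: 0x7F20, 0x6F20: 0x7F20, 0x6F7E: 0x7F20, 0x6F7B: 0x7F20,   # EF_IMSI, EF_Kc, EF_LOCI, EF_FPLMN
    0x5F30: 0x7F20, 0x5F31: 0x7F20, 0x5F40: 0x7F20,                   # DF_IRIDIUM, DF_GLOBALSTAR, DF_PCS1900
}

LEVEL = {0x3F: "MF", 0x7F: "DF (level 1)", 0x5F: "DF (level 2)",
         0x2F: "EF under MF", 0x6F: "EF under level-1 DF", 0x4F: "EF under level-2 DF"}

def file_level(fid: int) -> str:
    """The first byte of a GSM file ID tells you what kind of file it is and where it sits."""
    return LEVEL.get(fid >> 8, "unknown")

def select_apdu(fid: int) -> bytes:
    """CLA A0 (GSM), INS A4 SELECT, P1 P2 00 00, Lc 02, then the 2-byte file ID."""
    return bytes([0xA0, 0xA4, 0x00, 0x00, 0x02]) + fid.to_bytes(2, "big")

def select_path(fid: int) -> list[bytes]:
    """SELECT APDUs from the MF down to `fid`: a SIM only lets you select a child of the current DF."""
    path = [fid]
    while path[0] != MF:
        path.insert(0, PARENT[path[0]])          # KeyError = file not in our (partial) tree
    return [select_apdu(f) for f in path]

STRUCTURE = {0x00: "transparent", 0x01: "linear fixed", 0x03: "cyclic"}

def access_name(nibble: int) -> str:
    """Access-condition coding: 0 ALWAYS, 1 CHV1, 2 CHV2, 3 RFU, 4..14 ADM, 15 NEVER."""
    return {0: "ALWAYS", 1: "CHV1", 2: "CHV2", 15: "NEVER"}.get(
        nibble, "ADM" if 4 <= nibble <= 14 else "RFU")

def parse_ef_select_response(resp: bytes) -> dict:
    """Decode the GET RESPONSE data returned after selecting an EF (bytes 1-15 of TS 51.011 9.2.1)."""
    if len(resp) < 15 or resp[6] != 0x04:        # byte 7 (type of file): 01 MF, 02 DF, 04 EF
        raise ValueError("not an EF select response")
    fid = int.from_bytes(resp[4:6], "big")
    size = int.from_bytes(resp[2:4], "big")
    read_update, increase, rehab_inval = resp[8], resp[9], resp[10]
    record_len = resp[14]
    return {
        "fid": fid,
        "level": file_level(fid),
        "size": size,
        "structure": STRUCTURE.get(resp[13], "RFU"),
        "record_len": record_len,
        "record_count": size // record_len if record_len else None,
        "invalidated": not (resp[11] & 0x01),     # file status bit 1: 0 = invalidated
        "access": {
            "read": access_name(read_update >> 4), "update": access_name(read_update & 0x0F),
            "increase": access_name(increase >> 4),
            "rehabilitate": access_name(rehab_inval >> 4), "invalidate": access_name(rehab_inval & 0x0F),
        },
    }

def readable_without_pin(info: dict) -> bool:
    """True for files like EF_ICCID whose READ condition is ALWAYS (extractable from a PIN-locked card)."""
    return info["access"]["read"] == "ALWAYS"

# Constructed sample responses (not captured from a real card); layout follows TS 51.011 9.2.1.
SAMPLE_RESPONSES = {
    "EF_ICCID": bytes.fromhex("0000 000A 2FE2 04 00 0F 00 AA 01 02 00 00"),  # read ALWAYS, update NEVER
    "EF_IMSI":  bytes.fromhex("0000 0009 6F07 04 00 1A 00 11 01 02 00 00"),  # read CHV1, update ADM
    "EF_SMS":   bytes.fromhex("0000 0160 6F3C 04 00 11 00 11 01 02 01 B0"),  # linear fixed, 2 x 176 bytes
}

if __name__ == "__main__":
    for name, resp in SAMPLE_RESPONSES.items():
        info = parse_ef_select_response(resp)
        print(name, [a.hex() for a in select_path(info["fid"])], info["structure"], info["access"])
```

On a real card each SELECT in the path is sent in turn and followed by GET RESPONSE; the decoded access conditions tell the examiner in advance which files will come back with status 9804 (access condition not fulfilled) until CHV1 has been verified.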
31
Q

List some common / useful Elementary Files (EF)

A

EF_ICCID = stores the ICCID (an elementary file directly under the master file, readable ALWAYS)

EF_ADN = stores the Abbreviated Dialling Numbers (names and numbers of stored contacts)

EF_FDN = Fixed Dialling Numbers. These entries can only be written after CHV2 (PIN2) has been verified on the SIM / UICC. If FDN is enabled then only the numbers stored here can be dialled, restricting calls to this list (emergency numbers excepted).

EF_LND = Last Numbers Dialled (a cyclic file, so record 1 is the most recent call)

32
Q

List some common data that may be retrieved when conducting a forensic examination of a SIM / USIM application.

A

Some data will be static, some will be dynamic.

STATIC DATA:
- ICCID, IMSI, language preference, authentication key (Ki), ciphering key (Kc), allowed / forbidden PLMNs (Public Land Mobile Networks), UCHV1/2 (PUK1/2).
  Note that Ki and the PUKs are stored on the card but are never readable over the card interface (access condition NEVER); Kc can be read from EF_Kc once CHV1 is satisfied.

DYNAMIC DATA:
- TMSI (Temporary Mobile Subscriber Identity), Packet Temporary Mobile Subscriber Identity (P-TMSI), Location Area Code, CHV1/2 (PIN1/2). The PIN values themselves cannot be read out; only their status (enabled / disabled, attempts remaining) is exposed.

PHONEBOOK / CONTACTS:
A SIM stores single-number records only (one number per name; two numbers cannot be stored in one record).
A USIM is more efficient, and one record can store multiple phone numbers.
Contacts are not necessarily stored on the SIM or USIM; it depends on the device configuration. If stored on the SIM or USIM then typically up to 250 entries maximum. It is more common for them to be on the device now.

SMS MESSAGES:
Capacity will vary.

PHONE NUMBER (MSISDN): sometimes stored in an EF (EF_MSISDN), but not reliably.

33
Q

What is the Integrated Circuit Card ID (ICCID)?

A

Unique serial number, usually printed on the SIM / UICC, and unique to that card.
Also known as the SIM serial number.
Has a defined structure.

19 or 20 digits (ignore any digits or letters printed after this)

Stored electronically on the SIM / UICC in EF_ICCID (readable without a PIN)

The service provider can identify the phone number (and possibly the subscriber) from the ICCID.

Reveals the country of origin and the issuing service provider.

34
Q

ICCID Structure - Summary

A
  • 19 or 20 digits
  • Usually printed on the SIM or UICC, but it may not be, or only part of it may be printed
  • The full number requires an electronic read of the SIM / UICC
  • Some providers print additional characters after it, but these are not part of the true ICCID
  • The content of ICCIDs is defined in ITU-T Recommendation E.118
35
Q

ICCID Structure - Breakdown

A
  • The first two digits are the Major Industry Identifier (MII), i.e. the type of card. 89 = telecommunications industry
  • The following 2 or 3 digits are the country code of the issuing service provider. 44 = UK, 353 = Republic of Ireland
  • The following digits (variable length) are the Issuer Identifier Number. This denotes the issuing communication service provider (CSP).
    It is a fixed number of digits within a particular country or world zone.
    UK / Republic of Ireland use 2 digits. 01 is the issuer identifier for Vodafone in the Republic of Ireland.
  • The remaining digits (except the last) are the Individual Account Identification Number.
    Its length is consistent for each issuing CSP.
    It may vary between countries and CSPs because country codes, issuer identifiers and full ICCIDs are all of variable length.
  • The last digit is a check digit (similar to the IMEI check digit), calculated with the Luhn formula. A printed or typed ICCID that fails the Luhn check has been mis-read or mis-typed.


36
Q

ICCID Retrieval

A
  • May not be visibly present on the SIM or UICC
  • However it is always stored on the SIM or UICC
  • Not PIN / CHV protected (READ access is ALWAYS)
  • Can be retrieved from the SIM or UICC using forensic tools
  • The ICCID printed on the card may differ from the one stored on the SIM or UICC (because the printed one may be an abbreviated version)

Sites like numberingplans can give information on an ICCID - use as an indicator only, as it may not be accurate.

37
Q

What is the International Mobile Subscriber Identity (IMSI)?

A
  • Used to uniquely identify a USER on a GSM-based mobile network, i.e. it identifies the SUBSCRIBER (the subscription, not the handset)
  • Electronically stored on the SIM / UICC in EF_IMSI
  • May be protected by PIN / CHV (READ access is CHV1)
  • Requires electronic extraction from the SIM / UICC, and may require the PIN or PUK to acquire
  • Defined by ITU-T Recommendation E.212
  • Gives the country and name of the service provider

Entering the IMSI into a tool such as numberingplans may give the country and service provider that issued it.

38
Q

IMSI Structure

A
  • The IMSI is a number of up to 15 digits
  • The first 3 digits are the Mobile Country Code (MCC). Denotes the country of the issuing service provider, e.g. 272 is Ireland, 234 is the UK, 262 is Germany.
  • The next 2 or 3 digits are the Mobile Network Code (MNC).
    Most are 2 digits; the Americas use 3.
    Denotes which network within that country the subscriber belongs to,
    e.g. in the UK 10 = O2.
    The MNC is only unique within a particular country, so MCC + MNC together are unique.
    The full list can be found online as an annex to E.212. On the card itself the MNC length is recorded in EF_AD (administrative data), so an examination tool does not have to guess it.
  • The remaining digits are the Mobile Subscriber Identification Number (MSIN). This is used by the service provider to IDENTIFY THE SUBSCRIBER.
    Requires a request to the SP to attribute this to a person. Not always successful (e.g. unregistered pay-as-you-go) but may give other investigative lines of enquiry such as the location of purchase / CCTV.
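As an added example (not from the original flashcards), the following Python decodes the raw contents of EF_ICCID (10 bytes of nibble-swapped BCD) and EF_IMSI (a length byte, a parity/type nibble, then nibble-swapped BCD) exactly as they come off a GSM SIM, validates the ICCID's Luhn check digit, and splits both identifiers into the fields described in the ICCID and IMSI cards. It also re-encodes them, which is the same coding a re-writable card has to carry. The ICCID and IMSI values are constructed (the check digit is valid, the numbers are not real), and the country-code, issuer and MNC lengths are passed in as parameters because, as the cards say, they vary by country; on a real card the MNC length would be read from EF_AD rather than assumed.

```python
"""Decode and re-encode EF_ICCID / EF_IMSI from a GSM SIM and break the numbers down."""
from __future__ import annotations

def swapped_bcd_decode(raw: bytes) -> str:
    """Nibble-swapped BCD: the low nibble is the first digit of each pair; 0xF is padding."""
    return "".join(f"{n:X}" for b in raw for n in (b & 0x0F, b >> 4) if n != 0xF)

def swapped_bcd_encode(digits: str, length: int) -> bytes:
    """Inverse of swapped_bcd_decode, padded with 0xF nibbles to `length` bytes."""
    d = digits.ljust(2 * length, "F")
    return bytes(int(d[i + 1], 16) << 4 | int(d[i], 16) for i in range(0, 2 * length, 2))

def luhn_check_digit(payload: str) -> int:
    """Check digit that makes payload + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == int(number[-1])

def decode_ef_iccid(raw: bytes) -> str:
    if len(raw) != 10:
        raise ValueError("EF_ICCID is always 10 bytes")
    return swapped_bcd_decode(raw)

def encode_ef_iccid(iccid: str) -> bytes:
    return swapped_bcd_encode(iccid, 10)

def decode_ef_imsi(raw: bytes) -> str:
    """TS 51.011 10.3.2: byte 1 = length, byte 2 = parity/type nibble + digit 1, then swapped BCD."""
    length = raw[0]
    body = raw[1:1 + length]
    odd = bool(body[0] & 0x08)                   # bit 4 of the low nibble: 1 = odd number of digits
    digits = [body[0] >> 4] + [n for b in body[1:] for n in (b & 0x0F, b >> 4)]
    count = 1 + 2 * (length - 1) - (0 if odd else 1)
    return "".join(str(n) for n in digits[:count])

def encode_ef_imsi(imsi: str) -> bytes:
    odd = len(imsi) % 2 == 1
    first = (int(imsi[0]) << 4) | (0x08 if odd else 0x00) | 0x01   # parity bit + identity type 001 = IMSI
    rest = swapped_bcd_encode(imsi[1:], 7)
    return bytes([1 + len(rest), first]) + rest

def parse_iccid(iccid: str, cc_len: int = 2, issuer_len: int = 2) -> dict:
    """E.118 layout: MII (89) | country code | issuer id | account | Luhn check digit.
    cc_len / issuer_len are assumptions supplied by the caller (they vary by country)."""
    if not (iccid.isdigit() and 19 <= len(iccid) <= 20):
        raise ValueError("ICCID must be 19 or 20 digits")
    if not luhn_valid(iccid):
        raise ValueError("ICCID fails the Luhn check: mis-read or mis-typed")
    p = 2 + cc_len
    return {"mii": iccid[:2], "country": iccid[2:p], "issuer": iccid[p:p + issuer_len],
            "account": iccid[p + issuer_len:-1], "check": iccid[-1]}

def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """E.212 layout: MCC (3) | MNC (2 or 3; read the length from EF_AD on a real card) | MSIN."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6 to 15 digits")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}

# Constructed sample file contents (not from a real card).
EF_ICCID_RAW = bytes.fromhex("98 44 01 01 00 10 32 54 76 08")   # ICCID 89441010000123456780
EF_IMSI_RAW = bytes.fromhex("08 29 43 01 21 43 65 87 09")        # IMSI 234101234567890

if __name__ == "__main__":
    iccid = decode_ef_iccid(EF_ICCID_RAW)
    imsi = decode_ef_imsi(EF_IMSI_RAW)
    print(iccid, parse_iccid(iccid))        # country 44 (UK), issuer 10
    print(imsi, parse_imsi(imsi))           # MCC 234 (UK), MNC 10 (O2)
```

The Luhn step is the practical check an examiner wants before submitting an ICCID to a provider: a transcription error in a 20-digit number is easy to make and the check digit catches most of them.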


39
Q

What is the MSISDN?

A

Mobile Station International Subscriber Directory Number (MSISDN)

i.e. the TELEPHONE NUMBER

Can be stored on the SIM in EF_MSISDN as the 'own dialling number', but this field is user-editable so it is not reliable. The only reliable source is a request to the SP (quoting the ICCID or IMSI).

The length of an MSISDN is country-specific, but the maximum is 15 digits.

40
Q

SIM / UICC and IMEI Storage

A

In some circumstances (depending on the country and network) the IMEI of the handset that the SIM / UICC was last active in may be stored on the SIM / UICC.

More than one IMEI may be stored, indicating that the card has been active in more than one mobile device.

41
Q

SIM / UICC Storage & SMS

A

SMS can be stored on the SIM / UICC in EF_SMS.

The SIM / UICC capacity is small, so usually up to around 40 messages only.

SMS deleted on the SIM / UICC may be recoverable. When a user deletes an SMS stored on the SIM / UICC, only the status byte at the start of that record is changed, to mark the record as free and available for reuse; the message bytes themselves are left in place. As long as no new SMS is written into that record, the deleted SMS can be recovered by reading the record and ignoring the status flag.

The SMS capacity (number of messages stored) depends on the generation of the card and how the SIM / UICC is configured, as well as how the handset is configured.
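As an added example (not from the original flashcards), the following Python walks a raw EF_SMS dump record by record, applies the rule described above (status byte 0x00 but message bytes still present means a deleted, recoverable message) and decodes the SMS-DELIVER records it finds: SMSC, sender, service-centre timestamp and GSM 7-bit text. The three 176-byte records are constructed for illustration (the sender numbers and SMSC are fictitious); the 7-bit unpacking uses the standard "hellohello" test vector, and the parser handles only SMS-DELIVER with the basic 7-bit alphabet, leaving sent messages (SMS-SUBMIT), 8-bit / UCS-2 payloads and time zones aside.

```python
"""Walk an EF_SMS dump from a GSM SIM (linear fixed, 176-byte records), flag records
that were "deleted" (status byte 0x00) but still contain a message, and decode
SMS-DELIVER records: sender, service-centre timestamp and GSM 7-bit text."""
from __future__ import annotations

RECORD_LEN = 176
STATUS = {0: "free", 1: "read", 3: "unread", 5: "sent", 7: "unsent"}   # TS 51.011 EF_SMS byte 1

# GSM 03.38 basic 7-bit default alphabet (128 entries; the escape/extension table is not handled).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
        " !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
        "¿abcdefghijklmnopqrstuvwxyzäöñüà")
assert len(GSM7) == 128

def unpack_7bit(octets: bytes, septets: int) -> str:
    """Septet i occupies bits 7i..7i+6 of the little-endian packed bit string."""
    bits = int.from_bytes(octets, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))

def decode_address(raw: bytes, toa: int) -> str:
    """Nibble-swapped BCD digits with 0xF padding; type-of-address 0x91 = international."""
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw).rstrip("F")
    return ("+" if (toa & 0x70) == 0x10 else "") + digits

def decode_timestamp(scts: bytes) -> str:
    """TP-SCTS: YY MM DD hh mm ss (nibble-swapped); the 7th octet (time zone) is ignored here."""
    d = [f"{b & 0x0F}{b >> 4}" for b in scts[:6]]
    return f"20{d[0]}-{d[1]}-{d[2]} {d[3]}:{d[4]}:{d[5]}"

def parse_sms_deliver(tpdu: bytes) -> dict | None:
    """Parse a TS 23.040 SMS-DELIVER TPDU; other message types (e.g. SMS-SUBMIT) return None."""
    if tpdu[0] & 0x03 != 0x00:                   # TP-MTI 00 = SMS-DELIVER
        return None
    oa_digits, oa_toa = tpdu[1], tpdu[2]
    pos = 3 + (oa_digits + 1) // 2               # end of the originating address
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    scts, udl = tpdu[pos + 2:pos + 9], tpdu[pos + 9]
    if (dcs & 0x0C) == 0x00:                     # simplified: bits 3-2 = 00 means GSM 7-bit
        text = unpack_7bit(tpdu[pos + 10:pos + 10 + (udl * 7 + 7) // 8], udl)
    else:
        text = tpdu[pos + 10:pos + 10 + udl].hex()   # 8-bit or UCS-2 left as hex
    return {"sender": decode_address(tpdu[3:pos], oa_toa), "timestamp": decode_timestamp(scts),
            "pid": pid, "dcs": dcs, "text": text}

def parse_sms_record(record: bytes) -> dict:
    """One EF_SMS record: status byte, then length-prefixed SMSC address, then the TPDU."""
    status, body = record[0] & 0x07, record[1:]
    entry = {"status": STATUS.get(status, f"0x{record[0]:02X}"), "recoverable": False,
             "smsc": "", "message": None}
    if all(b == 0xFF for b in body):             # never written: nothing to recover
        return entry
    smsc_len = body[0]
    if smsc_len:
        entry["smsc"] = decode_address(body[2:1 + smsc_len], body[1])
    entry["message"] = parse_sms_deliver(body[1 + smsc_len:])
    # Deleting an SMS only rewrites the status byte to "free"; the message bytes survive
    # until a new message is written into the record, so status 0 + content = recoverable.
    entry["recoverable"] = status == 0
    return entry

def walk_ef_sms(ef: bytes, record_len: int = RECORD_LEN) -> list[dict]:
    if len(ef) % record_len:
        raise ValueError("EF_SMS length is not a multiple of the record length")
    return [parse_sms_record(ef[i:i + record_len]) for i in range(0, len(ef), record_len)]

def _record(status: int, hex_body: str) -> bytes:
    """Build a constructed record: status byte + bytes, padded with 0xFF to the record length."""
    return (bytes([status]) + bytes.fromhex(hex_body)).ljust(RECORD_LEN, b"\xff")

# Constructed sample (not from a real card): SMSC +447785016005 and two SMS-DELIVER TPDUs.
SMSC = "07 91 447758100650"
LIVE = SMSC + "04 0C 91 447700091032 00 00 22103021430040 0A E8329BFD4697D9EC37"   # "hellohello"
DELETED = SMSC + "04 0C 91 447700094065 00 00 22203090030040 04 D4F29C0E"          # "Test"
EF_SMS = _record(0x01, LIVE) + _record(0x00, DELETED) + _record(0x00, "")

if __name__ == "__main__":
    for n, e in enumerate(walk_ef_sms(EF_SMS), start=1):
        flag = "DELETED, recoverable" if e["recoverable"] else e["status"]
        print(n, flag, e["message"])
```

Record 2 is the interesting case: a handset lists only record 1, but the dump still holds the full TPDU of the deleted message, and it stays recoverable until an incoming message is written into that slot. The record length itself should be taken from the EF_SMS SELECT response rather than assumed, since 176 is the GSM value and a different card generation may differ.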

42
Q

SIM / UICC Locks - PIN (CHV)

A
  • 2 user-editable locks are available (PIN1 and PIN2). Usually only PIN1 is used.
  • Commonly known as a PIN; the GSM SIM specification (GSM 11.11 / TS 51.011) calls it CHV (card holder verification), while the UICC specification (TS 102 221) uses the term PIN again.
  • 4 to 8 digits in length
  • After 3 incorrect attempts the card blocks the PIN and an unblocking key (PUK) is required
  • Some providers use default values
43
Q

SIM / UICC Locks - PUK / UCHV

A
  • PIN Unblocking Key (PUK)
  • 8-digit code to unblock a PIN on the SIM / UICC
  • Correct GSM name is Unblock Card Holder Verification (UCHV)
  • Set by, and can be requested from, the CSP. Cannot be edited by the user.
  • 10 failed PUK / UCHV attempts permanently blocks the SIM / UICC, after which the protected data can no longer be accessed through the card interface. This matters because the SP sometimes supplies an incorrect code (wrong database), and a suspect may deliberately enter it wrongly 9 times to leave only 1 attempt. Always check the remaining-attempts counter before trying a PUK.

The UCHV can be input on the handset or, preferably, through a card reader by the forensic tool.

44
Q

Other data available from SIM / UICC not normally visible on the device

A
  • TMSI - Temporary Mobile Subscriber Identity
  • P-TMSI - Packet Temporary Mobile Subscriber Identity
  • Location Area Identity (identifies the last group of cells the card was registered in on the mobile network)
  • HPLMN - Home Public Land Mobile Network
  • Forbidden PLMNs - Public Land Mobile Networks the card is not permitted to register on
45
Q

SIM Cloning - Why do we create a SIM clone?

A

Why create a clone?

  • Primarily to prevent network access, to protect the integrity of the data on the device: no remote wipe, and no incoming calls or data changing what is on the handset.
  • To enable examination of the handset without the original SIM / UICC
  • To overcome a PIN-protected card for a device examination
46
Q

How to produce a SIM clone

A

Different handsets have different requirements for recognising a cloned SIM: some require the ICCID or the IMSI, or a combination of both; others require additional fields of information on the card.

  • Retrieve the ICCID of the original SIM / USIM
  • Retrieve the IMSI of the original SIM / USIM
    Both can be done by most forensic tools.
  • If the original SIM / USIM is not available
    it is possible to get the IMSI from the network operator by submitting the ICCID, and vice versa
  • A cloned SIM may not always work (this may be because some data fields do not contain the data the handset manufacturer expects to see)
  • Some handsets only require the ICCID
  • Some handsets only require the IMSI
  • Most handsets require both
  • A limited number of handsets require additional network information
  • Most forensic tool vendors use a re-writable card.

Different tools copy different network information, so if one tool's clone does not work another may, if more network information is required. Note that a clone of this kind carries the identity fields only, not the authentication key Ki (which cannot be read from the original), so it cannot authenticate to the network, which is exactly what is wanted for an isolated examination.

47
Q

Evolution of SIM technologies

A
  • Traditionally, if a subscriber switched networks then a new SIM / UICC would need to be issued, and the device would also have to be free of a network lock.

The evolution of the SIM function by the GSMA in 2016 introduced the embedded UICC / eSIM - permanently embedded in the device, usually soldered to the PCB. Individual operator profiles are contained in the eUICC.

This technology allows remote provisioning of subscribers via an SM (Subscription Management) platform, in the GSMA consumer solution (direct consumer channel), through individual profiles stored on the eUICC. A profile contains the mobile network operator's data about the subscriber, including the IMSI, the ICCID and the security features (keys). Remote provisioning typically occurs across a network. Commonly an initial bootstrap profile is installed by the manufacturer to allow the device to connect to an SM platform so that a customer profile can be downloaded. The consumer solution requires local human interaction, such as acceptance of permissions via an interface.
The deployment of consumer remote SIM profile provisioning consists of a number of different entities; some are on the mobile device and some are network-based.

On the mobile device there is the eSIM containing the eUICC (which stores the subscription profile(s)) as well as the LPA (Local Profile Assistant), which handles downloading profiles securely.
On the network side there is the SM-DP+ (Subscription Manager Data Preparation+), the entity that creates and protects profiles on request from the mobile network operator, and the SM-DS (Subscription Manager Discovery Server), which acts as a gateway to notify the eSIM that an SM-DP+ has a pending profile for it. These entities authenticate each other with security certificates issued under the GSMA certificate issuer (CI).

eSIM support was released with iOS 12.1 and Android 9.

The Machine-to-Machine solution (end to end) was the original form of remote provisioning. It is used for the European eCall system and for IoT devices.

The major difference between the consumer eSIM solution and the machine-to-machine solution is that consumer eSIM profile deployment requires some form of human interaction to accept the profile being installed on the eSIM, whereas in the end-to-end (M2M) solution the whole process is done remotely without the need for human interaction.

48
Q

What is an iSIM?

A

The progression of the SIM has also led to the development of the Integrated SIM (iSIM): similar in technical function to the eSIM, but rather than a standalone piece of electronics it is integrated into the architecture of the system on chip (SoC) used by the mobile device.

The System on Chip (SoC) is a piece of silicon in a mobile device that contains a number of components, typically including the graphics processing unit, CPU, digital signal processor, neural processing unit, video encoder / decoder and a variety of modems.

The iSIM is located within a tamper-resistant element (TRE) inside the secure enclave of the SoC, further enhancing its security. The secure enclave is typically partitioned completely away from the rest of the modules on the SoC and runs its own secure OS on its own processor, with its own cryptographic hardware. For an examiner this means there is no removable card to place in a card reader; with eSIM and iSIM the profiles can only be reached through the device itself.