Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

DEEPSEC: SMS Fuzzing – SIM Toolkit Attack

SMS Fuzzing – SIM Toolkit Attack

Bogdan Alecu

SMS is a unique mobile attack vector because it is an always-on service: regardless of whether or not you're using another application, an SMS can be received by the phone. As SMS is enabled by default on all phones, it provides many interesting possibilities.

Tools Used

  • PDUSpy
    • Used to decode the binary message
  • Nokia 3300
    • Used for capturing
    • F-BUS cable
  • dct3tap
  • Wireshark
    • GSMTAP and SIMCARD patches
  • Gemalto GemPC SIM Card reader

SIM Application Toolkit

Provides value-added services for the mobile operators.
Basically a set of commands written on the SIM card which helps the card communicate with the mobile device.
We are particularly interested in the following data on the SIM card:
  • Data download via SMS Point to Point

When this service is enabled, it instructs the mobile device to respond to short messages with varying protocol identifiers. This allows an attacker to send a message that goes straight to the SIM and is not shown to the user (the screen may light up on some phones).

By setting the second byte it is possible to trigger a delivery report. Setting the acknowledgement receipt via DELIVERY REPORT can result in any further messages being queued up until after the initial message expires (time out dependent on provider).
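As an added example (not from the talk or this post), the following Python decodes an SMS-DELIVER PDU the way PDUSpy would and flags messages that the handset hands to the SIM rather than the display (TP-PID 0x7F "SIM data download" or a class 2 TP-DCS), also reporting whether a delivery report was requested (TP-SRI). Field offsets follow 3GPP TS 23.040/23.038; the two PDUs are constructed samples, not captures from the talk.

```python
"""Decode SMS-DELIVER PDUs and flag messages addressed to the SIM rather than the user."""
from dataclasses import dataclass
from typing import Optional

PID_SIM_DATA_DOWNLOAD = 0x7F   # TP-PID value "(U)SIM Data download" (TS 23.040)


@dataclass
class Deliver:
    originator: str
    pid: int
    dcs: int
    status_report: bool   # TP-SRI: originator asked for a delivery (status) report
    user_data: bytes


def _bcd_digits(raw: bytes, ndigits: int) -> str:
    """TP-OA digits are nibble-swapped BCD; an odd digit count is padded with 0xF."""
    out = []
    for b in raw:
        out.append(str(b & 0x0F))
        out.append(str(b >> 4))
    return "".join(out[:ndigits])


def parse_deliver(pdu_hex: str) -> Deliver:
    data = bytes.fromhex(pdu_hex)
    pos = 1 + data[0]                      # skip SMSC address (length octet + address)
    first = data[pos]
    if (first & 0x03) != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU (TP-MTI != 0)")
    ndigits, toa = data[pos + 1], data[pos + 2]
    pos += 3
    addr_len = (ndigits + 1) // 2
    prefix = "+" if (toa & 0x70) == 0x10 else ""   # international numbering plan
    originator = prefix + _bcd_digits(data[pos:pos + addr_len], ndigits)
    pos += addr_len
    pid, dcs = data[pos], data[pos + 1]
    pos += 2 + 7 + 1                       # TP-PID, TP-DCS, TP-SCTS (7 octets), TP-UDL
    return Deliver(originator, pid, dcs, bool(first & 0x20), data[pos:])


def message_class(dcs: int) -> Optional[int]:
    """Return the TP-DCS message class (0-3) when the coding group carries one."""
    if (dcs & 0xF0) == 0xF0 or ((dcs & 0xC0) == 0x00 and (dcs & 0x10)):
        return dcs & 0x03
    return None


def is_sim_bound(msg: Deliver) -> bool:
    """Class 2 or PID 0x7F: the phone passes the payload to the SIM, not to the display."""
    return msg.pid == PID_SIM_DATA_DOWNLOAD or message_class(msg.dcs) == 2


# Constructed samples (same originator): an ordinary text and a SIM data-download PDU.
NORMAL_PDU = "00" "04" "0C91447700091032" "00" "00" "11118100000000" "05" "E8329BFD06"
SIM_PDU = "00" "24" "0C91447700091032" "7F" "F6" "11118100000000" "04" "DEADBEEF"
```

Running `is_sim_bound(parse_deliver(SIM_PDU))` returns True while the normal text returns False; the same check can be applied to PDUs dumped from a phone log to spot silent SIM-bound traffic.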

The person receiving the message is charged for the acknowledgement at the provider's standard rate. This is involuntary, as the person receiving the message gets no warning.

Problem reported as CVE-2010-3612 (currently reserved)

Vulnerability tested on multiple phones including Nokia, Samsung Galaxy S, ….

  • Works independently of the phone or GSM network
  • When sending the message between different networks or within the same network, the financial impact is not as great
  • There are providers that allow you to spoof source numbers –> Think premium rate numbers

By spoofing the source address you can set a premium rate source (attacker owned) and have the credit stolen from a victim's phone without notification.

  • Most protections require operator assistance.
  • Some mobile devices have the ability to ask the user about SIM actions (other than Nokia?)
  • Use a SIM card that has the service "data download via SMS Point to Point" deactivated, or one without any Toolkit Application

Links:

  • SMS Fuzzing – SIM Toolkit Attack –> Overview
  • SMS Fuzzing – SIM Toolkit Attack Slides –> Link

3 responses to “DEEPSEC: SMS Fuzzing – SIM Toolkit Attack”

  1. Bogdan Alecu November 18, 2011 at 00:41

    Thanks for your post Chris. I’ve made the presentation public - see here: http://blog.m-sec.net/2011/sim-toolkit-attack/

  2. Pingback: First Press Coverage of DeepSec 2011 –

  3. Bogdan Alecu November 22, 2011 at 02:33

    I’ve also published the video from my talk, in case anyone is interested – just use the same link as for the slides.
