Schneier on Security
A blog covering security and security technology.
July 3, 2006
Getting a Personal Unlock Code for Your O2 Cell Phone
O2 is a UK cell phone network. The company gives you the option of setting up a PIN on your phone. The idea is that if someone steals your phone, they can't make calls. If they type the PIN incorrectly three times, the phone is blocked. To deal with the problems of phone owners mistyping their PIN -- or forgetting it -- they can contact O2 and get a Personal Unlock Code (PUK). Presumably, the operator goes through some authentication steps to ensure that the person calling is actually the legitimate owner of the phone.
So far, so good.
But O2 has decided to automate the PUK process. Now anyone on the Internet can visit this website, type in a valid mobile telephone number, and get a valid PUK to reset the PIN -- without any authentication whatsoever.
EDITED TO ADD (7/4): A representative from O2 sent me the following:
"Yes, it does seem there is a security risk by O2 supplying such a service, but in fact we believe this risk is very small. The risk is when a customer’s phone is lost or stolen. There are two scenarios in that event:
"Scenario 1 - The phone is powered off. A PIN number would be required at next power on. Although the PUK code will indeed allow you to reset the PIN, you need to know the telephone number of the SIM in order to get it – there is no way to determine the telephone number from the SIM or handset itself. Should the telephone number be known, the risk is then the same as scenario 2.
"Scenario 2 - The phone remains powered on: Here, the thief can use the phone in any case without having to acquire PUK.
"In both scenarios we have taken the view that the principle security measure is for the customer to report the loss/theft as quickly as possible, so that we can remotely disable both the SIM and also the handset (so that it cannot be used with any other SIM)."
Posted on July 3, 2006 at 2:26 PM
Question: how hard is it to extract the phone number from a blocked phone? (Easy, of course, from an unlocked phone, but...)
Isn't it the sim card that gets blocked, not the phone? In which case, assuming you can't get the mobile number from a blocked sim, it seems fairly secure still. I mean, if you know the phone number then there's a decent chance you'll be able to find out anything else O2 are likely to ask you. And many pay as you go sim cards aren't actually registered to anybody in the first place.
you can also have a phone blocked relatively easily once it's stolen, so that even a PUK won't enable it - so although it looks like the site opens up a big hole, it's actually a relatively sensible relaxing of security at the lower levels because the higher levels [blocking the phone] have become more reliable/available.
In case you steal the phone from someone you know - easy.
In case you steal somebody's jacket and find his phone AND his purse (quite likely) - easy.
PIN/PUK and PIN2/PUK2 security is part of the GSM specification (a part that was taken over into the UMTS specs). The security measure is actually enforced by the SIM (subscriber identification module), a smartcard, not the phone or the network. A reasonably secure mechanism.
All GSM providers here in Germany give separate special envelopes (the kind where you can't read the contents without obvious damage to the envelope) with all four codes to the subscriber when signing up.
The method used by O2 is obviously deeply flawed (and would be illegal in Germany -- here, the provider must not even know these codes after giving them to the subscriber once).
Hmmm. I believe you got it wrong. The PIN code is not for the phone, but for the SIM Card (the smart card inside a GSM phone). The PUK code unblocks a blocked SIM, not the phone. Most phones have a lock code so that another SIM Card won't work in the phone. The PIN Code is more protection if you leave your phone (off) around somewhere you think you'll get it later. If you lose your SIM card, you have to report it immediately as you run the risk of having someone run up a huge bill in calls (if the phone is not prepaid or Pay-as-you-go). Hence, the PUK code was a bad security measure in that it didn't align interest and security well. What most operators do is provide you with a PUK code with your original SIM documents; if you forget your PIN code, you probably still have those documents at your house. The PIN code is just a way to give you some time to realize your phone got stolen and call the operators. Since most phones are not stolen while off, it was a pretty useless measure (the PIN is only requested when turning on the phone). I'm afraid I mangle this explanation badly, but I hope you understand my point.
It is the SIM that is locked, not the mobile. Therefore I'm not sure if it really matters.
"PUK - system unavailable
The system is currently unavailable and we are working to restore this as soon as possible."
Perhaps they're fixing it.
hmm... t-mobile needs to do this.
I am from downunder and my wife got a new phone but they didn't tell her what the PIN2 was (I'd never heard of PIN2; we set PIN1 in the store). Anyway, strike 3 later and the phone was locked. A quick call to the provider and a couple of voice recognition steps later (after disclosing my date of birth) and the nice computer voice told me the PUK. Now that we have IMEI blocking the PIN is kind of redundant, so I don't see what O2 is doing as too much of an issue.
Bruce, Alfredo Octavio is totally right.
The PIN code is a (U)SIM card unlock code (reminder for our CDMA friends: SIM card is for GSM, USIM is for UMTS - commonly called smartcard). Once the right PIN code is entered, you can open your network session.
If a bad PIN code is entered 3 times, your smartcard asks for a PUK code to "reset" the PIN code.
There is no relationship between the handset/device and the PIN/PUK code from the smartcard.
And in addition, most of the time (except in some cases in China & India) the (U)SIM belongs to the Operator not to the end user.
PIN = 4 digit code to activate SIM with 3 tries
PUK = 10 digit code with (I think) 5 tries to activate SIM
PIN2 = code for special services; often not known to or important for user.
Security code = code to access phone, typically 5 digits, permits changing of SIM card in phone and/or used for auto lock
To get the number from the phone may or may not be difficult. Someone may have their own number (as something like "self") in their phone directory. If the SIM is locked, this will require another SIM in the phone which may trigger the phone security code depending on user configuration.
The PIN code system seems to me to handle the time between when your phone is stolen and the time when you realise. That may be a long time (e.g. for a phone stolen from home whilst you are on holiday). With a well chosen PIN, the thief has a very slightly more than 3 in 10000 chance of guessing (5 in 10^10 more). At this point searching for the PUK may be valuable for the thief.
PIN security really comes into its own in phones with autolock (like series 60 phones) which can have a security code just to use the phone. Since this more or less forces the thief to turn off the phone and move the SIM to another one, they need to know the PIN to use it. At that point you can be reasonably confident that the normal thief won't be able to call on your card.
Tmobile also do online PUK codes. In order to use it you have to register on their website and they then send a code to allow you to access the website account to your mobile phone!
Well, my sim card has the phone number written all over it (not by me). Maybe that's not the case for o2 though.
Have a look at how http://www.orange.co.uk have done this. They've got it right. The sign-up for their mobile phone support has two layers of authentication: 1. An eight digit code sent to your phone by SMS and 2. A four digit code negotiated by the contract holder with Orange (by calling their helpdesk and talking to a warm body). Without those two things it's impossible to register an Orange phone number.
Once registered sign-in is with a normal userid/password challenge.
The system behind this has the ability to generate PUK codes but their security model appears to be more robust than O2's.
Most networks get it right. Why? Because the networks bear the cost of illegal calls. Not always directly, but because there is so much competition they lose customers to this sort of thing. They either keep the customer by covering the cost or the customer gets a new connection from a different provider.
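The contrast between the O2 service described in the post (phone number in, PUK out) and the Orange registration described above (SMS code to the handset plus a contract-holder code) can be made concrete. This is an added example, not code from the post, from O2 or from Orange; the subscriber record, phone number, codes and PUK are constructed sample data, and the SMS sender is a hypothetical callable supplied by the caller.

```python
# Added example: weak PUK lookup beside a hardened two-layer version.
# All subscriber data below is constructed; nothing here is O2's or Orange's code.
import hmac
import secrets

# Constructed subscriber records: MSISDN -> PUK and contract-holder code.
SUBSCRIBERS = {
    "+447700900123": {"puk": "1234567890", "contract_code": "4821"},
}
MAX_ATTEMPTS = 3  # failed second-step attempts before a fresh SMS is required


def weak_puk_lookup(msisdn):
    """Weak model (the flaw in the post): knowing the number is enough."""
    rec = SUBSCRIBERS.get(msisdn)
    return rec["puk"] if rec else None


class HardenedPukService:
    """Hardened model: possession (SMS to the handset) + knowledge (contract code)."""

    def __init__(self, send_sms):
        self.send_sms = send_sms  # hypothetical callable: delivers a code to the handset
        self.pending = {}         # msisdn -> [sms_code, attempts_left]

    def start(self, msisdn):
        """Step 1: the one-time code goes to the SIM's own number, not to the requester."""
        if msisdn not in SUBSCRIBERS:
            return False
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[msisdn] = [code, MAX_ATTEMPTS]
        self.send_sms(msisdn, code)
        return True

    def finish(self, msisdn, sms_code, contract_code):
        """Step 2: both factors must match; failures are counted and the session is single-use."""
        state = self.pending.get(msisdn)
        if state is None:
            return None
        expected_sms, _ = state
        ok = hmac.compare_digest(sms_code, expected_sms) and hmac.compare_digest(
            contract_code, SUBSCRIBERS[msisdn]["contract_code"])
        if ok:
            del self.pending[msisdn]          # consume the session
            return SUBSCRIBERS[msisdn]["puk"]
        state[1] -= 1
        if state[1] == 0:
            del self.pending[msisdn]          # lock out; a new SMS must be requested
        return None
```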
Well, I don't know where you all come from but in my country (Germany) the mobile number is printed on the SIM card. At least with the two providers I was with. So taking out the SIM card and simply reading it with your own eyes is the simplest way to get it :) And I can't understand people saying here this wouldn't be a serious security flaw. I'm happy I'm not with O2 because this sucks.
UK SIM cards do not have mobile number on them.
PUK code exists to protect the data on the SIM, the phone book etc.
SIM cards are blocked by the network as soon as reported stolen. O2 in UK sent me a new pre-pay SIM when I lost mine, and transferred the balance from the last one.
p.s. If I go on holiday (without my phone???) and someone breaks in to my house, the SIM card with 20 quid on it would be the least of my worries!!
Nice that a representative responded. It gives a good illustration of the behavio(u)r/threat calculations that mobile companies go through when designing their security.
"the principle security measure is for the customer to report the loss/theft as quickly as possible"
Principle security measure? This is more like a hope and a prayer that users will always be in a position to identify and therefore reduce their own risk in a timely fashion -- the very opposite scenario to why robust controls are necessary in the first place.
"there is no way to determine the telephone number from the SIM or handset itself"
Wha? If I call another cell from the one I just found, it tells me the telephone number, right? Just one example of how simple it is to bypass the presumptions made by O2.
I have to agree with O2's assessment of the risk, not because I buy into their scenarios, but because of scenario 3: Most people do not set a PIN (I don't because my phone is not turned off enough, usually just when I get on a plane), so if someone stole a phone with a PIN locked SIM they would just ditch the phone and pinch another one which is probably unprotected.
"there is no way to determine the telephone number from the SIM or handset itself"
I believe what the representative is saying is that the only way you can get that information is by placing a call - you can't read it out directly.
This is really only likely to be useful if a criminal gets somebody's phone, and then wants to turn it off and back on, which would usually be a silly thing to do.
One interesting thing: on my Vodafone Germany prepaid SIM, I could _not_ disable its PIN. It would always ask for my PIN when I turned my phone on. Some phones would let me select "turn off PIN" and would fail; others simply wouldn't show me the "disable PIN" menu option.
Given that this was a prepaid SIM with Eu10 in credit, sitting inside of an Eu900 phone, having enforced protection of my SIM card seemed very silly.
Move the SIM to another phone (without PUK), call someone, see what the caller-id is. This turns scenario 1 into scenario 2.
So, basically you're screwed, report the phone lost and get it, and the SIM, barred.
The SIM is protected by PIN and PUK, not the phone. In other words, when you move the SIM to another (unlocked) phone, you will still need PIN (or PUK) to activate the SIM and place a call.
O2 can remotely disable the *phone*? Howzhat? Sounds scary.
Concerning knowledge of the phone number being sufficient to get the PUK to unlock it, this is the first I have heard that knowledge of the phone number is as good as the PIN.
On my family phones, we write (now "used to write") the number of the phone on the outside. This is to help us tell other people the number, when we so rarely dial it ourselves.
If such a practice renders ineffective a security measure that we rely on, I think this should be made common knowledge.
So thank you Bruce for drawing the issue to our attention.
AFAIK, all GSM operators can remotely disable a phone AND SIM card by blacklisting their serial numbers. It's part of the GSM specs (if it's not, please someone correct me) and was done this way exactly to disable lost/stolen phones. Never heard about misuse of this feature, either in my country (Brazil) or anywhere else!
Yes, you are absolutely correct: every (GSM) phone has an IMEI code that can be blacklisted. Operators share these lists. As you said, SIM can be blocked as well.
BTW, then there are PKI-related PINs as well coming up/already in use in PKi-enabled SIMs. It'll be fun for help desks.
although of course with the right software you can set the IMEI to any number you want. At least for Siemens phones this is the case with a program the name of which I won't mention ..
Anyway, I just checked on my german cellphone (Vodaphone prepaid), and the number is _not_ written onto the SIM-Card. But since this is a prepaid card I don't worry about the problem much anyway. If it gets stolen, the thief now owns
a) a very old cellphone (got this for free from somebody who got a new one)
b) a card with about 5 EUR on it (yay!)
big deal. Bigger problem would be my contacts and calendar which are also stored on the phone.
I must be missing something, but assuming this is implemented in addition to the old system (banning a SIM once reported stolen), how does this decrease security? They're certainly not covering all their bases, but they've covered one more at least.
The O2 representative who contacted you was very wrong in what they said:
"Scenario 1 - The phone is powered off. A PIN number would be required at next power on. Although the PUK code will indeed allow you to reset the PIN, you need to know the telephone number of the SIM in order to get it – there is no way to determine the telephone number from the SIM or handset itself."
There is a very easy way to get the number of a locked phone...
Basically there is a requirement that any phone (even locked ones) be able to dial emergency services (999/911/etc), so the phone from that point of view is still usable.
When you phone the emergency number in the UK you are asked for Police, Fire or Ambulance by the mobile phone company operator. When you reply you are put through to that service, and the operator then (very helpfully) reads out the mobile phone number to the emergency service you were put through to.
So as I said you can quite easily and quickly get the number of a locked mobile phone in the UK, and the man from O2 did not know what he was talking about.
I would suggest you "out him" and his EMail address so that we can all complain to him.
@Clive: Emergency dialing is also possible without a SIM, so I'm not sure the emergency operator will receive a phone number at all if the SIM is not active.
Otherwise, you could replace the SIM in a phone from a person you know the number from in order to impersonate him or her to some other service like a bank.
Many SMS-based shopping / authentication solutions can be broken into using this scenario.