GOPHERSET: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:

GOPHERSET

(TS//SI//REL) GOPHERSET is a software implant for GSM (Global System for Mobile communication) subscriber identity module (SIM) cards. This implant pulls Phonebook, SMS, and call log information from a target handset and exfiltrates it to a user-defined phone number via short message service (SMS).

(TS//SI//REL) Modern SIM cards (Phase 2+) have an application program interface known as the SIM Toolkit (STK). The STK has a suite of proactive commands that allow the SIM card to issue commands and make requests to the handset. GOPHERSET uses STK commands to retrieve the requested information and to exfiltrate data via SMS. After the GOPHERSET file is compiled, the program is loaded onto the SIM card using either a Universal Serial Bus (USB) smartcard reader or via over-the-air provisioning. In both cases, keys to the card may be required to install the application depending on the service provider's security configuration.

Unit Cost: $0

Status: (U//FOUO) Released. Has not been deployed.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 13, 2014 at 2:05 PM • 13 Comments

Comments

Nate • February 13, 2014 3:14 PM

Any comment on the Linksys router worm? https://isc.sans.org/diary.html?storyid=17633

At this point, we are aware of a worm that is spreading among various models of Linksys routers. We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900

The worm will connect first to port 8080, and if necessary using SSL, to request the "/HNAP1/" URL. This will return an XML formatted list of router features and firmware versions. The worm appears to extract the router hardware version and the firmware revision.

...

We do not know for sure if there is a command and control channel yet. But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie "The Moon" which we used as a name for the worm.

We call this a "worm" at this point, as all it appears to do is spread. This may be a "bot" if there is a functional command and control channel present.

Indicators of compromise:

- heavy outbound scanning on port 80 and 8080.
- inbound connection attempts to misc ports

Detecting potentially vulnerable system:

printf 'GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n' | nc routerip 8080   # printf, so the \r\n escapes are interpreted in every shell (bash's builtin echo would send them literally)

if you get the XML HNAP output back, then you MAY be vulnerable.
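The check quoted above, wrapped so an administrator can run it against their own router inventory and read the model and firmware out of the reply. This is example code added here, not from the SANS diary or the post; the HNAP element names and namespace are assumptions, and the sample response is constructed, not captured from a real router.

```python
# Probe for the HNAP interface that the Linksys worm above looks for, and pull the
# model/firmware fields out of the XML so an admin can match them against the vulnerable list.
import re
import socket

HNAP_REQUEST = b"GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n"   # identical to the nc one-liner

def build_request():
    """The request bytes the one-liner sends, exposed so they can be checked and reused."""
    return HNAP_REQUEST

def parse_hnap_response(raw):
    """Return (model, firmware) if the reply carries HNAP XML, else None (no HNAP output = not the
    behaviour the worm keys on). Element names and namespace are assumptions about HNAP replies;
    the regex tolerates a namespace prefix such as <ns:FirmwareVersion>."""
    text = raw.decode("utf-8", errors="replace")
    if "purenetworks.com/HNAP1" not in text:
        return None
    def field(name):
        m = re.search(r"<(?:\w+:)?%s>(.*?)</(?:\w+:)?%s>" % (name, name), text, re.S)
        return m.group(1).strip() if m else ""
    return (field("ModelName"), field("FirmwareVersion"))

def probe(host, port=8080, timeout=5.0):
    """Send the probe to one router (plain TCP, as in the one-liner) and parse whatever comes back."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request())
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass                                  # keep-alive connection: parse what we got
    return parse_hnap_response(b"".join(chunks))

# Constructed reply for exercising the parser offline; model name is one from the list above,
# the firmware string is made up.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    b'<soap:Envelope><soap:Body><GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">'
    b"<ModelName>E1000</ModelName><FirmwareVersion>2.1.02</FirmwareVersion>"
    b"</GetDeviceSettingsResponse></soap:Body></soap:Envelope>")

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:                      # e.g. python hnap_probe.py 192.0.2.1
        print(host, probe(host))
```

A router that answers with HNAP XML is only a candidate; the firmware version still has to be compared with the vendor's fixed releases.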

Bruce Mangee • February 13, 2014 8:23 PM

An older version of SIM attacks described in this video?
https://www.youtube.com/watch?v=5B7XyVWgoxg

Attack unused and unprotected services of the SIM card to implement very simple programs that send an SMS with the available phone information. All without knowing the key. If they know the key, the SIM security is broken anyway.

Perhaps it was not deployed because there are easier methods to gain the same information?

There are also Java capable SIM cards shipped with newer phones, which makes it a lot easier to ship the program to the phone in a prepared SMS.

Chuck Finley • February 13, 2014 9:02 PM

Premises of Debate
Everyone took the oath (below) including the President. The President is the only one not accountable to the constitution.
To "support and defend the constitution against all enemies foreign and domestic"

This is the same argument big companies use to crush security analysts who hound vendors with relevant material vulnerability facts and then, after a long overdue time, disclose to the public.

So, “Was Snowden justified”: whistleblower at the end of a devious rope, or did he just decide to hang his bosses with it for fun?

Support
• Ben Wisner (ACLU) Snowden’s Legal advisor
• Daniel Ellsberg (leaker of 7k Pentagon papers)
40 years after the fact is "typical"

Ben Wisner---------
• Weak arguments |||
• Strong arguments||||||||||||||||||
• Weak arguments which follow stronger ones
• Extraordinary faults in his own premise
• Lies and Damn lies (Bullet list)
• Faults identified in opposition's premise ||||
• Wishful thinking ||||||


--------------------------------------

Daniel Ellsberg--------
• Weak arguments |||
• Very weak arguments||
• Extraordinary faults in his own premise
• Strong arguments|||||||
• Weak arguments which follow stronger ones|
• Extraordinary faults in his own premise
• Lies and Damn lies (Bullet list)
• Faults identified in opposition's premise||||||||||
• Wishful thinking |


Crucify
• Jim Woolsey former CIA Director (93-95) aka Theater role as CIA dir named “Heinous Overreach”
• Andrew McCarthy

James Woolsey
• Weak arguments |||||
• Very weak arguments ||||||
• Extraordinary faults in his own premise |||||
-Blaming Snowden for revealing "US intended to use Chinese Cyber weapons against them" which is exactly the same thing Obama made real when he personally leaked that Stuxnet and Flame were both of US origin
-- Snowden did what he thought was responsible disclosure.
--Obama was neither responsible nor sober when he attributed US as owner of Iranian centrifuge malware
- Lies and Damn lies.
-- That Iran was responsible for 911 and being able to read Iranian emails could have stopped 911
--Anti CIA following technique revealed by Woolsey, use Faraday bag when in transit impacts
--Latin America Sex trade and Prevents CIA from following in real time Sex traders.

• Strong arguments
• Weak arguments which follow stronger ones
• Faults identified in opposition's premise
• Wishful thinking |

--------------------------------------

Andrew McCarthy
• Weak arguments|
• Very weak arguments||||
• Extraordinary faults in his own premise ||||||
- No single document intel disclosure could possibly justify the treason.
- Faults Bush right after 911 for reacting.
- Obama is entitled due to being "elected" and following a difficult protocol
- Took away power by using private judges who never deny a FISA request. Requests are reworded to be correct.
- The Supreme court and 15 Federal judges that work for Obama can trump Constitution to ratify one person as Judge Jury and Executioner.
- Describes core issue as a Type A Alpha personality conflict between President and Snowden as rationale that Snowden not justified.

• Strong arguments
• Weak arguments which follow stronger ones
• Extraordinary faults in his own premise
• Lies and Damn lies (Bullet list)
• Faults identified in opposition's premise
• Wishful thinking |

----Round 2
Inverse Premises
• The ends justify the means when elected officials conspire to crap on the constitution
• Snowden was justified because he was / is correct that the ends don’t justify the means.

Andrew McCarthy
• The public already knew the means and did not know the detail, some of which was in the public eye from 2008. You didn’t complain then, so you have no right to claim Snowden is a Whistleblower now

-----------------------

Ben Wisner
• Federal judges have said in 2013-14 the program is almost certainly unconstitutional
• Congress in 2013-14 has threatened to not renew patriot act.
• Clearly the Public and Courts did not bless by silence that the ends justify the means.

-----------------------

Woolsey
• Immediately went to the trough of "Meta Data" lies and Exceptionally Damned lies
• Lets the executive branch only see what’s revealed on, “the outside of envelope and postmark”, which has been approved by courts. The ends DO justify the means, for what’s on the "envelope and postmark"

• The fact is they pull every bit of audio Meta data from audio
• The envelope reveals the Meta data related to the conversations, to the accents of the talkers, what’s on the TV or radio, how many people in the room, in the house, what might have played through computer audio on login data wrapped into the envelope. Just epic Lies.

-----------------------

Daniel Ellsberg
• Whistleblower is justified due to material observation that public elected officials and generals are lying in public. Just like they lied straight faced to everyone multiple times at 2013 Black Hat USA.
• All telephony content is recorded and fine grained turned into Meta data why should we believe them. Only due to Snowden!

Ben Wisner

This is where I got exhausted with the crucify side’s pointless bloviating, contributing no value but that the ends always justify the spin, asserting emphatically that the means and ends are irrelevant.

-Round 2 Audience Questions
• Was it necessary to disclose the amount and still seek the process he was trying to achieve. Snowden has disclosed zero documents. Journalists have!
• Does the damage justify Snowden means using professional Journalist judgments? Yes.
• Health of democracy is of no value to the powers in control.

Round 3 – Closing statements
Rating closing from 1-100
• Ben Wisner – Justified
• James Woolsey - Experience justifies the means when material spin is by request of NSA.
• Daniel Ellsberg – The Facility in Utah has only one purpose Content audio video decomposition. Meandered on closing focus what a waste.
• Andrew McCarthy – Rejects a premise that law enforcement rules derived from a misguided justification that operating within the bounds of the Constitution has supremacy.

Votes
Before
• For the Motion 29%
• Against the Motion 29%
• Undecided voters 42%

After Vote Difference Final Tally
• For the Motion +25% 54%
• Against the Motion +6% 35%
• Clueless voters -31 11%

The news is that after informed public debate 31% decided, and 3 to 1 decided that Snowden was justified!

No one brought up NSA implants directly which in my mind justifies Bruce’s “NSA leak of the day” as critical path for continued informed debate and discourse.

I applauded, (sometimes with the audience) 4 times to a speakers points, if you don’t think that the NSA might want to always and automatedly ‘know’ who I was for and who I was against by decomposing the meta data from audio content leaking by design from in home electronic devices, respectfully, you should count yourself ignorant and a fool.

As for Whistleblower media we-the-people dialogs, I turn to evaluate Google bias, re Stuxnet and Flame and the NSA exploit of the day, as compared to DuckDuckGo, which does not store and therefore cannot spin the search results.

Google
• Terms “Obama attributes United States and writer of malware”
o 1 poor, 2 very good hits and 1 excellent hit by the Washington Post.

• Terms “NSA Exploit of the Day”
o 10 excellent hits but exclusively points to schneier.com
o A searching user that stumbled on this would think Schneier.com was the squeaky wheel, missing that the scope of the reporting and resulting ecosystem dialog is vastly wider.

Repeat the two searches on DuckDuckGo for reference
• Terms “Obama attributes United States and writer of malware”
o 8 good direct hits from prominent diverse source origins.

• Terms “NSA Exploit of the Day”
o 80 good direct hits from prominent diverse source origins.

God I pray the US Supreme Court does not use Google. It would be a sin.

Mike the goat • February 14, 2014 12:48 AM

The NSA love cellular devices. I often pondered on the antiquated SIM toolkit functionality and the JavaCard functionality of USIMs being potentially a vector for exploits.

That said - given the uptake of smartphones and the plethora of potential ways that they can get their code onto a device - OTA from cellular provider or even better use their documented squirrel grip on Google and Apple to use their app delivery platform.

We know that Google can push framework and Play Store (the store itself) updates without any user confirmation - remember when the "Google Settings" applet appeared on everyone's handsets seemingly overnight? Apple has similar capability.

Nate: yeah it is interesting and we haven't heard much about it since.

xrc • February 14, 2014 5:35 AM

I used to do JavaCard development back in 2009/2010; part of it was sending hidden SMS for diagnostics.

Analysing the content (program instructions) of a SIM Card would be dirt cheap, but impossible without the encryption key. Phone operators will not hand that one out, we only had a handful of testing cards with keys and they were freakishly paranoid about them.

The Sim Toolkit needs to send APDU commands to the Handset in order to send the message.

On a dumb phone, there is little one can do to detect this. On a rooted smartphone however, it is possible to hook in at this end and log the communication between the SIM and handset. We used old Windows Mobiles to do just that.

Also there are a couple of expert diagnostic tools on the market that hang between a phone and a sim card and record the protocol. (Some, like the Gemalto developer suite, even run on a PC and simulate a phone when talking to a SIM in a USB Card Reader. Very powerful for debugging!) It would be very easy to detect odd behaviour like this using a tool like that.

Mike the goat • February 14, 2014 6:02 AM

xrc: thanks for your illuminating comments. I am fiddling with cellphones at the moment as part of a paper I am potentially (co)authoring on uh "the secret life of your cellphone". We are experimenting with OpenBTS and a number of consumer phones but the SIM development angle is an interesting one and certainly a part of the picture we have neglected.

xrc • February 14, 2014 7:46 AM

@Mike I know that the CCC had its own network and sold SIM cards at the 30C3. You can certainly buy blank USIMs for testing, so if you have your own network, I guess you can actually do a lot!

APDU is a tag-length-value protocol, and relatively easy to get into. (Lots of codes to look up though.) NFC is using the same protocol.

I quite liked JavaCard development. It is a bit like writing Assembler code in Java. One really odd behaviour is that variables are by default declared on EPROM and keep their value through power cycles. (Common rookie mistake: if you get your app into a bad state, it will be stuck there.) The documentation on the Oracle site is a good starting point. Sim Toolkit functionality comes on top of that.

There are a couple of freeware tools that can be used, but if you have some spare cash on your project, having a decent IDE will speed up things immensely. A Simulator and some debugging tools are well worth to have.

There are 4 different types of text message (class 0-3); Class 2 and 3 SMS are the hidden ones. Depending on the MNO and the cards they use, they can even write new instructions on the SIM over the air! You can also request a lot of interesting values from the handset, like IMSI, MCC, MNC, Cell ID, ... etc. In theory even Signal Strength and TA, but we've seen few handsets that returned something sensible.

The Sim Toolkit also allows your application to be event driven. Do something on every CellID change, or arrival of SMS Class n. You can also develop a very basic menu driven user interface. If you select one of the menus, it will kick off an event too.
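The two xrc comments above describe logging the SIM-to-handset traffic on a rooted phone or with a sniffer and note that it is a tag-length-value protocol. Here is a parser for the proactive commands in such a log that pulls out the command type, whether the command hides itself from the user, and the SMS destination, so that an unexpected SEND SHORT MESSAGE stands out. This is example code added here, not from the page or any vendor tool; the sample command is constructed, not captured from a real SIM.

```python
# Parser for SIM Toolkit proactive commands as logged between SIM and handset (BER-TLV,
# ETSI TS 102 223 / GSM 11.14). Example code added here; the sample command is constructed.
PROACTIVE_TAG = 0xD0
CMD_TYPES = {0x13: "SEND SHORT MESSAGE", 0x21: "DISPLAY TEXT", 0x25: "SET UP MENU",
             0x26: "PROVIDE LOCAL INFORMATION"}

def parse_tlvs(data):
    # Simple TLVs; the comprehension-required bit (0x80) is masked off each tag.
    out, i = [], 0
    while i < len(data):
        tag, length, i = data[i] & 0x7F, data[i + 1], i + 2
        if length == 0x81:                       # two-byte length form
            length, i = data[i], i + 1
        out.append((tag, data[i:i + length]))
        i += length
    return out

def decode_bcd_number(ton_npi, raw):
    # Reversed-nibble BCD (low nibble first), 0xF filler skipped; international TON gets '+'.
    digits = ["0123456789*#abc"[n] for b in raw for n in (b & 0x0F, b >> 4) if n != 0x0F]
    return ("+" if ton_npi & 0x70 == 0x10 else "") + "".join(digits)

def submit_destination(tpdu):
    # TP-Destination-Address of an SMS-SUBMIT TPDU (MTI == 01); None for other TPDU types.
    if tpdu[0] & 0x03 != 0x01:
        return None
    return decode_bcd_number(tpdu[3], tpdu[4:4 + (tpdu[2] + 1) // 2])

def parse_proactive(hexstr):
    # Summarise one proactive command: type, hidden-from-user flag, SMSC and destination.
    data = bytes.fromhex(hexstr)
    if data[0] != PROACTIVE_TAG:
        raise ValueError("not a proactive command")
    body = data[3:3 + data[2]] if data[1] == 0x81 else data[2:2 + data[1]]
    info = {"type_code": None, "type": "UNKNOWN", "hidden": False, "smsc": None, "destination": None}
    for tag, val in parse_tlvs(body):
        if tag == 0x01:                          # command details: number, type, qualifier
            info["type_code"] = val[1]
            info["type"] = CMD_TYPES.get(val[1], "UNKNOWN 0x%02X" % val[1])
        elif tag == 0x05 and not val:            # empty alpha identifier: terminal shows the user nothing
            info["hidden"] = True
        elif tag == 0x06:                        # address (the SMSC for SEND SHORT MESSAGE)
            info["smsc"] = decode_bcd_number(val[0], val[1:])
        elif tag == 0x0B:                        # SMS TPDU handed to the handset
            info["destination"] = submit_destination(val)
    return info

def flag_unexpected_sms(hexstr, allowed_destinations):
    # True when the SIM asks the handset to send an SMS to a number not on the allow-list.
    info = parse_proactive(hexstr)
    return info["type_code"] == 0x13 and info["destination"] not in allowed_destinations

# Constructed SEND SHORT MESSAGE: UICC -> network, empty alpha identifier, SMSC +15550001234,
# SMS-SUBMIT to +15559876543 carrying three bytes of 8-bit data.
SAMPLE = ("D026" "8103011300" "82028183" "8500" "8607915155001032F4"
          "8B10" "01000B915155896745F3000403414243")
```

Run over a captured log, an allow-list of the operator's own service numbers turns every other hidden SEND SHORT MESSAGE into an alert.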

Steve • February 14, 2014 8:26 AM

This is particularly concerning because all cell phone architectures give SIM access to the GSM module independent of the smart phone processor completely bypassing the phone OS. SIM cards have an independent processor, can run apps, and directly access the wireless chipset.

I remember seeing a conference a few years back, before it was picked up by Karsten Nohl, where 3 young hackers presented for the first time at a conference how they had made a small bulk purchase of SIM cards and figured out how to install apps on them. Can't find the video :/

One interesting fact they had mentioned was that there are no good cheap development kits for smartcards. There are also some interesting dynamics. They were saying that there was a move by mobile providers to provide financial transaction apps via SIM to help them control the mobile app environment. Clearly with gapps and itunes that's become a useless approach.

Mike the goat • February 15, 2014 6:35 AM

xrc: thanks... Yeah this was particularly concerning re the SIM potentially responding to an SMS with information that could further betray the privacy of the user. Let's face it - in an urban environment where there are lots of cells deployed the MNO would have a fair idea as to the location of the user.

So - we already know that even without our handsets betraying us with actively sending GPS or other location assisting information. What interests me more is the entire stack and what other implications there are. Given that only a handful of manufacturers produce GSM base station equipment I would love to see how this equipment would respond to, uh, malicious transmissions... Duplicate IMEIs, a flurry of malformed tx's to the SMSC, etc.. Basically take the spec and murder it to see what happens. Now of course testing on real world equipment would probably contravene several federal comms laws, but I suspect that there are some interesting vulnerabilities to be discovered in how this proprietary equipment handles unusual traffic...

Expanding upon this thought - and this is especially relevant in countries that have a single incumbent telephone provider who is likely using the same manufacturer's equipment at each site - imagine that one found a particular action that rendered any part of the chain inoperable. With strategically placed "evil" radios you could potentially take out an entire area's cellular communications.
