MONKEYCALENDAR: NSA Exploit of the Day
Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:
MONKEYCALENDAR
(TS//SI//REL) MONKEYCALENDAR is a software implant for GSM (Global System for Mobile communication) subscriber identity module (SIM) cards. This implant pulls geolocation information from a target handset and exfiltrates it to a user-defined phone number via short message service (SMS).
(TS//SI//REL) Modern SIM cards (Phase 2+) have an application program interface known as the SIM Toolkit (STK). The STK has a suite of proactive commands that allow the SIM card to issue commands and make requests to the handset. MONKEYCALENDAR uses STK commands to retrieve location information and to exfiltrate data via SMS. After the MONKEYCALENDAR file is compiled, the program is loaded onto the SIM card using either a Universal Serial Bus (USB) smartcard reader or via over-the-air provisioning. In both cases, keys to the card may be required to install the application depending on the service provider’s security configuration.
Unit Cost: $0
Status: Released, not deployed.
Page, with graphics, is here. General information about TAO and the catalog is here.
In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
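On the "how might we detect it" question, the useful observation is that a SIM has no radio of its own: the location query and the exfiltration SMS the catalog describes both have to cross the SIM-handset interface as STK proactive commands (PROVIDE LOCAL INFORMATION, then SEND SHORT MESSAGE), which a hardware SIM sniffer such as Osmocom SIMtrace can capture. Below is an added example, not code from the catalog entry or from this post, that decodes those commands and the handset's TERMINAL RESPONSE and flags the pattern. Encodings follow ETSI TS 102 223 and 3GPP TS 23.040; the trace, the phone numbers and the operator allowlist are constructed placeholders for the example.

```python
"""Added example: decode STK proactive commands (ETSI TS 102 223) and the
SMS-SUBMIT TPDU (3GPP TS 23.040) to spot a SIM that queries the handset's
location and then sends an SMS to a number the operator does not use."""
from __future__ import annotations

# Type-of-command values (TS 102 223, section 9.4) relevant here.
CMD_SEND_SHORT_MESSAGE = 0x13
CMD_PROVIDE_LOCAL_INFO = 0x26
# Simple-TLV tags with the comprehension-required bit (0x80) masked off.
TAG_COMMAND_DETAILS, TAG_SMS_TPDU, TAG_LOCATION_INFO = 0x01, 0x0B, 0x13
BCD_DIGITS = "0123456789*#abc"  # nibble 0xF is filler


def parse_simple_tlvs(data: bytes) -> list[tuple[int, bytes]]:
    """Split a run of simple TLVs: 1-byte tag, length byte (0x81 prefix if > 127)."""
    tlvs, i = [], 0
    while i < len(data):
        tag, length, i = data[i] & 0x7F, data[i + 1], i + 2
        if length == 0x81:
            length, i = data[i], i + 1
        tlvs.append((tag, data[i:i + length]))
        i += length
    return tlvs


def parse_proactive_command(raw: bytes) -> dict[int, bytes]:
    """Unwrap the BER-TLV envelope (tag D0) returned to FETCH and index its TLVs by tag."""
    if raw[0] != 0xD0:
        raise ValueError("not a proactive command")
    body = raw[3:3 + raw[2]] if raw[1] == 0x81 else raw[2:2 + raw[1]]
    return dict(parse_simple_tlvs(body))  # assumes each tag appears once, as in these commands


def decode_bcd(data: bytes) -> str:
    """Swapped-nibble BCD as used for phone numbers; the low nibble is the earlier digit."""
    return "".join(BCD_DIGITS[n] for b in data for n in (b & 0x0F, b >> 4) if n != 0x0F)


def sms_submit_destination(tpdu: bytes) -> str | None:
    """TP-Destination-Address of an SMS-SUBMIT TPDU (TS 23.040, 9.2.2.2); None for other types."""
    if (tpdu[0] & 0x03) != 0x01:  # TP-MTI 01 = SMS-SUBMIT
        return None
    ndigits, ton_npi = tpdu[2], tpdu[3]
    digits = decode_bcd(tpdu[4:4 + (ndigits + 1) // 2])[:ndigits]
    return ("+" if (ton_npi & 0x70) == 0x10 else "") + digits  # TON 001 = international


def decode_location_info(info: bytes) -> dict:
    """Location Information TLV (TS 102 223, 8.19): MCC/MNC in TS 24.008 LAI order, LAC, Cell ID."""
    mcc = f"{info[0] & 0xF}{info[0] >> 4}{info[1] & 0xF}"
    mnc3 = info[1] >> 4  # 0xF means a two-digit MNC
    mnc = f"{info[2] & 0xF}{info[2] >> 4}" + ("" if mnc3 == 0xF else f"{mnc3}")
    return {"mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(info[3:5], "big"), "cell_id": int.from_bytes(info[5:7], "big")}


def analyze_trace(trace: list[tuple[str, str]], operator_numbers: set[str]) -> list[tuple]:
    """Walk (direction, hex) records and report the location-then-SMS pattern.

    SIM>ME records are FETCH responses (proactive commands); ME>SIM records are
    TERMINAL RESPONSE APDUs (INS 14; CLA 80 for a UICC, A0 for a GSM 11.11 SIM)."""
    findings = []
    for direction, hexstr in trace:
        raw = bytes.fromhex(hexstr)
        if direction == "SIM>ME" and raw[0] == 0xD0:
            tlvs = parse_proactive_command(raw)
            cmd_type, qualifier = tlvs[TAG_COMMAND_DETAILS][1], tlvs[TAG_COMMAND_DETAILS][2]
            if cmd_type == CMD_PROVIDE_LOCAL_INFO and qualifier == 0x00:  # 00 = location information
                findings.append(("location_request", None))
            elif cmd_type == CMD_SEND_SHORT_MESSAGE:
                dest = sms_submit_destination(tlvs[TAG_SMS_TPDU])
                if dest not in operator_numbers:
                    findings.append(("sms_to_unknown_number", dest))
        elif direction == "ME>SIM" and raw[0] in (0x80, 0xA0) and raw[1] == 0x14:
            tlvs = dict(parse_simple_tlvs(raw[5:5 + raw[4]]))
            if TAG_LOCATION_INFO in tlvs:
                findings.append(("location_reported", decode_location_info(tlvs[TAG_LOCATION_INFO])))
    return findings


# Constructed trace (not a real capture): the SIM asks for location, the handset
# answers MCC 310 / MNC 410 / LAC 0x1234 / Cell ID 0xABCD, then the SIM asks the
# handset to send an 8-bit-data SMS carrying those seven bytes to +15551234567
# via SMSC +15550000001. Both numbers are placeholders.
SAMPLE_TRACE = [
    ("SIM>ME", "D009810301260082028182"),
    ("ME>SIM", "8014000015810301260082028281830100" "93071300141234ABCD"),
    ("SIM>ME", "D0288103021300820281838607915155000000F1"
               "8B1401000B915155214365F70004071300141234ABCD"),
]
OPERATOR_NUMBERS = {"+15550000001"}  # placeholder allowlist: numbers the operator's own STK apps use

if __name__ == "__main__":
    for finding in analyze_trace(SAMPLE_TRACE, OPERATOR_NUMBERS):
        print(finding)
```

Two caveats on using this as a detector. The allowlist has to come from the operator, since legitimate STK applets (roaming menus, balance queries) also issue SEND SHORT MESSAGE; and an implant need not ask for location by qualifier 00 only, since PROVIDE LOCAL INFORMATION can also return network measurement results (qualifier 02) or timing advance (05), which together with the serving cell give a finer fix. The network is the other choke point: the operator sees an SMS-SUBMIT from the subscriber to the exfiltration number, which is where Schneier's "user-defined phone number" would show up in billing records.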
Clive Robinson • February 14, 2014 4:51 PM
The key detail here is,
“...the program is loaded onto the SIM card using either a Universal Serial Bus (USB) smartcard reader or via over-the-air provisioning. In both cases, keys to the card may be required to install the application depending on the service provider’s security configuration.”
Some SIMs have reasonable-quality crypto; others have single DES or security holes large enough to push a tank through.
Approximately 1/6 of SIM cards are easily crackable today; back then it would have been over a third.
Further, contrary to expectation, not all service providers are that concerned about the security of SIM keys, which means “implanted employees” or “overnight black bag jobs” will get copies of them.
All that then has to happen is for the handset to associate with a “cell tower” controlled by the attacker, and out goes the OTA message.
As has been indicated before, a couple of hundred bucks will buy you a pico-cell and the other bits (amp, directional antennas, etc.) to get the person in their home or office.
Alternatively, a SIM can be “cloned” and just swapped by an operative who can get access to your phone for a couple of minutes. This works very effectively when a person is not using their “home network”, so if “customs/immigration” borrow your phone, assume it’s been “owned”…