Cellular carriers hate this trick: Using SIM tunneling to travel at light speed
Adrian “atrox” Dabrowski, CISPA Helmholtz Center for Cybersecurity, He/Him/They/Them
Gabriel K. Gegenhuber, University of Vienna & SBA Research, He/Him/They/Them
Tool, Exploit
45
Cellular networks form large complex compounds for roaming purposes. Thus, geographically spread testbeds for measurements and rapid exploit verification are needed to do justice to the technology's unique structure and global scope. Additionally, such measurements suffer from a combinatorial explosion of operators, mobile plans, and services. To cope with these challenges, we are releasing an open-source framework that geographically decouples the SIM (subscription) from the cellular modem by selectively connecting both remotely. This allows testing any subscriber with any operator at any modem location within seconds without moving parts. The resulting measurement and testbed platform "MobileAtlas" offers a scalable, controlled experimentation environment. It is fully open-sourced and allows other researchers to contribute locations, SIM cards, and measurement scripts.
Using the above framework, our international experiments in commercial networks revealed exploitable inconsistencies in traffic metering, leading to multiple data "phreaking" opportunities ("free-ride"). We also expose problematic IPv6 firewall configurations, hidden SIM card communication to the home network, and fingerprint dial progress tones to track victims across different roaming networks and countries with voice calls.
Adrian Dabrowski wrote his PhD about large infrastructures, including the identification of fake base stations (“IMSI Catchers”). Before his PhD, he was a founding member of two hackerspaces in Vienna, Austria, and on the board of one of them.
@atrox_at
https://www.ics.uci.edu/~dabrowsa/
Gabriel Gegenhuber is a PhD candidate in Vienna, Austria. Gabriel is conducting research in the area of cellular and mobile networks. This includes Internet measurement technologies, traffic classification systems (e.g., deep packet inspection), and technical measures that are used to detect net neutrality and privacy violations.
@GGegenhuber
https://informatik.univie.ac.at/Gabr...arl.Gegenhuber
REFERENCES:
Gabriel K. Gegenhuber, Wilfried Mayer, and Edgar Weippl. Zero-Rating, One Big Mess: Analyzing Differential Pricing Practices of European MNOs. In IEEE Global Communications Conference (GLOBECOM), 2022
Gabriel K. Gegenhuber, Wilfried Mayer, Edgar Weippl, Adrian Dabrowski. MobileAtlas: Geographically Decoupled Measurements in Cellular Networks for Security and Privacy Research. In Proceedings of the 32nd USENIX Security Symposium, 2023.
David Allen Burgess. What is AT&T doing at 1111340002? Welcome to the magical world of proactive SIMs. 2021. https://medium.com/telecom-expert/wh...2-c418876c212c
David Allen Burgess. More Proactive SIMs. 2021. https://medium.com/telecom-expert/more-proactive-sims-f8da2ef8b189
OSMOCOM. Simtrace 2. https://osmocom.org/projects/simtrace2/wiki
osmocom.org. pySim-prog - Utility for programmable SIM/USIM-Cards. https://osmocom.org/projects/pysim/wiki
The MONROE Alliance. Measuring Mobile Broadband Networks in Europe. https://www.monroe-project.eu
