You would be surprised at the number of places you can find a GSM SIM card. Outside of your mobile phone, they can be found in power meters, water meters, vending machines, etc. These SIM cards (virtually identical to the one in your mobile phone) are used for machine-to-machine communication. Essentially all of these devices need to make mobile phone calls to other machines, usually for billing.
Machine-to-Machine Fraud/Theft of Service
Because it’s just machines talking to other machines, they don’t really need a voice plan and most if not all of their usage will be data. If the idea of “borrowing” the SIM card from the power meter outside your house for a few “free” downloads crossed your mind, you wouldn’t be the first. But consider the story of a woman in Tasmania who received a SIM card stolen from a power meter and used it to download movies for four months. She eventually destroyed the SIM card, yet the police tracked her down due to the large number of personal calls she had made with her mobile phone. She received six months in jail followed by two years of probation and was ordered to repay the power company nearly US$200,000 for all the data used.
Cars with Smartphones: Telematics, Diagnostics, and Attackers
Power meters aren’t the only devices that need their own smartphones. TV commercials by auto manufacturers show a man calling his wife, before her airplane takes off, to ask her to remotely unlock the doors of their car. Remote unlocking, engine starting, GPS/mapping, vehicle recovery, and crash assistance are features of what are known as telematics systems. Usually you would pay a monthly fee to the manufacturer to have access to all these features. In some cases you can get diagnostic output from car sensors emailed to you.
Crash assistance is usually handled by the car calling a center run by the manufacturer. In the movie “Live Free or Die Hard,” actor Justin Long portrays a computer hacker who social-engineers the call center agent into remotely starting the car. That was Hollywood; yet at the recent Black Hat USA conference, security researchers Don Bailey and Mat Solnik expanded on earlier research to locate and attack car telematics systems.
Their previous research involved using mobile phone databases to help in identifying and locating specific mobile phones. The new research involves using those same mobile databases to locate machine-to-machine devices. The researchers were able to determine a given device had a machine-to-machine SIM card because it would not answer a voice call. This is similar to war dialing, in which an attacker dials a block of telephone numbers until he locates a computer modem instead of a live person.
Bailey and Solnik also figured out that telematics systems used machine-to-machine SIM cards to dial home and provide most of their remote services. By fuzzing binary or system text messages, the “attackers” were able to determine which messages would allow them to remotely unlock and start a particular model of car. They were basically replicating what that man’s wife did in the commercial–just without authorization. Fortunately they’re responsible researchers and not car thieves; they’re working with the car manufacturer to remedy this vulnerability.
These war-texting/text-fuzzing attacks aren’t the only ways to attack cars. The Center for Automotive Embedded Systems Security (CAESS), a joint venture of two universities, has demonstrated an attack involving inserting a CD with malicious (WMA) audio files into the stereo and taking over the automobile’s Engine Control Unit computer. The team succeeded in shutting down a running car by controlling the engine. Starting a car and shutting a car down remotely are both useful attacks, but they also managed to create a botnet that accepts commands and can exfiltrate data to the attacker using the machine-to-machine data connection.
As devices get smarter and more connected, we’re going to see more attacks targeted at them. The good news is that with researchers such as Bailey and Solnik we’ll be better prepared when these attacks eventually arrive.