Does the Skinny SimCard to be deployed by Equity Bank pose a threat?


In April this year, the Communications Authority of Kenya (CAK) announced that it had awarded three MVNO (Mobile Virtual Network Operator) licenses. One of the recipients is Finserve Africa Limited, a subsidiary of Equity Bank, one of the largest and fastest growing banks in Kenya.

In July, Equity Bank launched its services, revealing a joint venture with Airtel Kenya. In this venture, Equity is the MVNO and Airtel the MNO (Mobile Network Operator). What this means is that Equity will not lay any infrastructure and will instead use 60% of Airtel’s infrastructural capacity to deliver its services. Equity also revealed the technology that it will use to counter the challenges faced by many Kenyans, mainly with regard to the use of SIM cards and number porting, which never took off. This was mainly because a lot of Kenyans have to rely heavily on M-PESA mobile money and are thus in effect locked to one network.

Equity chose to use a technology that was invented in China nearly a decade ago to counter this challenge as well as offer other benefits and services to its customers. Often referred to as the skinny SIM, paper-thin SIM, wafer SIM or slim SIM, this is a technology that has the potential to completely disrupt the telecommunications industry in Kenya.

According to the Startup Academy, Equity will introduce paper-thin SIM cards that customers will use to access its services. It plans to issue free SIM cards to its 8.7 million customers. You do not need to have another phone or a phone with dual SIM card capabilities to use the Equity SIM card. You do not have to migrate to Equity’s network to use its mobile banking services. This SIM card will work alongside your current SIM card, regardless of your mobile phone service provider.

The skinny SIM gets married to the existing card and turns your phone into a dual-SIM phone although it has only one slot. If somebody calls you on your Equity line, you can pick it up, and if they call your other network, you can do the same.

You can now see why Safaricom has become jittery about this. Safaricom alleges that the Skinny SIM poses a danger to its M-PESA service, as it can be used to carry out ‘man-in-the-middle’ attacks on the M-PESA service and reveal the M-PESA PIN and other transaction details. To support this allegation, Safaricom engaged the GSM Association (GSMA) to echo these concerns. As Tom Makau clearly states in his article on the same, GSMA is an association of the willing and represents the interests of the mobile operators. Therefore, there is no way GSMA would have contradicted the claims by Safaricom.

We therefore decided to engage one of our Hacker Cyber Security Evangelist friends to carry out a test to determine the following:

1. Is the skinny SIM secure?

2. Is it capable of carrying out a MITM (man-in-the-middle) attack?

3. What vulnerabilities in the existing GSM SIM cards can it exploit?

PS. Below is a technical analysis of the Skinny SIM; it is Part 1 of a 3-part series on the same. The section below is a verbatim breakdown by our friend Asepm (not his real name).

I am not an enforcer, sadly… that’s why I break things to find out how they tinker, what makes x itself and why if you add y to it, what will happen, so I took a challenge, well not really a challenge if you are having major fun debugging an entire system that is built on theories of what ifs and what it can or can’t do….

Well disclaimer: I don’t mind critics, I also don’t mind opinions … I however do mind and have major issues with obscure reports, hypothesis and unfounded information so to clarify where I stand in thin-sim / slim-sim I will push this to the limit hence here we go.

I am a researcher (security and philosophy) and hence my rants and findings are to help us understand this technology better.

The following components have been identified:

• Handset – The handset comprises the cell phone and will be operated by the user.

• User Land application – A User Land application is an optionally downloadable application, which can be installed on the handset. These application(s) are used in the Vodafone Wallet-related scenarios.

• Handset Operating System – The Handset Operating System contains all standardized access mechanisms to the SIM Card and its features. These are the SIM Toolkit application and USSD (Unstructured Supplementary Service Data).

  ◦ Secure Access Layer – The Secure Access Layer of the Handset’s Operating System allows a User Land application to establish a communication channel to applets with the SIM Card. The Secure Access Layer is responsible for enforcing the access restrictions as defined in the “NFC Handset APIs Requirement Specification”.

• SIM Card – The SIM Card is a classical SIM, which provides the standardized GSM-related interfaces and the two different applet applications, which are:

  ◦ SIM Toolkit application (used within Mobile Money-related use cases)

  ◦ Mobile Wallet applet (a Java-based set of applications, which are executed within the Global Platform 2.2 environment)

• Thin SIM – The ThinSIM product introduces new risks to the existing ecosystem. It consists of two distinct sets of connectors which allow the interception and manipulation of the communication stream to the SIM Card based on the implemented ThinSIM logic.

• Carrier – Mobile service provider. This consists of data, SMS and voice and maybe any other provided service such as mobile payment services.


Thin Sim is not new

Thin-sim is an appliance that has already existed in Kenya long before the introduction and hype, so what has it done this time that it hasn’t before? Well, it has brought competition. See, no one opposed it when it was being used as a simple unlock method as the famous Gevey card. Say what… yes, the Gevey card was a simple method to unlock iPhone devices that had not fully matured out of their contracts. Well, that worked out for the clients and obviously the mobile service providers that the clients wanted to join, and no one did a review on them as GSMA wants, so what’s the big hullabaloo? Well, I will be sure to write up on that later on. For now, let’s focus on the technical aspect.

This is how slim-sim is supposedly going to affect the existing Mobile/STK (Sim Tool Kit) applications:

USSD-Tier 1
The USSD calls and exchanged messages can be observed by the ThinSIM product. It will be able to access the PIN, which is used for authentication purposes.

USSD-T2
The ThinSIM product can initiate transactions on behalf of the user without any notification.

STK-T1
The messages from the SIM Toolkit applet to the Vodafone backend can be tampered with.

STK-T2
The input sent to the SIM Toolkit applet can be intercepted and tampered.

STK-T3
The ThinSIM product can eavesdrop on the PIN used for authentication.

STK-T4
The ThinSIM product can simulate user behavior and conduct transactions without any user notification.

These are the prevalent attacks/insecurities suggested on the SIM application from the thin-sim. Well, I won’t argue and say this is false. As a matter of fact, it’s very possible this exists and can be done. Then again, the recent iCloud hacking taught us an important lesson: no technology lacks vulnerabilities or is hack proof.
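An added illustration of the STK-T1 item above (not part of Asepm's analysis and not any operator's code): if the SIM Toolkit applet authenticates each message with a key shared only with the backend, the backend can reject messages that were altered or replayed on the handset-to-SIM path. The key, message layout, field names and phone number are constructed assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # assumption: provisioned in both applet and backend
TAG_LEN = 8                    # truncated tag, short enough for an SMS-sized message

def applet_seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Applet side: prefix a 4-byte counter, append a truncated HMAC-SHA256 tag."""
    body = struct.pack(">I", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Backend:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, message: bytes):
        """Return the payload if the message is authentic and fresh, else None."""
        if len(message) < 4 + TAG_LEN:
            return None
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # altered in transit (STK-T1)
        (counter,) = struct.unpack(">I", body[:4])
        if counter <= self.last_counter:
            return None                      # replayed or reordered message
        self.last_counter = counter
        return body[4:]

def interposer_modify(message: bytes) -> bytes:
    """Stand-in for a device between handset and SIM that changes one field."""
    return message.replace(b"AMT=100", b"AMT=900")

def demo() -> dict:
    backend = Backend(KEY)
    msg = applet_seal(KEY, 1, b"TO=0700000000;AMT=100")  # constructed sample
    return {
        "modified": backend.accept(interposer_modify(msg)),
        "untouched": backend.accept(msg),
        "replayed": backend.accept(msg),
    }

if __name__ == "__main__":
    print(demo())
```

This covers only tampering with applet-to-backend messages; it does not address STK-T2 to STK-T4, where the ThinSIM sits between the user's input and the applet.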

(Image courtesy: http://www.kenyamobi.com/)


2 comments

  1. mugzz

    Nice article! I agree that all these vulnerabilities are possible, but as GSMA said, only if the cards are of poor quality, or intentionally designed to make these exploits. We should allow a quality assurance team to run tests and if found OK, they should be given the go-ahead to deploy. Let’s not stifle technology & innovation.
