Securing SIM access

The SIM is used for security critical services. The card holds secret keys and sub- scriber information that must be well protected. The smart card technology pro- vides tamper resistance protection. However, the interface to the card is not protected in any other way than that the card is “opened” with a secret PIN. Once the card is opened, it will perform most tasks that are requested (some tasks may require a second PIN to be entered). The SIM access profile allows the card “interface” to be extended over the Bluetooth link. Consequently, it is very important that the wireless link is well protected. We will describe the security mechanism mandated by the profile [11] and also discuss additional security measures that SIM access profile implementers should take.

SIM access mandates the following:

SIM Wireless network SIM access server with SIM card Bluetooth link

SIM access client with network access

WLAN or cellular link

• Security mode 2 or 3 shall be used.

• The client and server must be paired before they set up a SIM access connection.

• A pass-key with length of at least 16 decimal digits shall be used at the pairing. Furthermore, fixed pass-keys are not allowed.

• The server shall always authenticate the client.

• The Bluetooth link between the client and server shall always be encrypted and the key length shall be at least 64 bits.

These requirements ensure a good basic security level for the SIM access connection, since it is not so easy to do a brute force attack on a 16-digit pass- key. Furthermore, the Bluetooth authentication and encryption algorithms are sufficiently strong (see Chapter 7). However, a 64-bit encryption key is a little bit too short, and whenever possible a 128-bit key is recommended instead. Entering a 16-digit pass-key can be cumbersome for the user. Actually, users tend to choose low entropy pass-key values when such a long string as 16 digits is required. A better approach than having the user choose the pass-key is to let the server generate the pass-key value and display it to the user. The user then enters the same value into the client device. The pass-key needs to be generated by choosing the pass-key bits uniformly and at random. The improved pairing that we described in Chapter 9 does not have the problem with entering a long pass-key and suits well also for the SIM access profile.

The security required by the SIM access profile gives the necessary basic protection for the message exchange between the client and server. However, there are additional security measures that need to be taken in order to avoid introducing security holes in the SIM access implementation. One of the prob- lems is that in an implementation that just follows the specification, all messages from the client to the server will be accepted and forwarded to the SIM. This is a potential security risk for the sensitive functions in the subscription module. All functions will be available for the remote device, that is, the SIM access client. This device might have been compromised in some way or it might have been infected by a virus or other harmful software. Hence, there must be a way for the server to restrict the access to the subscription module.

This can be achieved if, at the security pairing, the server selects the set of services in the SIM that the client should be allowed to access. The set of services can be a default set, or the server may ask the owner of the server device to decide which services the client should be allowed to access. This should be a subset that limits the damage in case of a compromised client. Then the record of allowed services should be stored in a special and protected access control database. When the client has been authenticated against the server, a filtering

process or a security filter will check all messages from the client to the subscrip- tion module, as is illustrated in Figure 10.7. The filter makes sure that only mes- sages allowed according to the access database are forwarded to the subscription module.

Another security problem with the SIM access profile is that the PIN needed to open the SIM is sent from the client to the server. This means that if the client device is untrusted or infected by malicious software, the PIN for the card can be intercepted by a third party. To avoid this, the access filter in Figure 10.7 shall not accept PIN commands from the client, but demand the SIM to be opened from the server device. Then the user must enter the SIM PIN into the trusted server device before the SIM access profile connection is set up. Clearly, this implies that a proper input interface must be present at the SIM access server.

References

[1] Bluetooth Special Interest Group,Bluetooth Security White Paper, Version 1.0, 19 April 2002.

[2] Gehrmann, C., and K. Nyberg, “Enhancements to Bluetooth Baseband Security,”Proc.

Nordsec 2001, Copenhagen, November 2001, pp. 39–53.

[3] Bluetooth Special Interest Group,Specification of the Bluetooth System, Version 1.1, Profiles,

Part K:6 Headset Profile, February 2001.

[4] Bluetooth Special Interest Group,Specification of the Bluetooth System, Version 1.0, Per-

sonal Area Networking Profile, February 2003.

[5] Bluetooth Special Interest Group,Specification of the Bluetooth System, Version 1.0, Blue-

tooth Network Encapsulation Protocol (BNEP) Specification, February 2003.

Server Security filter Client Access control database Check if access is granted? M SIM If OK, forward M to SIM M Response

[6] IEEE, IEEE Std., 802.1x-2001, Version 2001, Port-Based Network Access Control, June 2001.

[7] Dierks, T., and C. Allen,The TLS Protocol, Version 1.0, RFC 2246, January 1999. [8] Kent, S., and R. Atkinson,IP Encapsulating Security Payload (ESP), RFC 1827, November

1998.

[9] 3rd Generation Partnership Programme,3GPP TS 11.11, Specification of the Subscriber

Identity Module Mobile Equipment (SIM-ME) Interface, Version 8.10.0, September 2003.

[10] International Organization for Standardization, ISO/IEC 7816-3 Information Technol- ogy—Identification Cards Integrated Circuit(s) Cards with Contacts—Part 3: Electronic Sig-

nals and Transmission Protocols, 2nd ed., 1997.

[11] Bluetooth Special Interest Group,Specification of the Bluetooth System, Version 0.95, SIM

Throughout the book, several terms have been used. Some are commonly used within the field of security research, while other terms are specifically related to Bluetooth. Below we give short definitions for all of these.

Active wiretapper A wiretapper that is capable of injecting and modifying

messages at will.

Ciphertext Data protected through the use of encipherment. The semantic

context of the resulting data is not available.

Claimant The entity that claims to be a specific peer entity, that is, claiming a

specific identity.

Connectable A Bluetooth device that regularly performs a page scan, and

therefore can be reached by other devices knowing its device address.

Denial-of-service (DoS) attack The prevention of authorized access to

resources or the delaying of time-critical operations. The resulting system degra- dation can, for example, be the result of the system being fully occupied by han- dling bogus connection requests.

Discoverable A Bluetooth device that regularly performs inquiry scanning and

therefore can be detected by other devices.

Eavesdropper Seepassive wiretapper.