[liberationtech] New Satphone Safety Guide
Jacob Appelbaum
jacob at appelbaum.net
Wed Mar 21 22:00:08 PDT 2012
On 03/21/2012 09:19 PM, Collin Anderson wrote:
> Would anyone in this conversation be so kind as to satisfy a tangential
> curiosity of mine. The case of Alan Gross in Cuba seems so wrapped up in an
> under-explained and over-hyped piece of equipment:
>
>> On his final trip, he brought in a "discreet" SIM card -- or subscriber
>> identity module card -- intended to keep satellite phone transmissions from
>> being pinpointed within 250 miles (400 kilometers), if they were detected
>> at all.
>
>
> http://www.businessweek.com/ap/financialnews/D9SSHGPG2.htm
>
> Beyond the obvious issues with that statement; does anyone know what they
> are referring to?
>
Whoa - I had not caught that part of the story with Alan Gross... I
wonder how he got his hands on the SIM? I've tried to get them and it's
non-trivial. It requires either favors, a trade or basically a ton of
cash from the "right" group of people.

My understanding is that there are some special SIM cards that have two
unique properties that matter for location privacy. The first property
is that the HLR database knows that the SIM is special and so it will
authorize a connection without a GPS location in the initial uplink. The
second is that the device (phone, modem, etc) firmware knows that this
SIM is special by checking some field on the SIM itself and so it won't
send the GPS coordinates but rather the spot beam. We can easily
discover what the field is with a SIMTrace[0] tap if we acquire one of
these SIMs.

My understanding is that the firmware still fetches the GPS coordinates.
It then looks up the GPS location in a coverage table of all spot beams
for the planet and then the firmware returns the spot beam where the GPS
coordinates are located. The device then sends the spot beam into space,
etc.

A few years ago I found some public data on this and I think the company
offering these SIMs in public is Deltawave[1] - I haven't however found
an obvious way to buy them on their website. This is also very specific
to BGAN and it is quite clearly a network by network, firmware by
firmware specific information.

In theory if we capture the setup with a discreet SIM with SIMTrace, we
can MITM a normal BGAN SIM and fake a discreet SIM response with just
a few dollars of hardware. The network might reject it, obviously. But
hey, if anyone has a discreet SIM sitting around, I'd be more than happy
to see if it works in a country where it is legal to not send the GPS
location of the device.

Alternatively, one could pick a BGAN device and build a GPS MITM tool
for the actual hardware without any such special SIM...
All the best,
Jacob
[0] http://www.sysmocom.de/products/simtrace
[1] http://www.deltawavecomm.com/
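As an added illustration of the location-coarsening step Jacob describes (firmware resolves a GPS fix to a spot beam and, with a "discreet" SIM, transmits only the beam identifier), not code from the thread or from any BGAN vendor: the beam table, footprint radii and uplink field names below are constructed assumptions, not real Inmarsat beam geometry.

```python
import math

# Constructed example beam table: (beam_id, center_lat, center_lon, radius_km).
# Real BGAN spot beams are not circles; these values are placeholders only.
SPOT_BEAMS = [
    ("BEAM-A", 23.1, -82.4, 400.0),   # roughly the western Caribbean
    ("BEAM-B", 40.7, -74.0, 400.0),   # roughly the US north-east
    ("BEAM-C", 51.5, -0.1, 400.0),    # roughly the British Isles
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points (degrees), in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def resolve_spot_beam(lat, lon, beams=SPOT_BEAMS):
    """Return the id of the nearest beam whose footprint covers (lat, lon), or None."""
    best_id, best_dist = None, None
    for beam_id, clat, clon, radius_km in beams:
        d = haversine_km(lat, lon, clat, clon)
        if d <= radius_km and (best_dist is None or d < best_dist):
            best_id, best_dist = beam_id, d
    return best_id


def build_uplink(lat, lon, discreet_sim):
    """Model the two firmware paths: the normal SIM sends the GPS fix alongside
    the beam id; the discreet SIM sends the beam id only, so the network learns
    nothing finer than the beam footprint (hundreds of km across)."""
    beam = resolve_spot_beam(lat, lon)
    if beam is None:
        raise ValueError("no spot beam covers this position")
    if discreet_sim:
        return {"beam": beam}  # no coordinates leave the terminal
    return {"beam": beam, "gps": (round(lat, 5), round(lon, 5))}
```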