Hacker News Re-Imagined

What is AT&T doing at 1111340002?

  • 1185 points
  • 14 days ago
  • posted by @mperham


@0cVlTeIATBs 14 days

Replying to @mperham

When I read about "binary blobs" present in electronics like in a SIM, a baseband processor, or DDR memory controller or CPU management engine, the risks they pose seem distant. This opens my eyes a bit to the fact that they actually do phone home, hidden from and unblockable by the OS.


@nulbyte 14 days

Replying to @mperham

> what a telecom engineer would call an “NANP E.164”.

NANP and E.164 are standards. NANP stands for North American Numbering Plan. E.164 is the international analog to NANP for public numbers. No telecom engineer would call a number an "NANP E.164." The number of a network element like an SMSC is simply called an address.


@sdoering 13 days

Replying to @mperham

I am wondering if this is also happening in the EU or with customers from the European Union. The provider would probably put something to the effect of "we can do what we want" into their fine print.

But I am not sure if this is legally clear cut under the regulations of the GDPR.


@Scoundreller 13 days

Replying to @mperham

Now somebody needs to create a shim/blocker board.

Some shims already exist that intercept phone<->SIM comms for carrier unlocking and ???

https://www.geveypro.com/

https://www.dhgate.com/product/ios14-x-5g-unlocking-turbo-si...


@fortran77 14 days

Replying to @mperham

It's interesting that this message even came up when the user's messages were subpoenaed. This was not in the set of "user messages" and a case could be made for not including it at all.


@easton 14 days

Replying to @mperham

I was wondering how AT&T knew I got a new phone when I just moved my SIM over. That seems like an overcomplicated way to do that. Seems like when it does the initial handshake with the network the different IMEI would be enough (unless this is the initial handshake).


@ChrisMarshallNY 13 days

Replying to @mperham

It should be interesting to see what voice-sent messages will do to "driving while txting" charges/lawsuits.

I have an iPhone. I often send "Siri-texts" while driving ("Hey Siri, send a text to my wife, saying that I will be home in fifteen minutes.").

There's no way to tell, upon reviewing the conversation, whether or not the text was sent by hand, or by voice.


@WaitWaitWha 13 days

Replying to @mperham

It is always a pleasure to watch the young ones rediscover the world. :D

Yes, carriers should be more transparent. Yes, even in general IT circles, this is not well known. This is known and not surprising in digital forensics circles. You should have seen the SS7 shenanigans!

I have a special corner in my heart for AT&T. The dark, dank, where-all-my-monsters-live corner. Once, I asked them to send me telco logs; they sent me 30-some CDs with the logs, but only origination details. Then, on further legal nudging, they sent me the other half, again on 30-some CDs. 60 CDs. They didn't even fill the discs, so the entire DB ended up being ~17GB.


@numair 13 days

Replying to @mperham

Ahh, this is so useful that it's at the top of HN.

We've (probably) arrived at one of those "hidden" dominant operating systems out there in the world: JavaCard OS. It's not just (probably) in your cell phone SIM, it's also (probably) in your credit cards. Add all of those devices up, and you realize that, in a weird way, if aliens were to inspect the activity of humans, they'd say, "the humans seem to be using some sort of weird thing they call 'JavaCard OS' to run their society."

If anyone is a JavaCard OS master, shoot me an email - numair@numair.com. I'm having some IC card issues that could use some external input...

In terms of the linked article, I think this part makes it clear what's going on, if we are to take an innocent view on things:

> After the lab work, deposition of an AT&T employee revealed that the only other trigger is a firmware update of the baseband processor. That is also consistent with the SIM requesting the IMEISV, since the “SV” part means “software version”, and it is updated every time the baseband processor loads new firmware. In this particular case, the phone had recently downloaded an update that included new baseband firmware. That was almost certainly the trigger for this message.

If I were a network engineer, I'd probably want a way to figure out whenever someone's putting new equipment on my network. This is a brilliantly sneaky way to do it. There are probably other uses for this, though, and you can imagine that your favorite intelligence agencies have thought about it long before it showed up in a Hacker News article...


@unethical_ban 13 days

Replying to @mperham

This is something at home in the pages of 2600 Magazine. I didn't know the SIM could send things without the main OS knowing.

Could that SimTrace2 device be used as a kind of firewall to prevent the SIM from acting independently of the phone?


@emodendroket 14 days

Replying to @mperham

This seems like a terrible series of individually reasonable decisions that could easily lead to wrongful legal outcomes.


@jaclaz 13 days

Replying to @mperham

Side question:

> The RP destination number, +14047259800, is a normal-looking US number, what a telecom engineer would call an “NANP E.164”. A Google search turns up documents showing that this number is associated with an AT&T “service control point” (a sort of server) that was made by Sun Microsystems. This is most likely a Sun Solaris server running an Oracle SMSC package, physically located in Atlanta, GA. Interestingly, this is not the SMSC number that AT&T uses for normal texting (+13123149810). This is a special SMSC that is used for special applications.

How many SIMs does AT&T have around? (I assume millions.)

A single Solaris server (which I imagine to be a little dated) can manage all that stuff?

It must be pretty efficient, or this data must be transmitted very seldom.


@rsync 14 days

Replying to @mperham

Even in relatively technical circles, like HN, many people are not aware of this and I use every opportunity I have to reiterate:

A SIM card is a full-blown computer with its own CPU and memory.

Your carrier can upload and run arbitrary code without your consent or knowledge. They can do this at any time.

This means that your "phone" is actually three different computers running in concert - the actual phone itself (iOS or Android or Symbian), the baseband processor running the baseband code, and the SIM card.


@rootsudo 14 days

Replying to @mperham

"The point here is that the cellphone literally has a mind of its own, in fact multiple “minds”, including in the SIM. These various minds might not even be talking to each other, and just because a phone did something, that doesn’t mean that user caused it."

Yes, baseband, modem f/w and the operating system work together but don't have to talk to one another.

A great read about REX, from Qualcomm, that goes into more details - https://fahrplan.events.ccc.de/congress/2011/Fahrplan/attach...

All the fun Qualcomm PDFs seem to be missing from the net now, but there were more official/confidential PDFs that went into details besides this: https://en.wikipedia.org/wiki/REX_OS

But even reading from the old dead CDMA2000/EVDO standard you can see more of this too - https://ftp.unpad.ac.id/orari/library/library-ref-eng/ref-en...

And more on "what is a Qualcomm chipset": https://ftp.unpad.ac.id/orari/library/library-ref-eng/ref-en...

Yes, these links are not for GSM, but Qualcomm makes GSM and these carry over as a standard, and these 10-15 year old slides are amazing and should be archived too - they used to be public even on Qualcomm sites too.

But thank you for the https://yatebts.com/ link - that is so cool. What I do with diagnostics and fun tinkering is with Qualcomm tools that I no longer have access to: QPST, QXDM, etc.


@14 13 days

Replying to @mperham

Reminds me of how I ended up with a U2 album on my iPhone. I never put those files there, nor asked for them or gave permission. Made me wonder what else they could plant on my phone.


@userbinator 14 days

Replying to @mperham

Whenever I think the Internet protocol stack is too complex, I take a glance through the (also freely available) 3GPP specifications to refresh my perspective. They are so thick and dense it's a miracle that everything works, and I remind myself that people came up with all of it and there are probably experts who know far more than I ever will about that area. Nonetheless, I'm not surprised that they are full of little-known features like this.


@beeforpork 13 days

Replying to @mperham

Why is this number even on the list of SMS activities? Isn't that list compiled and issued by AT&T? Couldn't they just hide those target SMS numbers because they are, well, they could say, needed for technical implementation of SMS processing? It puzzles me that they list these and afterwards do not tell what they really are.


@boramalper 13 days

Replying to @mperham

Would eSIM[0] improve the state of affairs with respect to privacy?

On the one hand, as SIM circuits are now being shipped with phones, I can imagine the manufacturers having the opportunity, for the first time ever, to control the operations of a SIM such that it’s no longer a black box. On the other hand, due to legislative and practical reasons, eSIM modules would likely be no different than those black-box baseband processors, with the further downside that we would also become unable to intercept the communication between a SIM (whose circuitry is now embedded) and a phone.

I would love to read the answers of those who are more knowledgeable on the subject.

[0] https://en.wikipedia.org/wiki/ESIM


@mensetmanusman 13 days

Replying to @mperham

This must be why the carriers are resistant to phones going to e-SIMs.


@walterbell 14 days

Replying to @mperham

Follow-up article by the same researcher, including Verizon and T-Mobile SIMs: https://medium.com/telecom-expert/more-proactive-sims-f8da2e...

> Of the five tier-1 SIMs I just have “laying around”, four of them proactively send messages or initiate connections through the cellular modem. Since these operations are happening between the SIM and the baseband processor, they are probably completely undetectable from the application processor and its Android/iOS/whatever software.

> I hope this is the start of a much larger exploration of proactive SIMs from around the world.


@kylehotchkiss 13 days

Replying to @mperham

This type of stuff makes keeping a phone in a Faraday bag carrier when not using it seem much more appealing. Pacsafe sells a nice one (or used to?) for like $40-50.


@rramadass 13 days

Replying to @mperham

Can somebody recommend a good book/paper/video/etc. on cell/mobile phone HW/SW/internals and hacking (everything other than the application processor and its OS, i.e. Android/iOS)? The only one that I am aware of is an old paper by Harald Welte named Anatomy of contemporary GSM cellphone hardware.


@aaronleather 13 days

Replying to @mperham

The TP destination number 1111340002 does not fit into any public network numbering plan. It must be a private address inside AT&T. This number does not exist in the public network. You cannot call it or text it through normal means. For a message to get delivered to that private address, it must go to a particular AT&T SMSC that knows how to route it.
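The two addresses the thread keeps coming back to (the private TP destination 1111340002 above, and the RP destination +14047259800 quoted in @jaclaz's comment) can be checked mechanically once the address field is decoded. The following is an added example, not code from the thread or the linked article: it encodes and decodes a SIM/SMS address field in the length + type-of-address + swapped-nibble BCD layout used for TP-DA/RP-DA (as in 3GPP TS 23.040), then tests the digits against the NANP E.164 shape to separate public numbers from private short addresses. The sample fields are constructed from the two numbers quoted in the thread.

```python
import re

# Added example, not from the thread or the linked article. Encodes/decodes
# an SMS address field (digit count, type-of-address, swapped-nibble BCD) as
# used for TP-DA / RP-DA, then checks the digits against the NANP E.164 shape.

# NANP: optional country code 1, then NPA and NXX (each a 2-9 followed by two
# digits) and a four-digit line number.
NANP_RE = re.compile(r"^(?:\+1|1)?([2-9]\d{2})([2-9]\d{2})(\d{4})$")


def encode_address(number):
    """Encode digits as: digit count, type-of-address, swapped-nibble BCD.
    A leading '+' selects 0x91 (international, ISDN plan); otherwise 0x81
    (unknown type of number, ISDN plan)."""
    digits = number.lstrip("+")
    toa = 0x91 if number.startswith("+") else 0x81
    ndigits = len(digits)
    if ndigits % 2:
        digits += "F"                     # odd count: pad the last high nibble
    bcd = bytes(int(digits[i + 1] + digits[i], 16)   # nibbles are swapped
                for i in range(0, len(digits), 2))
    return bytes([ndigits, toa]) + bcd


def decode_address(field):
    """Return (number, rest). 'number' keeps a '+' when the type-of-address
    marks it international; 'rest' is whatever follows the address field."""
    ndigits, toa = field[0], field[1]
    nbytes = (ndigits + 1) // 2
    raw = field[2:2 + nbytes]
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)[:ndigits]
    prefix = "+" if (toa & 0x70) == 0x10 else ""     # TON bits 6-4 == 001
    return prefix + digits, field[2 + nbytes:]


def classify(number):
    """Public NANP E.164 number, or something that is not one (a private or
    short address that only a specific SMSC knows how to route)."""
    m = NANP_RE.match(number)
    if m:
        return "NANP E.164 (NPA %s, NXX %s)" % (m.group(1), m.group(2))
    return "not a public NANP number (private/short address)"


def describe(field):
    """Decode one address field and classify it in a single call."""
    number, _ = decode_address(field)
    return number, classify(number)


if __name__ == "__main__":
    # Constructed fields carrying the two numbers quoted in the thread.
    for raw in (encode_address("1111340002"), encode_address("+14047259800")):
        print(raw.hex(), "->", describe(raw))
```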


@Isamu 14 days

Replying to @mperham

> SIMs can send SMS on their own using a feature called “proactive MO-SMS”

So many interesting tidbits in this article. This is what I come to HN for.


@rvnx 14 days

Replying to @mperham

I'm not sure why this would make the suspect innocent? Couldn't it be the situation that the person was doing an update and that distracted him during driving?


@DeathArrow 13 days

Replying to @mperham

I'm not sure that I would like the SIM to send data to anyone without me knowing it. But since both Android and iOS send user data without the user acknowledging, it might not be the biggest privacy issue.


@runnably 13 days

Replying to @mperham

This is a very well-written post! I don't know much about telecom stuff, but I didn't need to to understand this.


@lxgr 13 days

Replying to @mperham

Not wanting to downplay the security implications of the SIM OTA/SAT infrastructure at all, but I think in this case, there is also a non-nefarious explanation:

Back in the day of feature phones and early smartphones, carriers would proactively send device connectivity profiles (not sure what the technical term is) containing things like MMS and WAP configuration data to any new phone on their network.

This might just be AT&T's way of implementing the trigger for such a system. Obviously it would be unused today (iOS and Android don't support these profiles anymore to my knowledge), but these technologies generally have a very long tail.


@desktopninja 14 days

Replying to @mperham

To me the process sounds like a regular ping and registration process. After all, SMS was designed as a "ping protocol" and someone with a bright idea monetized it! #respect


site design / logo © 2021 Box Piper