Proactive SIM: When Your SIM Does Things On Its Own Without Your Knowledge
Your SIM can make things happen without you initiating anything and without you knowing about it. Yes, it’s true, because it happens. It occurs in real life, and it can even contribute to a tragedy.
The aforementioned lawyer reached out to David Allen Burgess, a New York-based telecommunications engineer, researcher, and former signals intelligence (SIGINT) specialist.
In essence, a SIGINT specialist gathers intelligence (information) and gives intelligence support.
Burgess recounted the story on the online publishing platform Medium; the lawyer’s request is what prompted him to conduct his own investigation.
According to Burgess, the lawyer’s client faces a wrongful death lawsuit, a “lawsuit brought when someone dies as a result of the defendant’s negligent or intentional act,” according to legal website Nolo.
One particular instance when a wrongful death claim can be filed, explains Nolo, is when a person dies after getting involved in a vehicular accident due to negligence on the part of the driver.
Going back to the case, the lawyer’s client was a driver who owned an AT&T SIM card, which Burgess guessed was issued in 2015.
The driver was being sued because he/she was allegedly distracted, likely texting while driving.
Where did that angle come from?
The number 1111340002 received a text message from the driver’s AT&T SIM card. It could therefore be presumed that the driver used his/her phone to send that text while driving.
What’s the text message sent and received?
A seemingly random message indicating that the phone had allowed a software update to be installed.
The confusing part of this story?
The said text message was never composed nor sent by the driver. It was the AT&T SIM card that did it on its own – as if it had a mind of its own.
Burgess said that “some lab work and a subpoena to AT&T” shed light on this puzzle.
Burgess says that when you send a text message or SMS, it will go to two “addresses” (destination numbers): the transport layer (“TP”) destination address and the relay layer (“RP”) destination address.
The TP destination address “is the number that the user specifies,” said Burgess.
The RP destination address, “supplied by the SIM,” said Burgess, is the address of the short message service center (SMSC).
The SMSC is responsible for storing and forwarding SMS (Short Message Service) or text messages, according to Wikipedia. Furthermore, as Developer's Home explains, the SMSC is the first to receive any SMS sent; after receiving it, the SMSC forwards it to the recipient number (the destination address).
The driver’s AT&T SIM card sent an SMS to 1111340002.
Burgess learned that the number 1111340002 is the TP destination address and the number +14047259800 is the RP destination address, which he described as “a normal-looking U.S. number.”
Burgess discovered that 1111340002 “does not fit into any public network numbering plan” nor does it appear in any public network. He therefore surmised that it could be “a private address inside AT&T.”
Plus, because it’s a private address, he said that one cannot send a text message to 1111340002 or call it unless “a particular AT&T SMSC” forwards the text message.
So, how come the driver’s AT&T SIM card was able to send an SMS to 1111340002?
After searching about +14047259800 online, Burgess learned that it’s associated with what he called a “service control point” of AT&T. In addition, he clarified that AT&T uses the SMSC number +14047259800 not “for normal texting” (for normal texting, AT&T uses +13123149810) but “for special applications.”
Using YateBTS and Wireshark, Burgess got hold of the “actual message content” that the driver’s AT&T SIM card sent.
When decoded, the message contains information about the following:
International Mobile Subscriber Identity (IMSI)
The SIM’s IMSI is a 15-digit number that uniquely identifies a GSM (Global System for Mobile Communications) subscriber – the person using the SIM card – according to Techopedia.
International Mobile Equipment Identity Software Version (IMEISV)
IMEISV identifies the cellular phone (the International Mobile Equipment Identity or IMEI) and the cellular phone’s software version (the “SV” in “IMEISV”), according to imei.info.
In this case, the message included the IMEISV of both the previous phone and the current phone in which the SIM was/is being used.
Integrated Circuit Card Identification Number (ICCID)
The SIM’s ICCID, typically found on the back of a SIM card, is a serial number that “determines what cellular networks your device can access,” according to EMnify.
Burgess said that the message also carried other bits of information whose meaning, he admitted, he has “not figured out yet.”
To summarize, the message reveals information “about the SIM, about the phone, and about the phone that the SIM was previously installed in,” said Burgess. The last item is seemingly the important concern, as he wrote that entire phrase in italics.
Again, the driver’s AT&T SIM card – not the driver him/herself – sent all these pieces of information in the form of a text message/an SMS to 1111340002. Burgess used SIMTrace2 to verify this.
This is also the part where Burgess mentioned “proactive MO-SMS.” A mobile-originated SMS (MO-SMS) is a text message sent from the handset rather than received by it; in proactive MO-SMS, a proactive SIM instructs the handset to send such an SMS on its own, without the user composing anything.
To recall, the driver’s AT&T SIM card sent an SMS regarding the phone installing a software update.
Burgess said that this firmware update was “almost certainly the trigger” behind the driver’s AT&T SIM card’s text message.
Under oath, one AT&T employee confirmed this.
When the baseband processor – the phone’s main chipset, which handles telecommunications, according to French information security expert Guillaume Delugré – undergoes a firmware update, a proactive SIM will send an SMS.
Burgess likewise identified another trigger: when a SIM card gets transferred (literally, placed/inserted) from one mobile phone to another.
When the driver’s AT&T SIM card sent an SMS, one of the pieces of information included in the message was the IMEISV of the previous cellular phone as well as the current phone’s IMEISV.
When you transfer a SIM, the SIM will recognize a new IMEI (the new phone’s IMEI, that is). The new IMEI could then trigger the SIM card to send an SMS, according to Burgess.
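What a proactive MO-SMS looks like at the SIM interface, as an added example written for this article (it is not code from Burgess, from SIMTrace2 or from YateBTS): the SIM answers the phone's FETCH with a SEND SHORT MESSAGE proactive command, and that command carries both of the destination addresses Burgess describes, the SMSC number supplied by the SIM (the RP destination address) and the TP destination address inside the SMS-SUBMIT. The same script decodes the IMSI, IMEISV and ICCID encodings that make up the identifiers in the report. Every byte string in it is constructed; only the two phone numbers come from the article, while the IMSI (test PLMN 001/01), IMEISV, ICCID and payload are placeholders, since the real message content is AT&T-proprietary and not reproduced. Field layouts follow ETSI TS 102 223 (proactive command TLVs), 3GPP TS 23.040 (SMS-SUBMIT), 3GPP TS 24.008 (Mobile Identity) and 3GPP TS 31.102 (EF_ICCID); the TPDU parser assumes 8-bit user data.

```python
"""Decode a SIM Toolkit SEND SHORT MESSAGE proactive command (ETSI TS 102 223)
and the IMSI/IMEISV/ICCID encodings.  Added example, not code from Burgess's
article or from the tools it names; all byte strings are CONSTRUCTED (the two
numbers are the article's, the IMSI/IMEISV/ICCID/payload are placeholders).
In the command the SIM hands the phone, the Address TLV (tag 0x06) carries the
SMSC number (RP destination) and the SMS TPDU TLV (tag 0x0B) the SMS-SUBMIT."""
SEND_SHORT_MESSAGE = 0x13                      # type of command, TS 102 223 9.4
MI_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV"}   # TS 24.008 Mobile Identity types

def decode_bcd(data: bytes) -> str:
    """Swapped-nibble BCD (low nibble first); 0xF nibbles are filler."""
    nibbles = [n for b in data for n in (b & 0x0F, b >> 4) if n != 0x0F]
    if any(n > 9 for n in nibbles):
        raise ValueError("non-BCD nibble")
    return "".join(map(str, nibbles))

def encode_bcd(digits: str) -> bytes:
    """Inverse of decode_bcd; an odd digit count gets an F filler."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1], 16) << 4 | int(digits[i], 16)
                 for i in range(0, len(digits), 2))

def parse_tlvs(data: bytes) -> dict:
    """Simple TLVs keyed by tag with the comprehension-required bit stripped."""
    tlvs, off = {}, 0
    while off < len(data):
        tag, length, vstart = data[off] & 0x7F, data[off + 1], off + 2
        if length == 0x81:                              # two-byte length form
            length, vstart = data[off + 2], off + 3
        tlvs[tag] = data[vstart:vstart + length]
        off = vstart + length
    return tlvs

def dialling_number(ton_npi: int, bcd: bytes) -> str:
    number = decode_bcd(bcd)
    return "+" + number if (ton_npi >> 4) & 0x07 == 1 else number  # international

def parse_sms_submit(tpdu: bytes) -> dict:
    """3GPP TS 23.040 SMS-SUBMIT; TP-UD is returned raw (8-bit data assumed)."""
    if tpdu[0] & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT")
    off = 4 + (tpdu[2] + 1) // 2                       # TP-DA length is in digits
    tp_da = dialling_number(tpdu[3], tpdu[4:off])
    pid, dcs = tpdu[off], tpdu[off + 1]
    off += 2 + {0: 0, 1: 7, 2: 1, 3: 7}[(tpdu[0] >> 3) & 0x03]   # skip TP-VP
    return {"tp_mr": tpdu[1], "tp_da": tp_da, "tp_pid": pid, "tp_dcs": dcs,
            "tp_ud": tpdu[off + 1:off + 1 + tpdu[off]]}

def parse_send_sms_command(cmd: bytes) -> dict:
    """D0 <len> then Command details, Device identities, Address, SMS TPDU."""
    if cmd[0] != 0xD0:
        raise ValueError("not a proactive command")
    tlvs = parse_tlvs(cmd[(3 if cmd[1] == 0x81 else 2):])
    _number, cmd_type, qualifier = tlvs[0x01]
    if cmd_type != SEND_SHORT_MESSAGE:
        raise ValueError(f"type of command {cmd_type:#x} is not SEND SHORT MESSAGE")
    source, destination = tlvs[0x02]                    # 0x81 = UICC, 0x83 = network
    addr = tlvs[0x06]
    return {"sim_originated": source == 0x81 and destination == 0x83,
            "rp_da": dialling_number(addr[0], addr[1:]),
            "submit": parse_sms_submit(tlvs[0x0B])}

def parse_mobile_identity(ie: bytes):
    """Type in bits 1-3, odd/even flag in bit 4, first digit in the high nibble."""
    kind = MI_TYPES.get(ie[0] & 0x07, "unknown")
    digits = str(ie[0] >> 4) + decode_bcd(ie[1:])
    if (ie[0] >> 3) & 1 != len(digits) % 2:
        raise ValueError("odd/even flag disagrees with digit count")
    return kind, digits

def luhn_valid(digits: str) -> bool:
    """An ICCID ends in a Luhn check digit; a failed check means a misread."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += (d * 2 - 9 if d > 4 else d * 2) if i % 2 else d
    return total % 10 == 0

def build_sample_command() -> bytes:
    """Constructed SEND SHORT MESSAGE: SMSC +14047259800, TP-DA 1111340002."""
    payload = b"PLACEHOLDER"                        # real content is proprietary
    tpdu = (bytes([0x01, 0x2A, 10, 0x81]) + encode_bcd("1111340002")
            + bytes([0x00, 0x04, len(payload)]) + payload)
    smsc = bytes([0x91]) + encode_bcd("14047259800")
    body = (bytes([0x81, 3, 1, SEND_SHORT_MESSAGE, 0, 0x82, 2, 0x81, 0x83])
            + bytes([0x86, len(smsc)]) + smsc + bytes([0x8B, len(tpdu)]) + tpdu)
    return bytes([0xD0, len(body)]) + body

SAMPLE_IMSI_IE = bytes.fromhex("09 10 10 10 32 54 76 98")         # test PLMN 001/01
SAMPLE_IMEISV_IE = bytes.fromhex("33 15 32 54 76 98 10 02 F5")
SAMPLE_EF_ICCID = bytes.fromhex("98 10 14 00 00 00 00 00 10 F3")  # 10-octet EF_ICCID

if __name__ == "__main__":
    cmd = parse_send_sms_command(build_sample_command())
    print(cmd["sim_originated"], cmd["rp_da"], cmd["submit"]["tp_da"])
    print(parse_mobile_identity(SAMPLE_IMSI_IE), parse_mobile_identity(SAMPLE_IMEISV_IE))
    iccid = decode_bcd(SAMPLE_EF_ICCID); print(iccid, luhn_valid(iccid))
```

In a real SIMTrace2 capture the D0 command would appear in the SIM's response to the phone's FETCH, so device identities of UICC to network together with a TP-DA that fits no public numbering plan is the signature of the SIM, not the user, originating the message; the Luhn check on the ICCID is a cheap way to catch a misread before relying on the decoded identifiers.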
It could be interesting to note that long before Burgess encountered the number 1111340002, a 2015 document titled “A Case Study of Mississippi State Penitentiary’s Managed Access Technology” divulged something about that number.
According to the said document submitted to the U.S. Department of Justice, the number 1111340002 is “the most commonly texted number . . . associated with automated ‘robot’ dialing” and “with a debt collection service.”
Perhaps Burgess could take a look into this report?
With AT&T SIM cards sending reports such as the one discussed by Burgess in his Medium article, he thought it would be better if AT&T were “transparent about it.”
So far, the multibillion-dollar telecommunications giant has not issued any public statement concerning its SIM cards sending such reports, Burgess noted.
It could be normal – maybe even legal? – practice for network operators to collect information about their customers’ phone usage (e.g., brand, location), which Burgess assumed is what AT&T has been doing all along.