EAP-SIM on a mobile phone
Following its roll-out as a new authentication method to the WiFi community network of a major mobile operator in France in 2012, EAP-SIM has attracted quite some attention over there.
Yet the limited level of support of this technology in mobile devices available on the market has left many users struggling to get it to work effectively.
EAP-SIM is supported on the iPhone and the iPad since iOS 5 — and there are reports that it can be made to work on iOS 4.
On the other hand, it has taken Google 3 years to acknowledge and react to the lack of official EAP-SIM support on Android. After hundreds of sometimes infuriated messages, it looks like they started to work on implementing it in June 2013!
In Google’s defense, one can say that EAP-SIM can work on Android — as long as your phone manufacturer or mobile operator has implemented it in the phone’s software.
Still, it is unacceptable that Google’s Android flagship devices, the Nexus family, don’t support EAP-SIM natively.
Especially when there isn’t much work to do to implement properly.
Windows Phone 8+ and BlackBerry are reported to support EAP-SIM as far as I could gather.
EAP-SIM on a desktop computer
But this article isn’t about EAP-SIM on mobile devices. Instead it will show how to connect to a WiFi network using EAP-SIM on a desktop computer running Linux.
Hardware
The requirements are:
- a SIM card of an operator supporting EAP-SIM (e.g. Free)
- a computer with a WiFi adapter
- a SIM card reader (or “smartcard reader”)
I suppose that items 1. and 2. are already in your possession.
Regarding the SIM card reader, many models can be used, ranging from high-end devices to dirt cheap readers.
Let’s say that we want to do this experiment on a shoestring: we’ll settle on a $2 SIM card reader that is just good enough.
Go to eBay and grab one of these transparent blue SIM readers (don’t know if the other models are compatible).
This is a very low-tech smartcard reader, based on the so-called Phoenix architecture. Because of — or in spite of — this simplicity, it can be quite tricky to get it to work at times. (Or is it the OpenCT driver that is at fault?)
Wait for a couple of weeks for the little package from eBay to arrive and now you’ve got everything needed to proceed 🙂
Software
First, we’ll set up the software for the SIM card reader:
- Install the following packages (on Ubuntu):
openct pcscd pcsc-tools libpcsclite-dev libnl-dev
- Plug in the SIM reader and run dmesg to determine the associated TTY:
[85418.604327] usb 7-2: new full-speed USB device number 2 using uhci_hcd [85419.040763] USB Serial support registered for pl2303 [85419.040824] pl2303 7-2:1.0: pl2303 converter detected [85419.052517] usb 7-2: pl2303 converter now attached to ttyUSB0 [85419.052552] usbcore: registered new interface driver pl2303 [85419.052556] pl2303: Prolific PL2303 USB to serial adaptor driver
- Add this piece of configuration to /etc/openct.conf (with the right TTY device):
reader phoenix { driver = phoenix; device = serial:/dev/ttyUSB0; };
- Restart OpenCT:
/etc/init.d/openct restart
- Insert the SIM card into the reader and check that it is correctly detected by OpenCT:
root@desktop:~# openct-tool atr Detected Phoenix reader Card present, status changed ATR: 3b 9f 95 80 1f c7 80 31 e0 73 fe 21 1b 64 07 54 61 00 82 90 00 f0
- Check that it is also correctly detected by PCSC-Lite:
root@desktop:~# pcsc_scan PC/SC device scanner V 1.4.18 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr> Compiled with PC/SC lite version: 1.7.4 Using reader plug'n play mechanism Scanning present readers... 0: OpenCT 00 00 Wed Aug 28 17:55:25 2013 Reader 0: OpenCT 00 00 Card state: Card inserted, ATR: 3B 9F 95 80 1F C7 80 31 E0 73 FE 21 1B 64 07 54 61 00 82 90 00 F0
At this point, you’ve confirmed that your $2 SIM reader works fine on your computer. Let’s continue to the core of the EAP-SIM set-up: the so-called “WPA supplicant”, which handles all the WiFi authentication phases.
- Download the latest release of hostapd:
user@desktop:~$ wget http://hostap.epitest.fi/releases/hostapd-2.0.tar.gz
- Extract the archive and and go the the wpa_supplicant folder:
user@desktop:wpa_supplicant$ cp defconfig .config
- Edit the newly created .config file so that it contains:
# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used) CONFIG_EAP_SIM=y # PC/SC interface for smartcards (USIM, GSM SIM) # Enable this if EAP-SIM or EAP-AKA is included CONFIG_PCSC=y
- Build the WPA supplicant program:
user@desktop:wpa_supplicant$ make
- Create a configuration file wpa_supplicant_eap-sim.conf, with the correct PIN number:
cred={ imsi="none" # anything but blank value } network={ ssid="FreeWifi_secure" key_mgmt=WPA-EAP IEEE8021X eap=SIM pin="1234" pcsc="" }
- Disconnect from any WiFi network, make sure that no other wpa_supplicant is running on your computer at the same time and run (wlan0 being the WiFi interface):
root@desktop:wpa_supplicant# iwconfig wlan0 essid "FreeWifi_secure" && ./wpa_supplicant -i wlan0 -c wpa_supplicant_eap-sim.conf
- On the output, you will see that it worked correctly if it says:
Successfully initialized wpa_supplicant wlan0: Trying to associate with xx:xx:xx:xx:xx:xx (SSID='FreeWifi_secure' freq=2417 MHz) wlan0: Associated with xx:xx:xx:xx:xx:xx wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started EAP: buildIdentity: identity configuration was not available wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=18 wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 18 (SIM) selected wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully wlan0: WPA: Key negotiation completed with xx:xx:xx:xx:xx:xx [PTK=CCMP GTK=TKIP] wlan0: CTRL-EVENT-CONNECTED - Connection to xx:xx:xx:xx:xx:xx completed (auth) [id=0 id_str=]
- On another terminal, run a DHCP client for the WiFi interface:
root@desktop:~# dhclient wlan0
Ta da, success!
You’re now connected to the FreeWifi_secure network, with an IP address giving access to the Internet.
Total cost: $2 for the SIM reader + €2 per month for the mobile phone subscription.