This page is a spin-off of our Java Card security project.
We have been researching the security of SIM / USIM cards since 2016 (a follow-up to the NSA hack information). In 2019, we published information about several security issues, some of which affected real-life SIM / USIM cards. Our research was however mostly downplayed or ignored by vendors upon reporting. This was regardless of:
Nevertheless, we haven't stopped researching SIM / USIM cards. There have been too many indications at our end that these could be below the security level required in the field (and regardless of the public claims of the major SIM / USIM card vendor which fell victim to the NSA hack).
As a result we have gained significant know-how pertaining to card internals, operation, security and resistance to local or remote compromises.
On this web page, we share some information based on the experiences gained in the SIM / USIM card security space, all in the hope that this increases public awareness of the topic, changes perspectives on the SIM / USIM card industry and potentially triggers some positive changes (such as introducing transparency in vulnerability handling processes in particular).
While no technical details / proof-of-concept code for reliably exploitable, remote SIM card compromises (such as those leading to a full Java VM breakout, applet firewall bypass, complete read / write memory access, secret key extraction, stealth backdoor install, etc.) have been discussed in the public space over the recent years (since the last major publication on the topic from 2013), one cannot exclude their existence.
Vendors of key security technologies such as SIM cards have an obligation to address security vulnerabilities / fix stuff, and make sure that mobile network operators (MNOs) and their users are safe from attacks targeting their products (cards).
Not addressing the issues / not informing customers about vulnerabilities constitutes significant negligence (intentionally putting customers at risk); in some cases it could violate the law.
We believe it is vendors' obligation and responsibility to properly communicate and handle (address / fix) any security issues present in SIM card products.
Unfortunately, due to the nature of the SIM card ecosystem, it is impossible to verify vendors' claims with respect to the security of their products. This in particular includes the impact of vulnerabilities, their fixing status (and fix quality).
In that context, we would like to refer you to the following document we prepared, which contains some guidelines for 3rd parties sharing similar security concerns about SIM card security as we do. This especially concerns telecom and government actors, which are responsible for the privacy and security of whole societies or nations.
We recommend requesting any information in writing.
In order to find out what the standard procedure is for industry and national level organizations when it comes to the handling of SIM card vulnerabilities, we have reached out to the following organizations:
The goal was to find out if there are any obligations on SIM card vendors with respect to vulnerability handling.
The feedback received (or the lack of it) indicates that SIM card vendors might be completely autonomous / out of any control when it comes to the handling of security issues. This creates a potential for hiding security issues present in SIM card products from the public, customers and/or shareholders.
Below, a snippet from the conversation around the topic of trust and certifications with a representative of a major SIM card vendor (IDEMIA) is given. It highlights some key differences in the perspective on SIM card security (security researcher vs. vendor point of view).
The following document provides information with respect to both the rationale for a thorough and in-depth security investigation of SIM / USIM cards and the key areas worth focusing on during the process:
The areas for investigation may be perceived in terms of a TODO / CHECK list for independent security evaluators (labs), researchers, MNOs or product security teams.
We would like to analyse security and/or security related changes for the following cards:
Please, contact us if you are the MNO, are willing to provide us with card samples (with the most up to date SW version as provided by the vendor) and some or all of the following applies:
* we are aware of the phasing out of 3G and associated technology; this is irrelevant for the case (and our goal)
On Jun 11, 2024 we issued yet another request to the Smartjac company to provide access to the fixed version of the USimera Prime 3G product (the one with the most up to date / fixed version). The rationale for the request was a defective (insecure / vulnerable) product and its purchase from Smartjac. The goal was to verify the fixing status of a vulnerability disclosed in 2019.
Smartjac's response indirectly indicated (among other things) that the SIM / USIM card vendor ceased all business relationship with the company as a follow-up to our disclosure of security flaws.
A no-sale policy towards security companies (last question of the Java Card project FAQ) along with the cessation of a business relationship due to the disclosure of two local vulnerabilities affecting 3G cards (and without any PoC code published) should serve as a warning sign to all customers (a manifestation of a "security through obscurity" approach under the umbrella of "the principle of ensuring maximum security and protection for all parties involved").
In 2021, we reached out to Oracle with an inquiry aimed at obtaining the permission / license to use the Java Card Virtual Machine Specifications (versions 2.x and 3.x) for productive and commercial purposes.
This was with respect to the tool (Java / SIM card introspector) we have been developing since 2016 that needed to implement various functionality described in Java Card Virtual Machine Specification such as the following in particular:
Unsuccessful talks with Oracle have led us to the following decisions:
In 2024, we resumed development of the Java / SIM card introspector tool with the goal of releasing it to the public domain.
While we have more data / documents potentially eligible for publication, these need to undergo a thorough legal review prior to any release.
Please, contact us if you would be willing to assist us in that context and have expertise in the following areas in particular:
The following technical materials are associated with the security analysis conducted for SIM / USIM cards.