SIM / USIM cards

General info

This page is a spin-off of our Java Card security project.

Rationale for a separate project page

We have been researching the security of SIM / USIM cards since 2016 (a follow-up to the NSA hack information). In 2019, we published information about several security issues, some of which affected real-life SIM / USIM cards. Our research was however mostly downplayed or ignored by vendors upon reporting. This was regardless of:

  • proof that we got quite deep into researching the cards and Java Card VM operation
  • the vendors' evaluation of the security issues, which did not reflect reality

Nevertheless, we haven't stopped researching SIM / USIM cards. There have been too many indications at our end that these could be below the security level required in the field (and this regardless of the public claims of the major SIM / USIM card vendor which fell victim to the NSA hack).

    As a result, we have gained significant know-how pertaining to card internals, operation, security and resistance to local or remote compromise.

    On this web page, we share some information based on the experience gained in the SIM / USIM card security space, in the hope that it increases public awareness of the topic, changes the perspective on the SIM / USIM card industry and potentially triggers some positive changes (in particular, the introduction of transparency into vulnerability handling processes).

    Vendors' handling of security issues

    While no technical details or proof-of-concept code for reliably exploitable, remote SIM card compromises (such as those leading to a full Java VM breakout, applet firewall bypass, complete read / write memory access, secret key extraction, stealth backdoor installation, etc.) have been discussed in the public space in recent years (since the last major publication on the topic, from 2013), one cannot exclude their existence.

    Vendors of key security technologies such as SIM cards have an obligation to address (fix) security vulnerabilities and to make sure that mobile network operators (MNOs) and their users are safe from attacks targeting their products (cards).

    Not addressing the issues, or not informing customers about vulnerabilities, constitutes significant negligence (intentionally putting customers at risk); in some cases it could violate the law.

    The need for transparency

    We believe it is the vendors' obligation and responsibility to properly communicate and handle (address / fix) any security issues present in SIM card products.

    Unfortunately, due to the nature of the SIM card ecosystem, it is impossible to verify vendors' claims with respect to the security of their products. This in particular includes the impact of vulnerabilities and their fixing status (and fix quality).

    In that context, we would like to refer you to the following document we prepared, which contains some guidelines for third parties sharing security concerns about SIM card security similar to ours. This especially concerns telecom and government actors, which are responsible for the privacy and security of whole societies or nations.

    • SIM card vendors' questionnaire, PDF file, 219KB (download)

    We recommend requesting any such information in writing.

    Vulnerabilities handling processes

    In order to find out what the standard procedure is for industry and national-level organizations when it comes to the handling of SIM card vulnerabilities, we reached out to the following organizations:

    • ANSSI / CERT-FR inquiry, PDF file, 649KB (download)
    • GSMA inquiry, PDF file, 584KB (download)

    The goal was to find out if there are any obligations on SIM card vendors with respect to vulnerability handling.

    The feedback received (or the lack of it) indicates that SIM card vendors might be completely autonomous / outside of any control when it comes to the handling of security issues. This creates the potential for hiding security issues present in SIM card products from the public, customers and/or shareholders.

    On trust and certifications

    Below is a snippet of a conversation on the topic of trust and certifications with a representative of a major SIM card vendor (IDEMIA). It highlights some key differences in perspective on SIM card security (security researcher vs. vendor point of view).

    • IDEMIA exchange, On trust and certifications, PDF file, 723KB (download)

    Areas for investigation

    The following document provides both the rationale for a thorough, in-depth security investigation of SIM / USIM cards and the key areas worth focusing on during the process:

    • SIM / USIM cards - areas for investigation (notes), PDF file, 650KB (download)

    The areas for investigation may be treated as a TODO / CHECK list for independent security evaluators (labs), researchers, MNOs or product security teams.

    The cards

    We would like to analyse the security and/or security-related changes of the following cards:

    • GemXplore 3G V3.0-256K, ATR 3b9f95801fc78031e073fe211b63e208a8830f900089 (local bug, remote bug)
    • GemXplore 3G V2.1, ATR 3b9f96801fc38031e073fe211bb3e2027e830f900082
    • GemXplore 3G V2.1_64K-PK, ATR 3b9f96801fc38031e073fe211bb3e2027e830f900082
    • GemXplore 3G V2.2-128K-PK, ATR 3b9f96801fc78031e073fe211bb3e20394830f90006d
    • 3G USIMERA Prime, ATR 3b9e96801fc78031e073fe211b66d0017a7b0e000e (local bug)
    • LinqUs 128K, ATR 3b9e96801fc78031e073fe211b66d000750209007e
    • UpTeq CSIM, ATR 3b9f97c00a1fc78031e073fe211b65d0011009228100f2
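    The ATRs above are the only identifiers an operator or lab has for matching a card from the field against this list. The following is an added example (not the project's introspector code) that parses an ISO/IEC 7816-3 Answer To Reset into its interface bytes, historical bytes and TCK checksum, decodes the COMPACT-TLV historical bytes (tag names per ISO/IEC 7816-4, category indicator 0x80) and looks the ATR up in a table constructed from the list above. Function names and the table are this example's own. Note that an ATR match identifies the product, not necessarily the software revision the card carries.

```python
"""ATR parser and lookup for the SIM / USIM cards listed above.
Added example; not part of the Java / SIM card introspector tool."""

# ATR -> product table constructed from the list on this page. Two listed
# products share one ATR, so each entry maps to a list of names.
LISTED_CARDS = {
    "3b9f95801fc78031e073fe211b63e208a8830f900089": ["GemXplore 3G V3.0-256K"],
    "3b9f96801fc38031e073fe211bb3e2027e830f900082": ["GemXplore 3G V2.1",
                                                      "GemXplore 3G V2.1_64K-PK"],
    "3b9f96801fc78031e073fe211bb3e20394830f90006d": ["GemXplore 3G V2.2-128K-PK"],
    "3b9e96801fc78031e073fe211b66d0017a7b0e000e": ["3G USIMERA Prime"],
    "3b9e96801fc78031e073fe211b66d000750209007e": ["LinqUs 128K"],
    "3b9f97c00a1fc78031e073fe211b65d0011009228100f2": ["UpTeq CSIM"],
}

# COMPACT-TLV tag names for historical bytes (ISO/IEC 7816-4).
COMPACT_TLV_TAGS = {
    0x1: "country code", 0x2: "issuer identification number",
    0x3: "card service data", 0x4: "initial access data",
    0x5: "card issuer's data", 0x6: "pre-issuing data",
    0x7: "card capabilities", 0x8: "status indicator",
    0xF: "application identifier",
}


def decode_historical(hist):
    """Decode COMPACT-TLV historical bytes (category indicator 0x80).
    Returns a list of (tag name, value hex); [] if the category is not
    0x80 or the TLV run is malformed (no partial results are returned)."""
    if not hist or hist[0] != 0x80:
        return []
    out, pos = [], 1
    while pos < len(hist):
        tag, length = hist[pos] >> 4, hist[pos] & 0x0F
        value = hist[pos + 1:pos + 1 + length]
        if len(value) != length:
            return []
        out.append((COMPACT_TLV_TAGS.get(tag, f"tag {tag:X}"), value.hex()))
        pos += 1 + length
    return out


def parse_atr(atr_hex):
    """Parse an ATR hex string per ISO/IEC 7816-3; raises ValueError if the
    structure is inconsistent with its own T0/TD length fields."""
    atr = bytes.fromhex(atr_hex.replace(" ", ""))
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte")
    result = {"convention": "direct" if atr[0] == 0x3B else "inverse",
              "interface": {}, "protocols": []}
    k = atr[1] & 0x0F          # number of historical bytes
    y = atr[1] >> 4            # presence bits of TA1/TB1/TC1/TD1
    pos, i = 2, 1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated in interface bytes")
                result["interface"][f"{name}{i}"] = atr[pos]
                pos += 1
        td = result["interface"].get(f"TD{i}")
        if td is None:
            break
        result["protocols"].append(td & 0x0F)   # T=... announced by TDi
        y, i = td >> 4, i + 1
    hist = atr[pos:pos + k]
    if len(hist) != k:
        raise ValueError("ATR truncated in historical bytes")
    pos += k
    # TCK is present iff a protocol other than T=0 is announced; it is the
    # XOR of every byte from T0 through TCK, which must come out to zero.
    if any(p != 0 for p in result["protocols"]):
        if pos != len(atr) - 1:
            raise ValueError("TCK missing or trailing bytes after TCK")
        xor = 0
        for b in atr[1:]:
            xor ^= b
        result["tck"], result["tck_ok"] = atr[-1], xor == 0
    else:
        if pos != len(atr):
            raise ValueError("trailing bytes in ATR")
        result["tck"], result["tck_ok"] = None, True
    result["historical"] = hist
    result["historical_tlv"] = decode_historical(hist)
    return result


def identify(atr_hex):
    """Listed product names with exactly this ATR (spaces/case ignored)."""
    return LISTED_CARDS.get(atr_hex.replace(" ", "").lower(), [])


def check_listed():
    """Map each listed ATR to whether its TCK checksum verifies."""
    return {atr: parse_atr(atr)["tck_ok"] for atr in LISTED_CARDS}


if __name__ == "__main__":
    # Example: an ATR as printed by a reader tool, with spaces and upper case.
    sample = "3B 9F 95 80 1F C7 80 31 E0 73 FE 21 1B 63 E2 08 A8 83 0F 90 00 89"
    info = parse_atr(sample)
    print(identify(sample), info["protocols"], info["tck_ok"])
    for name, value in info["historical_tlv"]:
        print(f"  {name}: {value}")
```

    All six ATRs on the list carry a valid TCK (T=15 is announced in TD2, so the checksum is mandatory), and their historical bytes are COMPACT-TLV with card service data, card capabilities, pre-issuing data and a status indicator. A flipped byte anywhere after TS shows up as tck_ok being False, which is the first thing to check before trusting an ATR copied from a log.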

    Please contact us if you are an MNO, are willing to provide us with card samples (with the most up-to-date SW version as provided by the vendor) and some or all of the following apply:

    • you have been using (or are still using*) any of the above cards in the field
    • you have not received patches for the security vulnerabilities linked above
    • you are not aware of any security vulnerabilities affecting the cards other than those linked above

    * we are aware of the phasing out of 3G and associated technology; this is irrelevant for the case (and our goal)

    The impact of a disclosure from 2019

    On Jun 11, 2024, we issued yet another request to the Smartjac company to provide access to the fixed version of the USimera Prime 3G product (the one with the most up-to-date / fixed version). The rationale for the request was a defective (insecure / vulnerable) product purchased from Smartjac. The goal was to verify the fixing status of a vulnerability disclosed in 2019.

    Smartjac's response indirectly indicated (among other things) that the SIM / USIM card vendor had ceased all business relationships with the company as a follow-up to our disclosure of security flaws.

    A no-sale policy towards security companies (see the last question of the Java Card project FAQ), along with the cessation of a business relationship due to the disclosure of two local vulnerabilities affecting 3G cards (and without any PoC code published), should serve as a warning sign to all customers (a manifestation of a "security through obscurity" approach under the umbrella of "the principle of ensuring maximum security and protection for all parties involved").

    Licensing obstacles

    In 2021, we reached out to Oracle with an inquiry aimed at obtaining permission / a license to use the Java Card Virtual Machine Specifications (versions 2.x and 3.x) for productive and commercial purposes.

    This was with respect to the tool (Java / SIM card introspector) we have been developing since 2016, which needed to implement various functionality described in the Java Card Virtual Machine Specification, in particular the following:

    • parsing and generation of Java executable code embedded in a CAP file format (Applets)
    • sending Java executable code embedded in CAP files over-the-wire and over-the-air to a smartcard
    • Java Card bytecode analysis and manipulation
    • use of Java Card APIs

    Unsuccessful talks with Oracle have led us to the following decisions:

  • inability to assist business customers seeking assistance / R&D work in the area of SIM / USIM and Java Card
  • switching to a non-commercial version of the tool, along with a decision to release it for educational / R&D purposes

    In 2024, we resumed development of the Java / SIM card introspector tool with the goal of releasing it to the public domain.

    Further information

    While we have more data / documents potentially eligible for publication, these need to undergo a thorough legal review prior to any release.

    Please contact us if you would be willing to assist us in that context and have expertise in the following areas in particular:

    • French law
    • whistleblowing law
    • international commercial law, more specifically, in defective product liability

    Details

    The following technical materials are associated with the security analysis conducted for SIM / USIM cards.

    Materials

    • "Java / SIM Card introspector"
      The Java / SIM Card introspector is a software tool that facilitates security evaluation, reverse engineering and vulnerability testing of Java based SIM / USIM cards. It implements GlobalPlatform (GP) functionality, application and security code management, file system inspection / modification and SIM Toolkit application testing, among others. The tool embeds functionality that can be used to reverse engineer and test for vulnerabilities targeting arbitrary Java based SIM / USIM cards.