A SIM Hacking Odyssey: Can a SIM hack YOU?
This talk shows our 4-year-long journey of investigating SIM-originating attacks. We discovered multiple vulnerabilities across a myriad of devices, ranging from phones to car chargers. The highlighted attacks include privacy leaks, memory corruption in basebands, lock screen bypasses and other logic bugs that allow us to control modems in unexpected ways.
Beyond these attacks, we discuss the tooling we built along the way and provide an outlook into the future research of this attack surface.
All mobile devices connected to contemporary cellular networks must contain a SIM card, be it a removable plastic card or an embedded SIM (eSIM). Mobile device vendors, and users of these devices, seldom question the trust put into the SIM card and the physical interface it plugs into. The result is an interface of ever-growing complexity, carrying an assortment of unsafe-by-design legacy features that remain from the early days, when they may have been useful for delivering certain carrier services to under-powered “dumb” devices.
In this presentation, we describe our chronological exploration of various aspects of the SIM-ME (mobile equipment) interface. While earlier work already demonstrated the potential dangers of this attack surface, we found tooling and public information on the topic to be sparse, motivating us to dive deep into the topic.
To reduce the barrier of entry, we developed open-source research tooling, beginning with SIMurai. The framework combines a smart card emulation framework with a SIM emulator built on top of it, and allows us to explore the attack surface without the need for physical (research) SIMs. We integrated SIMurai with baseband firmware emulation to enable fuzz testing, which led us to the discovery of three vulnerabilities. We were also able to reimplement existing attacks such as SIMJacker-style location stealing. Extending the insights gained from emulation, we also explored the facilities available to hostile SIM applets and malicious SIM interposers.
Most recently, we developed CATana to explore the RUN AT COMMAND proactive command, i.e., a feature defined in the Card Application Toolkit specification (ETSI TS 102 223) that allows a SIM card to issue AT commands directly to the ME. An exploration of phones and IoT modems revealed that, despite few legitimate use cases, running AT commands provided by the SIM is supported on various devices. To highlight the threats posed by this interface, we developed a range of attacks. To gauge how these attacks would look in production, when victim devices are connected to real cellular networks, we extended our existing frameworks with interposing capabilities.
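To make the RUN AT COMMAND path concrete: the SIM signals a pending proactive command in its status word (91 xx), the ME issues a FETCH, receives a BER-TLV structure tagged 0xD0, executes it, and reports back with a TERMINAL RESPONSE. The following is an added example, not code from SIMurai, CATana or the talk, showing how the FETCH payload for RUN AT COMMAND is assembled, and the check an interposer or monitoring tool could run on every FETCH response to flag SIMs that ask the ME to execute AT commands. The tag and command-type values are taken from ETSI TS 102 223 as recalled here; verify them against the spec before relying on them. The AT command strings are constructed sample input.

```python
"""Encode and inspect the RUN AT COMMAND proactive command (ETSI TS 102 223).

Added example, not code from SIMurai or CATana. Tag and command-type values
follow ETSI TS 102 223 as recalled by the author; check them against the spec.
"""

TAG_PROACTIVE_CMD = 0xD0     # BER-TLV tag wrapping every proactive command
TAG_COMMAND_DETAILS = 0x01   # simple TLV tags; the CR bit (0x80) is added on the wire
TAG_DEVICE_IDENTITIES = 0x02
TAG_AT_COMMAND = 0x28
CR = 0x80                    # comprehension-required bit
TYPE_RUN_AT_COMMAND = 0x34   # "type of command" byte for RUN AT COMMAND
DEV_UICC = 0x81              # device identity: the (U)SIM
DEV_TERMINAL = 0x82          # device identity: the ME


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one TLV with the 1- or 2-byte length coding used by TS 102 223."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    if len(value) <= 0xFF:
        return bytes([tag, 0x81, len(value)]) + value
    raise ValueError("value too long for a single proactive command")


def build_run_at_command(at_cmd: str, cmd_number: int = 1, qualifier: int = 0) -> bytes:
    """Build the bytes a SIM returns to FETCH when asking the ME to run an AT command."""
    body = _tlv(TAG_COMMAND_DETAILS | CR, bytes([cmd_number, TYPE_RUN_AT_COMMAND, qualifier]))
    body += _tlv(TAG_DEVICE_IDENTITIES | CR, bytes([DEV_UICC, DEV_TERMINAL]))
    body += _tlv(TAG_AT_COMMAND | CR, at_cmd.encode("ascii"))
    return _tlv(TAG_PROACTIVE_CMD, body)


def _parse_tlvs(data: bytes) -> list:
    """Split a TLV sequence into (tag, value) pairs, rejecting truncated input."""
    out, i = [], 0
    while i < len(data):
        tag = data[i]
        i += 1
        if i >= len(data):
            raise ValueError("truncated TLV header")
        length = data[i]
        i += 1
        if length == 0x81:
            if i >= len(data):
                raise ValueError("truncated TLV length")
            length = data[i]
            i += 1
        elif length >= 0x80:
            raise ValueError("unsupported length encoding")
        if i + length > len(data):
            raise ValueError("TLV value runs past end of data")
        out.append((tag, data[i:i + length]))
        i += length
    return out


def parse_proactive_command(data: bytes) -> dict:
    """Decode a FETCH response into command details, device identities and AT command."""
    outer = _parse_tlvs(data)
    if len(outer) != 1 or outer[0][0] != TAG_PROACTIVE_CMD:
        raise ValueError("not a single proactive command")
    result = {"cmd_number": None, "type": None, "qualifier": None,
              "source": None, "destination": None, "at_command": None}
    for tag, value in _parse_tlvs(outer[0][1]):
        tag &= 0x7F  # ignore the comprehension-required bit when matching
        if tag == TAG_COMMAND_DETAILS and len(value) == 3:
            result["cmd_number"], result["type"], result["qualifier"] = value
        elif tag == TAG_DEVICE_IDENTITIES and len(value) == 2:
            result["source"], result["destination"] = value
        elif tag == TAG_AT_COMMAND:
            result["at_command"] = value.decode("ascii", errors="replace")
    return result


def flag_run_at(fetch_response: bytes):
    """Interposer check: return the AT command the SIM wants executed, or None."""
    cmd = parse_proactive_command(fetch_response)
    if cmd["type"] != TYPE_RUN_AT_COMMAND:
        return None
    return cmd["at_command"]


if __name__ == "__main__":
    # Constructed sample: a SIM asking the ME for its IMEI via AT+CGSN.
    payload = build_run_at_command("AT+CGSN")
    print(payload.hex().upper())
    print("SIM requests AT command:", flag_run_at(payload))
```

A real interposer would run flag_run_at on the data returned for every FETCH and either log the string or drop the command before it reaches the ME; the parser deliberately rejects truncated or oversized TLVs rather than trusting lengths supplied by the card.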
Lastly, we look into the future of SIM-originating attacks with our SIMcurity project. We actively develop new tooling, such as SIMuscope, and provide an outlook on the new research directions we want to enable. Overall, we hope to encourage members of the community to take part in exploring and securing this ubiquitous technology.