A comprehensive collection of security research, methodologies, and tools focused on SIM card and eSIM technology vulnerabilities and protections. Part of the telco-sec.com open community project.
TelcoSec/SIM-eSIM-Security-Research

SIM/eSIM Security Research

Overview

This section focuses on the security aspects of SIM cards and eSIM technology, which form the foundation of subscriber identity and authentication in mobile networks.

Research Tools & Equipment

Hardware Tools

Software Tools

eSIM Development

Research Papers & Publications

SIM Card Security

  1. "Rooting SIM Cards" - Karsten Nohl, BlackHat USA 2013
  2. "The Secret Life of SIM Cards" - USENIX Security 2019
  3. "Practical SIM Card Attacks" - WOOT'15

eSIM Security

  1. "Security Analysis of Consumer-Grade eSIM Remote Provisioning" - BlackHat USA 2020
  2. "eSIM Security: Past, Present, and Future" - IEEE Communications Standards Magazine
  3. "Breaking eSIM Remote Provisioning" - NDSS 2023

Side-Channel Analysis

  1. "Power Analysis of SIM Cards" - CHES 2002
  2. "Practical Template Attacks on SIM Cards" - CARDIS 2019

Educational Videos & Presentations

Conference Talks

  1. "Hacking SIM Cards with Osmocom" - CCC 2019
  2. "Breaking eSIM Remote Provisioning" - BlackHat USA 2020
  3. "SIMple: SIM Card Exploitation" - DEF CON 21

Tutorial Series

  1. "Introduction to SIM Card Security" - Hak5
  2. "eSIM Technology Deep Dive" - GSMA Training
  3. "Smart Card Programming" - JavaCard Tutorial

Research Areas

Physical SIM Security

  • SIM Card Architecture

    • Smart card hardware security
    • Tamper resistance mechanisms
    • EEPROM/Flash memory security
    • Microcontroller vulnerabilities
  • File System

    • MF (Master File) structure
    • DF (Dedicated File) access controls
    • EF (Elementary File) content protection
    • File access conditions and permissions
  • Authentication Algorithms

    • COMP128 (versions and vulnerabilities)
    • Milenage algorithm security
    • TUAK algorithm implementation
    • Ki (subscriber key) storage and protection
  • SIM Toolkit Applications

    • STK application vulnerabilities
    • Malicious applet detection
    • S@T Browser security
    • Java Card security boundaries

eSIM Security

  • Remote Provisioning

    • SM-DP+ (Subscription Manager - Data Preparation) security
    • SM-SR (Subscription Manager - Secure Routing) vulnerabilities
    • eUICC profile download security
    • LPA (Local Profile Assistant) security
  • Profile Management

    • Profile switching security
    • Multi-profile coexistence risks
    • Profile deletion verification
    • Operational security for telco profile managers
  • Secure Channel Protocols

    • SCP03/SCP11 implementation
    • Certificate management
    • Key rotation practices
    • Cryptographic algorithm selection

Over-The-Air (OTA) Security

  • Update Mechanisms

    • OTA update authentication
    • SMS-based OTA security
    • CAT_TP security
    • BIP (Bearer Independent Protocol) security
  • Carrier Provisioning

    • Provisioning message integrity
    • SMS C-Channel security
    • Replay attack prevention
    • OTA command authorization

Known Vulnerabilities & CVEs

  • SIM Card Cloning (CVE-2013-4640)
  • Simjacker Vulnerability (CVE-2019-4500)
  • WIB Browser Exploit (CVE-2019-4501)
  • S@T Browser Attack (CVE-2019-4502)
  • OTA Update Bypass (CVE-2021-XXXX)
  • eSIM Profile Tampering (CVE-2022-XXXX)
  • SIM Toolkit Security Issues (CVE-2020-XXXX)

Research Methodologies

Hardware Analysis

  • Physical inspection techniques
  • Side-channel power analysis
  • Timing attack methodology
  • Fault injection testing

Software Analysis

  • Logical security testing
  • Protocol fuzzing
  • Authentication bypass testing
  • File system analysis

eSIM Testing

  • Profile management testing
  • Remote provisioning analysis
  • LPA security assessment
  • Certificate validation

Practical Labs

  1. SIM Card File System Analysis

    • File structure analysis
    • Access control testing
    • Data extraction techniques
  2. Authentication Algorithm Testing

    • COMP128 analysis
    • Milenage testing
    • Key extraction attempts
  3. SIM Toolkit Application Security

    • STK app analysis
    • Security boundary testing
    • Applet vulnerability assessment
  4. OTA Security Testing Framework

    • OTA message analysis
    • Update security testing
    • SMS security assessment
  5. eSIM Profile Management Security

    • Profile installation testing
    • Security boundary verification
    • Remote management assessment

Standards & Specifications

Core Standards

Security Guidelines

Community Resources
