7

A SIM card can initiate some communication with a mobile device using so-called "proactive commands" (chapter 6 of http://www.etsi.org/deliver/etsi_gts/11/1114/05.04.00_60/gsmts_1114v050400p.pdf). Using these commands, a SIM card applet can ask the OS for the current system time, have it send an SMS to a specified number, and much more.

Question:

Is there any OS protection in Android or iOS against these proactive commands? Is it possible for an attacker to create an application that hijacks the SIM-phone communication and provides the SIM card with incorrect data? Is there any "firewall" that ensures that the OS is the only entity allowed to communicate with the SIM over proactive commands?

EDIT: I have found a patent for secure proactive commands (http://www.google.com/patents/US8744406), but I do not have a clue whether any UICC vendor uses it in the real world.

UPDATE: Could I use Android Access Control Enforcer as such a firewall for Android (https://code.google.com/p/seek-for-android/wiki/AccessControlIntroduction)?

vojta
  • Dear Vojta, does this question have any answer? – Ebrahim Ghasemi Feb 18 '16 at 20:43
  • 1
    @Abraham No, it doesn't. I gave up my research. I didn't make any experiments, but I am afraid proactive commands are pretty vulnerable, so I avoid using them in security applications. – vojta Feb 18 '16 at 20:50

3 Answers

2

The OS does not communicate directly with the SIM. The SIM is connected to the baseband processor. All communication between the SIM and the OS tunnels through the baseband processor using the "AT" commands.

The SIM can also do proactive operations, like sending SMS, directly with the baseband processor without any involvement of the OS. Here is an example:

https://medium.com/telecom-expert/what-is-at-t-doing-at-1111340002-c418876c212c

This referenced article describes an AT&T SIM, a proactive SIM, that automatically sends SMS to 1111340002 under certain conditions. This was verified using OpenBTS to trace the air interface (baseband to network) and SIMTrace2 to trace the SIM/baseband interface. The application processor (and its OS) are never involved in the procedure.

These SMS show up in AT&T activity records, of the type subpoenaed in legal cases, but they (usually) do not appear on bills, and there is no record of them left in the phone or in the SIM.

Disclaimer: I am a telecom engineer, not a SIM or app developer.

  • 1
    Hi, welcome to security.SE. Could you cite in your answer the relevant findings of the blog article you cite, in order for your answer to be self-sufficient and for it to remain fully informative in case the blog article becomes unavailable in the future? – A. Hersean Jul 22 '21 at 12:00
  • 1
    I have added a short summary of the relevant points of the blog post. Thanks. – David Burgess Jul 23 '21 at 09:35
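The answer above describes tracing the SIM/baseband interface to see a proactive SEND SHORT MESSAGE go out with no involvement of the application processor. The following is an added example, not code from the answer or from any of the tools it names: a small parser for the proactive command envelope defined in chapter 6 of GSM TS 11.14 (tag D0, followed by comprehension TLVs such as Command details, Device identities and Address), of the kind a defender would run over a captured trace to flag commands that make the phone contact the network. The two sample commands and the dialling number in them are constructed for illustration.

```python
# Added example (not from the answer above or from SIMTrace2/OpenBTS):
# minimal decoder for a GSM TS 11.14 proactive command, used to audit a
# SIM/baseband trace for commands that reach the network without the
# application processor or the user being involved.
from __future__ import annotations

PROACTIVE_COMMAND_TAG = 0xD0

# Type of command values from TS 11.14 section 13.4 (subset).
COMMAND_TYPES = {
    0x01: "REFRESH",
    0x05: "SET UP EVENT LIST",
    0x10: "SET UP CALL",
    0x11: "SEND SS",
    0x12: "SEND USSD",
    0x13: "SEND SHORT MESSAGE",
    0x15: "LAUNCH BROWSER",
    0x21: "DISPLAY TEXT",
    0x25: "SET UP MENU",
    0x26: "PROVIDE LOCAL INFORMATION",
}

# Device identity codes from TS 11.14 section 12.7.
DEVICES = {0x01: "Keypad", 0x02: "Display", 0x03: "Earpiece",
           0x81: "SIM", 0x82: "ME", 0x83: "Network"}

# Commands that cause network traffic without a user-visible action:
# the ones worth flagging when reviewing a trace.
NETWORK_ACTION_TYPES = {0x10, 0x11, 0x12, 0x13, 0x15}


def _read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """BER length: one byte if below 0x80, otherwise 0x81 plus one byte."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    if first == 0x81:
        return buf[pos + 1], pos + 2
    raise ValueError("unsupported length encoding 0x%02x" % first)


def _decode_bcd_number(data: bytes) -> str:
    """Address element: TON/NPI byte, then nibble-swapped BCD digits."""
    digits = []
    for b in data[1:]:
        for nibble in (b & 0x0F, b >> 4):
            if nibble == 0x0F:  # filler nibble on odd-length numbers
                continue
            digits.append("0123456789*#abc"[nibble])
    return "".join(digits)


def parse_simple_tlvs(buf: bytes) -> list[tuple[int, bytes]]:
    """Split a command body into (tag, value) pairs; bit 8 of the tag is the
    comprehension-required flag and is masked off."""
    out, pos = [], 0
    while pos < len(buf):
        tag = buf[pos] & 0x7F
        length, pos = _read_length(buf, pos + 1)
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def parse_proactive_command(raw: bytes) -> dict:
    """Decode the D0 envelope and the elements a reviewer wants to see."""
    if raw[0] != PROACTIVE_COMMAND_TAG:
        raise ValueError("not a proactive command")
    length, pos = _read_length(raw, 1)
    body = raw[pos:pos + length]
    result = {"command_type": None, "command_name": None, "source": None,
              "destination": None, "address": None, "network_action": False}
    for tag, value in parse_simple_tlvs(body):
        if tag == 0x01:  # Command details: number, type, qualifier
            result["command_type"] = value[1]
            result["command_name"] = COMMAND_TYPES.get(value[1], "UNKNOWN")
            result["network_action"] = value[1] in NETWORK_ACTION_TYPES
        elif tag == 0x02:  # Device identities: source, destination
            result["source"] = DEVICES.get(value[0], "?")
            result["destination"] = DEVICES.get(value[1], "?")
        elif tag == 0x06:  # Address (destination of SMS / call)
            result["address"] = _decode_bcd_number(value)
    return result


def audit_trace(commands: list[bytes]) -> list[dict]:
    """Return only the decoded commands that trigger network activity."""
    return [c for c in map(parse_proactive_command, commands)
            if c["network_action"]]


# CONSTRUCTED samples (not captured data): a SEND SHORT MESSAGE from the SIM
# to the network with destination 5551234567, and a PROVIDE LOCAL
# INFORMATION (date/time) request from the SIM to the ME.
SAMPLE_SEND_SMS = bytes.fromhex(
    "D016" "8103011300" "82028183" "860681551532547" "6" "8B03010000")
SAMPLE_LOCAL_INFO = bytes.fromhex("D009" "8103012603" "82028182")

if __name__ == "__main__":
    for hit in audit_trace([SAMPLE_SEND_SMS, SAMPLE_LOCAL_INFO]):
        print("%s %s -> %s address=%s" % (hit["command_name"], hit["source"],
                                          hit["destination"], hit["address"]))
```

Run over a real trace, the same loop would list every SIM-originated SEND SHORT MESSAGE, SET UP CALL or SEND USSD with its destination, which is exactly the information the answer says never reaches the phone's OS or its logs.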
1

Broadly, the design of Unix-like operating systems (in particular Linux, on which Android is based, and Mac OS X) means the OS is by design the only software entity that's allowed to communicate with the SIM. (I say 'software' because other hardware isn't quite so limited.) So I don't think this is something you need to worry about.

Or, phrased another way: yes, the 'firewall' you describe already exists. It's one of the most fundamental features of an operating system kernel.

  • 3
    Thank you for your reply, but I am not so sure. Yes, the OS is the only entity allowed to communicate with the SIM. However, any Android application can communicate with the SIM card through the SEEK API (through the OS). So the OS does not CONTROL the communication with the SIM; it just stands in the middle between applications and the SIM and allows any application to send any APDU to any applet, right? So an evil application can send a fake answer to a proactive command, I think... – vojta Apr 13 '15 at 11:37
0

There have been some reports of hacked SIM communications before, like the one explained in this DefCon presentation from 2012, but this is all very much on a basic level and so far there have not been any known exploits as far as I can tell. That said, in this presentation they did show how you can load custom code on the SIM, so it is not hard to imagine that it is entirely possible that it has been done already.

Voidpaw
    They actually did not hack the SIM card; they knew the keys, and they said these keys could have been easily guessed using brute force. However, this is true for DES keys only and only for basic SIM cards that do not count authentication attempts. Moreover, just a few SIM cards use classic DES nowadays. My question is not about hacking the security domain of the SIM card. I need to know if the communication between the SIM card and the phone using proactive commands is secure, or if it can be interrupted by an evil phone application pretending to be the SIM Toolkit. – vojta May 18 '15 at 18:34