Our #usenix2024 paper "SIMurai: Slicing Through the Complexity of SIM Card Security Research" just went public!

We asked ourselves: What kind of attacks could a hostile SIM launch against your phone?

SIM cards can, for instance, ask your phone to open TCP channels, send SMS, or retrieve location information without user interaction.
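As an added illustration (not code from the paper or from SIMurai), here is a small parser for the header of a proactive command that a SIM issues to the phone, flagging the command types the post names as running without user interaction (opening channels, sending SMS, reading location). Tag and command-type values follow ETSI TS 102 223; the two sample command payloads are constructed for this example.

```python
# Added example: classify proactive SIM commands (ETSI TS 102 223 BER-TLV).
# Tag/type constants are from the spec; sample payloads below are constructed.
PROACTIVE_TAG = 0xD0
CMD_DETAILS_TAG = 0x01   # comprehension-required bit 0x80 is masked off
DEVICE_ID_TAG = 0x02

TYPE_NAMES = {
    0x10: "SET UP CALL", 0x11: "SEND SS", 0x12: "SEND USSD",
    0x13: "SEND SHORT MESSAGE", 0x21: "DISPLAY TEXT", 0x23: "GET INPUT",
    0x26: "PROVIDE LOCAL INFORMATION", 0x40: "OPEN CHANNEL",
    0x41: "CLOSE CHANNEL", 0x42: "RECEIVE DATA", 0x43: "SEND DATA",
}
# Commands the phone may execute with no user-visible prompt; the post's attack surface.
SILENT_RISK = {0x11, 0x12, 0x13, 0x26, 0x40, 0x41, 0x42, 0x43}

def _read_len(buf: bytes, i: int):
    """BER length: one byte < 0x80, or 0x81 followed by one length byte."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    if buf[i] == 0x81:
        return buf[i + 1], i + 2
    raise ValueError("unsupported length encoding")

def parse_proactive(buf: bytes) -> dict:
    """Return command number, type, qualifier, device ids and a risk flag."""
    if not buf or buf[0] != PROACTIVE_TAG:
        raise ValueError("not a proactive command (expected tag 0xD0)")
    total, i = _read_len(buf, 1)
    end = i + total
    if end != len(buf):
        raise ValueError("length field does not match payload size")
    tlvs = {}
    while i < end:
        tag = buf[i] & 0x7F
        ln, i = _read_len(buf, i + 1)
        tlvs[tag] = buf[i:i + ln]
        i += ln
    cd = tlvs.get(CMD_DETAILS_TAG)
    if cd is None or len(cd) != 3:
        raise ValueError("missing or malformed command details TLV")
    ids = tlvs.get(DEVICE_ID_TAG, b"\x00\x00")
    return {"number": cd[0], "type": cd[1],
            "name": TYPE_NAMES.get(cd[1], f"unknown 0x{cd[1]:02x}"),
            "qualifier": cd[2], "source": ids[0], "dest": ids[1],
            "silent_risk": cd[1] in SILENT_RISK}

# Constructed samples: OPEN CHANNEL (immediate link) and DISPLAY TEXT "Hi!".
SAMPLE_OPEN_CHANNEL = bytes.fromhex("D009 8103014001 82028182")
SAMPLE_DISPLAY_TEXT = bytes.fromhex("D00F 8103012180 82028102 8D0404486921")
```

Run over the commands a SIM (or SIM emulator) sends during a session, the `silent_risk` flag gives a quick first filter for which proactive commands deserve a closer look.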

To explore the attack surface we developed SIMurai, a research-focused SIM emulator, which can be plugged into physical and emulated phones alike.

We also verified that SIMurai works in practice by connecting it to 18 different phones and attaching to cellular networks (2G/4G/5G).

Using SIMurai, we found two high-severity vulnerabilities, potentially allowing attackers to gain code execution on the baseband.

But are hostile SIM cards a realistic threat model? To answer this, we provide two case studies: (a) a SIM spyware remotely provisioned by a rogue operator, and (b) triggering the discovered vulnerabilities via a modified SIM interposer, inserted by an attacker with physical access.

Curious to learn more? Come visit our USENIX talk on Thursday afternoon (Session: Wireless Security I: Cellular and Bluetooth).

- Paper: https://usenix.org/conference/usenixsecurity24/presentation/lisowski
- PDF: https://www.usenix.org/system/files/usenixsecurity24-lisowski.pdf

- Code: https://github.com/tomasz-lisowski/simurai
- Artifact: https://github.com/tomasz-lisowski/simurai-usenixsec2024-ae

Great collaboration with Tomasz, Jinjin and Marius!

@merlinchlosta did you know you can actually buy a 2FF/3FF/4FF packaged eUICC *with a built-in mitm-proxy uC* between the eUICC and the contact pads? That way you can install any operator's eSIM profile into the card, use it like a regular SIM in any device and "own" all the communication without a clumsy interposer :)
@merlinchlosta is this the same for physical SIM cards and e-SIMs?