Curious to learn more? Come visit our USENIX talk on Thursday afternoon (Session: Wireless Security I: Cellular and Bluetooth).

- Paper: https://usenix.org/conference/usenixsecurity24/presentation/lisowski
- PDF: https://www.usenix.org/system/files/usenixsecurity24-lisowski.pdf

- Code: https://github.com/tomasz-lisowski/simurai
- Artifact: https://github.com/tomasz-lisowski/simurai-usenixsec2024-ae

Great collaboration with Tomasz, Jinjin and Marius!

Using SIMurai, we found two high-severity vulnerabilities, potentially allowing attackers to get code execution on a baseband.

But are hostile SIM cards a realistic threat model? To answer this, we provide two case studies: (a) a SIM spyware remotely provisioned by a rogue operator, and (b) triggering the found vulnerabilities via a modified SIM interposer, inserted by an attacker with physical access.

SIM cards can, for instance, ask your phone to open TCP channels, send SMS, or retrieve location information without user interaction.

To explore the attack surface we developed SIMurai, a research-focused SIM emulator, which can be plugged to physical and emulated phones alike.