SIM Card Security Testing

Master the art of SIM card security testing with comprehensive attack vectors, exploitation techniques, and defense strategies for mobile telecommunications.

Smart Card Security

Hardware Analysis

OTA Security

Cryptographic Attacks

Attack Vectors

Exploits

Testing Phases

15+

Security Tools

SIM Card Security Overview

Subscriber Identity Module (SIM) cards serve as the cornerstone of mobile network authentication, housing critical subscriber identity information, authentication keys, and network-specific applications. As secure elements engineered to safeguard cryptographic secrets, SIM cards implement sophisticated security mechanisms, yet they remain susceptible to both physical and logical attack vectors.

Understanding SIM card security is paramount in today's mobile-centric world, as these diminutive devices establish the root of trust in mobile networks. Compromising SIM security can precipitate severe consequences including identity theft, call interception, SMS manipulation, and unauthorized network access.

Security Landscape Evolution

Modern SIM cards have evolved from simple authentication tokens to sophisticated computing platforms running Java applications, managing multiple network profiles, and supporting advanced cryptographic algorithms. This evolution has expanded both capabilities and attack surfaces.

Critical Vulnerabilities

Legacy COMP128v1 algorithm weaknesses enabling key extraction
Insecure Over-the-Air (OTA) update mechanisms
Vulnerable SIM Toolkit applications and S@T browsers
Side-channel attacks on cryptographic implementations

Modern Protections

MILENAGE and TUAK authentication algorithms
Enhanced OTA security with proper key management
Hardware security modules and secure elements
Application isolation and sandboxing

SIM Card Architecture & Components

Hardware Components

Secure Microcontroller

8-bit or 32-bit processor with cryptographic coprocessors

EEPROM/Flash Memory

Non-volatile storage for applications and data (32KB-1MB)

RAM

Volatile memory for runtime operations (1-8KB)

I/O Interface

ISO 7816 contact interface or NFC contactless

Software Stack

Operating System

Proprietary OS with security features and access controls

File System

Hierarchical structure with access control lists

SIM Toolkit

Framework for value-added services and applications

Cryptographic Libraries

Authentication algorithms and encryption functions

Comprehensive view of SIM card architecture showing hardware components, software layers, and security controls

SIM Card Attack Vectors

COMP128v1 Cryptographic Attacks

Exploiting weaknesses in the legacy COMP128v1 authentication algorithm to extract the secret Ki key

Critical

Attack Methodology

Obtain physical access to the target SIM card
Use a smart card reader to interface with the SIM
Send carefully crafted RAND challenges to exploit algorithm weaknesses
Analyze the SRES responses to extract Ki key bits
Reconstruct the complete 128-bit Ki authentication key
Use extracted Ki to clone the SIM card

Technical Requirements

Hardware

• Smart card reader (PC/SC compatible)
• SIM card adapter
• Computer with card reader software

Software

• COMP128 attack tools (SIMspider, Kraken)
• Smart card libraries (pyscard, PCSC)
• Custom exploitation scripts

Vulnerability Status

COMP128v1 is deprecated and should not be used in modern SIM cards. However, legacy cards may still be vulnerable. COMP128v2, COMP128v3, and MILENAGE provide better security.

Exploitation Techniques & Tools

SIMjacker Exploitation

Exploiting S@T Browser functionality through binary SMS messages

High Complexity

Remote Access

Impact Assessment

Remote surveillance, location tracking, SMS interception, and device manipulation without user awareness

Detection Indicators

Unexpected SMS activity from the device
Unusual network data usage patterns
Battery drain from background activities
Unexplained location requests or browser launches

COMP128v1 Key Extraction

Extracting the secret Ki key from SIM cards using COMP128v1 algorithm weaknesses

Medium Complexity

Physical Access

Impact Assessment

Complete compromise of SIM authentication, enabling SIM cloning and unauthorized network access

Detection Indicators

Multiple simultaneous network registrations with the same IMSI
Calls or SMS received without the device ringing
Unexpected location updates in network logs
Unusual authentication patterns in network monitoring

OTA Security Bypass

Exploiting weak Over-the-Air update mechanisms to manipulate SIM data

High Complexity

Remote Access

Impact Assessment

Remote modification of SIM data, installation of malicious applications, and unauthorized access to subscriber information

Detection Indicators

Unexpected SIM Toolkit application appearances
Changes in network registration behavior
Unusual binary SMS traffic to the device
Unauthorized modifications to SIM configuration

WIB Application Exploitation

Targeting the Wireless Internet Browser application on SIM cards

High Complexity

Remote Access

Impact Assessment

Remote execution of commands, browser manipulation, and unauthorized access to device functions

Detection Indicators

Unexpected browser launches
Unusual SMS activity
Battery drain from background activities
Suspicious network connections initiated by SIM

COMP128v1 SIM Card Ki Extraction

Exploits weaknesses in the COMP128v1 algorithm to extract the Ki secret key from a SIM card.

Medium Complexity

Physical access to the SIM card and a smart card reader

Impact Assessment

This exploit allows an attacker with physical access to a SIM card to extract the secret Ki key, which can then be used to clone the SIM card, intercept calls and SMS, or perform other identity theft.

Detection Indicators

Physical access to SIM card required
Multiple authentication attempts in short succession
Same IMSI active in multiple locations simultaneously after exploitation

SIMjacker Exploitation Tool

Demonstrates the SIMjacker attack which exploits the S@T Browser on SIM cards to perform unauthorized operations.

High Complexity

Ability to send SMS messages to the target and a GSM modem or SMS gateway

Impact Assessment

This exploit allows attackers to perform various unauthorized operations on vulnerable SIM cards, including location tracking, sending SMS messages without user knowledge, and executing USSD codes.

Detection Indicators

Unusual binary SMS messages containing S@T Browser commands
Unexpected device behavior after receiving SMS
Suspicious SMS activities in network logs

SIM Card Side-Channel Power Analysis

Extracts cryptographic keys from SIM cards by analyzing power consumption patterns during cryptographic operations.

High Complexity

Physical access to the SIM card and specialized power analysis equipment

Impact Assessment

This sophisticated attack can extract cryptographic keys from SIM cards without leaving evidence of tampering, enabling SIM cloning and complete compromise of mobile communications.

Detection Indicators

Physical access to the SIM card required
Specialized hardware equipment needed (power analysis setup)
No direct network-observable indicators as the attack is purely physical

SIM Swapping Social Engineering Attack

Uses social engineering to convince mobile carrier employees to transfer a victim's phone number to an attacker-controlled SIM card.

High Complexity

Information about the victim and ability to contact their mobile carrier

Impact Assessment

SIM swapping allows attackers to take over a victim's phone number, intercept SMS-based two-factor authentication, and gain unauthorized access to email, financial, cryptocurrency, and social media accounts.

Detection Indicators

Sudden loss of cellular service on the victim's device
Unexpected 'SIM card changed' or 'phone number transferred' notifications
Unauthorized account access alerts
Password reset emails not initiated by the victim

SIM Card Fault Injection Attack

Uses precisely timed voltage glitches to disrupt SIM card operations and bypass security controls.

High Complexity

Physical access to the SIM card and specialized fault injection equipment

Impact Assessment

Fault injection can bypass PIN verification, access protected files, extract sensitive data, and manipulate SIM card security controls, potentially leading to complete compromise of the SIM card.

Detection Indicators

Physical access to the SIM card required
Specialized fault injection equipment needed
Potential SIM card malfunction after repeated glitching attempts
No direct network-observable indicators as the attack is purely physical

eSIM Profile Hijacking

Exploits vulnerabilities in the Remote SIM Provisioning (RSP) process to hijack eSIM profiles.

High Complexity

Network access and ability to intercept eSIM provisioning traffic

Impact Assessment

eSIM profile hijacking allows attackers to clone a victim's mobile identity without physical access to their device, enabling call/SMS interception, account takeovers, and bypassing SMS-based authentication.

Detection Indicators

Unexpected profile download or deletion notifications
Loss of mobile service on the victim's device
Multiple devices using the same mobile identity simultaneously
Unusual activity in eSIM management portals

SIM Security Testing Methodology

Testing Phases

15+

Security Tools

50+

Test Cases

Physical Analysis

Examining the physical characteristics and security features of SIM cards.

Testing Techniques

Visual inspection and photography
Side-channel analysis preparation
Chip decapsulation (invasive testing)
Interface probing

Required Tools

Digital microscope

Decapsulation equipment

Probe station

Electrical Interface Testing

Testing the SIM card's electrical interfaces for vulnerabilities.

Testing Techniques

Smart card interface fuzzing
Clock and voltage glitching
Power analysis
Fault injection

Required Tools

ChipWhisperer

Smart card reader

Logic analyzer

Power trace analyzer

Protocol-Level Testing

Testing the communication protocols and authentication mechanisms.

Testing Techniques

APDU command fuzzing
Authentication algorithm analysis
OTA (Over-the-Air) security testing
SIM Toolkit application testing

Required Tools

Osmocom SIMtrace

pySim

SIM Toolkit testing suite

RainbowCrack

Cryptographic Analysis

Analyzing and testing the cryptographic implementations.

Testing Techniques

Cryptographic algorithm identification
Key extraction attempts
Authentication vector analysis
Known vulnerability testing (COMP128, etc.)

Required Tools

Kraken (A5/1 cracking)

SIMspider

Rainbow tables

Custom cryptanalysis scripts

Defense Strategies & Best Practices

Preventive Measures

Algorithm Upgrades:
Replace COMP128v1 with MILENAGE or TUAK
OTA Security:
Implement strong OTA authentication and encryption
Application Control:
Disable unnecessary SIM Toolkit applications

Detection & Monitoring

Network Monitoring:
Monitor for suspicious binary SMS patterns
Anomaly Detection:
Track unusual SIM Toolkit activity
Behavioral Analysis:
Analyze device location and usage patterns

Security Implementation Roadmap

Step-by-step approach to improving SIM security

Assessment & Inventory

Audit existing SIM cards and identify vulnerable algorithms

Algorithm Migration

Upgrade to secure authentication algorithms

OTA Hardening

Implement secure OTA update mechanisms

Monitoring Deployment

Deploy security monitoring and detection systems

SIM Security Testing Tools

Hardware Tools

• Smart card readers (PC/SC compatible)
• SIM card adapters and programmers
• Logic analyzers for interface monitoring
• Oscilloscopes for side-channel analysis

Software Tools

• pySim - SIM card management toolkit
• SIMtrace - SIM protocol analyzer
• Kraken - A5/1 cryptanalysis tool
• SIMspider - COMP128 attack tool

Network Tools

• SMS gateways for OTA testing
• Binary SMS analyzers
• Network protocol analyzers
• SIM Toolkit testing frameworks

Master SIM Security Testing

Take your mobile security skills to the next level with our comprehensive SIM security resources

Expert-Level Content

Hands-On Labs

Real-World Scenarios

Share this article

Table of Contents