Proactive SIM Cards – your phone is calling without your knowledge

Proactive SIM: a SIM (Subscriber Identity Module) that is capable of issuing commands to the handset (the "terminal", in GSM terminology) rather than only answering the handset's requests.

A Proactive SIM card is a SIM card that can issue commands to the cell phone on its own when conditions the card's software defines are met (at power-up, on a timer, or when an event the card subscribed to fires). The commands are defined by the SIM Application Toolkit (GSM 11.14, later ETSI TS 102 223). Because they travel over the SIM's interface to the Baseband Processor, and many of them (send an SMS, report the current cell, open a data channel) are addressed to the terminal or to the network rather than to the screen or keypad, the baseband can carry them out invisibly, bypassing the phone's operating system entirely.

This matters because no matter what OS your phone runs (iOS, Android, or a custom OS or firmware), the SIM's commands are executed quietly and transparently. Your OS, the part of the phone you interact with, need never learn that these commands ran and, more importantly, has no control over them. Nothing in the standard requires the baseband to tell the application OS; whether it does is up to the baseband vendor. There is no app and no OS setting that lets you monitor or block the commands a Proactive SIM issues; short of putting a hardware sniffer between the SIM and the baseband, you cannot even see them.

A high level understanding of cell phone architecture

If that is hard to picture, think of your phone as layered like a cake. The Baseband Processor is the part that actually controls the cellular radio: it handles all communication between the phone and the cell towers, and it is the direct descendant of the plain cell phones that predate smartphones. It is a mature technology, continually refined since the first cellular networks of the 1970s.

When smartphones arrived in the early 2000s, and went mainstream with the iPhone in 2007, engineers chose to leave the Baseband Processor as it was and build the smartphone's computer (the Application Processor) alongside it, with the two talking to each other over a defined interface but never merged. Smartphones have followed this model ever since; even where the two now share one chip, the baseband remains a separate processor running its own firmware. All of the Android and iOS technology lives on the Application Processor.

With that picture, a phone has three major parts that can all talk to each other: the SIM card, the Baseband Processor and the Application Processor. That brings us back to the Proactive SIM: a SIM card that issues commands directly to the Baseband Processor, bypassing the Application Processor, and thus the Android or iOS ecosystem, entirely.

And yes, Virginia, the SIM card is programmable and works as a mini-computer in its own right, just like the Baseband Processor and the Application Processor. SIM cards can also communicate with the Application Processor (that is how the carrier menus in your phone's SIM toolkit app get there), but that path is not our concern here, since the OS you run can see and control it. If you're a turbo-nerd, bless your heart, the 1997-era GSM Technical Specification for the SIM Application Toolkit (GSM 11.14) has the details on how SIM cards are programmed to issue these commands.

What can a Proactive SIM do?

All kinds of things! Unfortunately there isn't a lot of public information available. A 2012 DEF CON presentation discussed the existence of SIM applets and examined some potential use cases, but it presented no exploits and did not discuss any privacy-infringing uses; the talk mostly focused on the interaction between the SIM card and the Application Processor. The slides are worth a read for a better understanding of how SIMs work, but what we're interested in is what David Allen Burgess published in July 2021.

In a nutshell, a SIM card can quietly transmit any data it collects back to the carrier (or a government, or anyone else the card's software is written to contact) without the user's knowledge. The standard vehicle for this is a short message (the SIM Application Toolkit's SEND SHORT MESSAGE command) that the baseband sends on the SIM's behalf; since the Application Processor never sees it, it does not show up in the phone's messaging app. The SIM keeps no log of what it has sent, so it is impossible to know what was sent and when without the cooperation of the receiving organization.

The typical "baseline" information sent seems to be the IMEISV of the current phone, the IMEISV of the phone that previously hosted the SIM, the currently connected cell tower and the identity of the SIM card itself. (The IMEISV is the phone's IMEI plus a two-digit software version number for the baseband firmware, which is why updating that firmware changes it.) These transmissions seem to be triggered whenever the Baseband Processor's firmware is updated (the IMEISV changes) and whenever the SIM card is inserted into a phone, which implies that the card stores the last IMEISV it was given and reports when the value it sees on start-up differs.
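As an added example (not code from the original post or from Burgess's work), the following Python decodes proactive commands of the kind this section describes, as the baseband receives them from the card, and flags which ones can complete without the Application Processor: a PROVIDE LOCAL INFORMATION request for the IMEISV, a SEND SHORT MESSAGE addressed to the network, and, for contrast, a DISPLAY TEXT that needs the screen. The three sample commands and the SMS destination number are constructed for the example; the tag numbers, command types and device identities are the standard values from GSM 11.14 / ETSI TS 102 223.

```python
"""Decode and triage SIM Application Toolkit proactive commands
(GSM 11.14 / ETSI TS 102 223). Added example, not code from the post:
the terminal FETCHes one BER-TLV object with tag 0xD0; this decoder
reports whether it is addressed to the network/terminal (the baseband
can complete it alone) or to the display/keypad (the phone UI takes
part). Sample commands are constructed; tag numbers, command types and
device identities are the standard values.
"""

# Type of Command (second byte of the Command Details TLV).
COMMAND_TYPES = {0x01: "REFRESH", 0x05: "SET UP EVENT LIST", 0x10: "SET UP CALL",
                 0x13: "SEND SHORT MESSAGE", 0x21: "DISPLAY TEXT", 0x25: "SET UP MENU",
                 0x26: "PROVIDE LOCAL INFORMATION", 0x40: "OPEN CHANNEL", 0x43: "SEND DATA"}
# Device identities (source and destination bytes of the Device Identities TLV).
DEVICES = {0x01: "keypad", 0x02: "display", 0x03: "earpiece",
           0x81: "SIM", 0x82: "terminal", 0x83: "network"}
# Command qualifier of PROVIDE LOCAL INFORMATION: what the SIM is asking for.
LOCAL_INFO = {0x00: "location (MCC/MNC/LAC/Cell ID)", 0x01: "IMEI", 0x03: "date and time",
              0x06: "access technology", 0x08: "IMEISV"}
# Simple TLV tags with the comprehension-required bit (0x80) masked off.
TAG_COMMAND_DETAILS, TAG_DEVICE_IDENTITIES, TAG_SMS_TPDU, TAG_TEXT_STRING = 0x01, 0x02, 0x0B, 0x0D


def parse_tlvs(data: bytes) -> list:
    """Split data into (raw_tag, value) pairs. Length is one byte (0x00..0x7F)
    or 0x81 followed by one byte, the forms TS 102 223 uses here."""
    out, i = [], 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length == 0x81:
            length, i = data[i], i + 1
        elif length > 0x7F:
            raise ValueError(f"unsupported length form {length:#04x}")
        out.append((tag, data[i:i + length]))
        i += length
    return out


def decode_proactive(apdu: bytes) -> dict:
    """Decode one proactive command (outer tag 0xD0) into its fields."""
    outer = parse_tlvs(apdu)
    if len(outer) != 1 or outer[0][0] != 0xD0:
        raise ValueError("expected exactly one proactive command (tag 0xD0)")
    cmd = {}
    for raw_tag, value in parse_tlvs(outer[0][1]):
        tag = raw_tag & 0x7F
        if tag == TAG_COMMAND_DETAILS:
            cmd["number"], cmd["type"], cmd["qualifier"] = value
        elif tag == TAG_DEVICE_IDENTITIES:
            cmd["source"], cmd["destination"] = value
        elif tag == TAG_SMS_TPDU:
            cmd["tpdu"] = value
        elif tag == TAG_TEXT_STRING:  # first byte is the data coding scheme; 0x04 = 8-bit
            cmd["text"] = value[1:].decode("latin-1") if value[0] == 0x04 else value[1:].hex()
    if "type" not in cmd or "destination" not in cmd:
        raise ValueError("Command Details and Device Identities are mandatory")
    return cmd


def sms_destination(tpdu: bytes) -> str:
    """Return the TP-Destination-Address of an SMS-SUBMIT TPDU (3GPP TS 23.040)."""
    if tpdu[0] & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT TPDU")
    ndigits, toa = tpdu[2], tpdu[3]               # address length in digits, type of address
    packed = tpdu[4:4 + (ndigits + 1) // 2]       # BCD digits, low nibble first
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in packed)[:ndigits]
    return ("+" if toa & 0x70 == 0x10 else "") + digits   # 0x10 = international number


def triage(apdu: bytes) -> dict:
    """Summarise one proactive command: what it is, where it goes, whether it
    can complete without the application processor seeing it."""
    cmd = decode_proactive(apdu)
    ctype, dest = cmd["type"], cmd["destination"]
    detail = ""
    if ctype == 0x26:
        detail = LOCAL_INFO.get(cmd["qualifier"], f"qualifier {cmd['qualifier']:#04x}")
    elif ctype == 0x13 and "tpdu" in cmd:
        detail = "SMS to " + sms_destination(cmd["tpdu"])
    elif ctype == 0x21 and "text" in cmd:
        detail = cmd["text"]
    return {"command": COMMAND_TYPES.get(ctype, f"unknown ({ctype:#04x})"),
            "destination": DEVICES.get(dest, f"unknown ({dest:#04x})"),
            "silent": dest in (0x82, 0x83),      # terminal or network: baseband-only
            "detail": detail}


# Constructed samples, not captured traffic.
SAMPLE_IMEISV = bytes.fromhex("D009 8103012608 82028182")        # PROVIDE LOCAL INFO, IMEISV
SAMPLE_SEND_SMS = bytes.fromhex(                                   # SEND SHORT MESSAGE -> network
    "D01B 8103011300 82028183 8B10 01000B912143658709F1000403AABBCC")
SAMPLE_DISPLAY = bytes.fromhex("D011 8103012180 82028102 8D06 0448656C6C6F")  # DISPLAY TEXT "Hello"

if __name__ == "__main__":
    for sample in (SAMPLE_IMEISV, SAMPLE_SEND_SMS, SAMPLE_DISPLAY):
        print(triage(sample))
```

The "silent" flag follows the standard's addressing: a command whose destination is the terminal or the network can be serviced entirely inside the baseband, whereas one addressed to the display, keypad or earpiece must involve the phone's UI. Whether a given baseband also surfaces the silent ones to the Application Processor as notifications is a vendor choice; the decoder shows what the card asked for, not how a particular phone routes it. A capture from a SIM-to-baseband interposer would be fed in the same way, one 0xD0 object at a time.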

The immediate implication is that a carrier can build a "chain of custody": every phone a SIM card was ever inserted into, and when. The owner of the SIM card, the SIM card itself and every phone it has lived in are thereby tied together in a database, permanently. Furthermore, if you swap SIM cards in the same phone, the carrier can identify that those SIM cards are related, because they all reported the same IMEISV.

Furthermore, because IMEISV numbers function much like VINs and are tracked as such, even an anonymously purchased SIM card can be compromised by tying it back to a particular phone via the IMEISV and then finding where, when and by whom that phone was purchased.

Privacy breach mitigation

Mitigating this privacy breach properly means communicating from a device that has no SIM card and no Baseband Processor at all. In practice that might mean tooling up a Wi-Fi-only device such as an iPod Touch or an Android tablet without a cellular modem, where the only privacy-breach vectors are in the Application Processor, the part you can actually inspect and control.