2026-06-25, Track 1
This talk presents our four-year journey investigating SIM-originating attacks. We discovered multiple vulnerabilities across a myriad of devices, ranging from phones to car chargers. The highlighted attacks include privacy leaks, memory corruption in basebands, lock-screen bypasses, and other logic bugs that allowed us to control modems in unexpected ways.
Beyond these attacks, we discuss the tooling we built along the way and provide an outlook into the future research of this attack surface.
All mobile devices connected to contemporary cellular networks must contain a SIM card, be it a removable plastic card or an embedded SIM (eSIM). Mobile device vendors, and the users of these devices, seldom question the trust placed in the SIM card and the physical interface it plugs into. The result is an interface of ever-growing complexity, with an assortment of unsafe-by-design legacy features that remain from the early days, when they may have been useful for delivering certain carrier services to under-powered "dumb" devices.
In this presentation, we describe our chronological exploration of various aspects of the SIM-ME (mobile equipment) interface. While earlier work already demonstrated the potential dangers of this attack surface, we found tooling and public information on the topic to be sparse, motivating us to dive deep into the topic.
To reduce the barrier to entry, we developed open-source research tooling, beginning with SIMurai. The framework combines a smart card emulation framework with a SIM emulator built on top of it, and allows us to explore the attack surface without the need for physical (research) SIMs. We integrated SIMurai with baseband firmware emulation to enable fuzz testing, which led to the discovery of three vulnerabilities. We were also able to reimplement existing attacks, such as SIMJacker-style location stealing. Extending the insights gained from emulation, we also explored the facilities available to hostile SIM applets and malicious SIM interposers.
Most recently, we developed CATana to explore the RUN AT proactive command, i.e., a specification-defined feature that allows SIM cards to issue AT commands directly to the ME. An exploration of phones and IoT modems revealed that, despite few legitimate use cases, running AT commands provided by the SIM is supported on various devices. To highlight the threats posed by this interface, we developed a range of attacks. To gauge how these attacks would look in production, when victim devices are connected to real cellular networks, we extended our existing frameworks with interposing capabilities.
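As an added example (not code from the talk, SIMurai or CATana), the following Python decoder parses a proactive UICC command and flags RUN AT COMMAND so that a terminal-side monitor or test harness can log or reject it before the modem executes anything. The tag and "Type of Command" values are those of ETSI TS 102 223 as I recall them and should be checked against the specification; both sample commands are constructed, not captured from any device.

```python
PROACTIVE_TAG = 0xD0          # BER-TLV tag of a proactive UICC command
TAG_COMMAND_DETAILS = 0x01    # comprehension-TLV tags (CR bit 0x80 masked off)
TAG_AT_COMMAND = 0x28
TYPE_RUN_AT_COMMAND = 0x34    # "Type of Command" value for RUN AT COMMAND
TYPE_NAMES = {0x21: "DISPLAY TEXT", 0x26: "PROVIDE LOCAL INFORMATION", 0x34: "RUN AT COMMAND"}

def _read_len(buf: bytes, i: int) -> tuple:
    """Return (length, next_index): one length byte, or 0x81 followed by one byte."""
    if buf[i:i + 1] == b"\x81":
        i += 1
    if i >= len(buf):
        raise ValueError("truncated length")
    return buf[i], i + 1

def parse_comprehension_tlvs(body: bytes) -> list:
    """Split the proactive command body into (tag, value) pairs, rejecting truncation."""
    out, i = [], 0
    while i < len(body):
        tag = body[i] & 0x7F            # strip the comprehension-required bit
        length, i = _read_len(body, i + 1)
        value = body[i:i + length]
        if len(value) != length:
            raise ValueError("truncated value for tag 0x%02x" % tag)
        out.append((tag, value))
        i += length
    return out

def inspect_proactive_command(apdu: bytes) -> dict:
    """Decode one proactive command and report whether it is RUN AT COMMAND."""
    if not apdu or apdu[0] != PROACTIVE_TAG:
        raise ValueError("not a proactive command")
    length, start = _read_len(apdu, 1)
    body = apdu[start:]
    if len(body) != length:
        raise ValueError("outer length mismatch")
    tlvs = dict(parse_comprehension_tlvs(body))
    details = tlvs.get(TAG_COMMAND_DETAILS)
    if details is None or len(details) != 3:
        raise ValueError("missing or malformed command details")
    cmd_type = details[1]              # bytes: command number, type, qualifier
    report = {"type": cmd_type, "name": TYPE_NAMES.get(cmd_type, "OTHER"),
              "run_at": cmd_type == TYPE_RUN_AT_COMMAND}
    if report["run_at"]:
        report["at_command"] = tlvs.get(TAG_AT_COMMAND, b"").decode("ascii", "replace")
    return report

# Constructed samples: RUN AT carrying the read-only query AT+CGMI, and a DISPLAY TEXT.
RUN_AT_SAMPLE = bytes.fromhex("D012" "8103013400" "82028182" "A807" + b"AT+CGMI".hex())
DISPLAY_TEXT_SAMPLE = bytes.fromhex("D00E" "8103012180" "82028102" "8D03044869")
```

A modem-side policy that feeds each FETCH response through `inspect_proactive_command` can refuse every command whose `run_at` flag is set, which removes the interface CATana exercises without touching other proactive commands.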
Lastly, we look to the future of SIM-originating attacks with our SIMcurity project. We are actively developing new tooling, such as SIMuscope, and provide an outlook on the new research directions we want to enable. Overall, we hope to encourage members of the community to take part in exploring and securing this ubiquitous technology.
Tomasz Lisowski is a PhD student at the University of Birmingham who is actively exploring the security of cellular technologies, in particular SIM cards. This work has resulted in an ever-growing range of open-source tools, demos, and experiments involving SIM cards and the cellular devices they are connected to.
Dr. Marius Muench is an assistant professor at the University of Birmingham. His research interests cover the (in-)security of embedded systems, binary and microarchitectural exploitation, and defenses. He obtained his PhD from Sorbonne University in cooperation with EURECOM and worked as a postdoctoral researcher at the Vrije Universiteit Amsterdam. He developed avatar2, a framework for analyzing embedded systems firmware, and FirmWire, an emulation and fuzzing platform for cellular basebands.
Throughout his career, Marius publicly shared his findings and presented at venues such as Black Hat, DEFCON, Reverse.io, REcon, and Hardwear.io.