Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Some SIM / USIM card security (and ecosystem) info

From: Security Explorations <contact () security-explorations com>
Date: Fri, 4 Oct 2024 12:42:06 +0200
Hello All,

Those interested in SIM / USIM card security might find some
information at our spin-off project page dedicated to the topic
potentially useful:

https://security-explorations.com/sim-usim-cards.html

We share there some information based on the experiences gained in the
SIM / USIM card security space, all in a hope this leads to the
increase of public awareness on the topic, change perspective on the
SIM / USIM card industry and potentially trigger some positive changes
(such as introduce transparency in vulnerability handling processes in
particular).

The page includes the following (among others):
- some guidelines for 3rd parties sharing similar security concerns
about SIM cards security as we do (rationale for checking things /
demanding infromation from vendors),
- notes summarizing key areas for in-depth security investigation,
which may be perceived in terms of a TODO / CHECK list for independent
security evaluators (labs), researchers, MNOs or product security
teams,
- the impact of a discloisure of 2019 flaws affecting some real-life
3G cards [1][2].

Finally, there is some info on "security through obscurity"
implemented by the industry (such as no sale policy to security
companies), which should serve as a warning sign for all concerned
parties (GOVs and MNOs in particular).

Thank you.

Best Regards,
Adam Gowdiak

----------------------------------
Security Explorations -
AG Security Research Lab
https://security-explorations.com
----------------------------------

References
[1] SE-2019-01-GEMALTO, Issues #19 and #33
    https://security-explorations.com/materials/SE-2019-01-GEMALTO.pdf
[2] SE-2019-01-GEMALTO-2, Issue #34
    https://security-explorations.com/materials/SE-2019-01-GEMALTO-2.pdf
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: