SIM Man In The Middle

This article compares the various pieces of equipment used in an experimental setup for sniffing the traffic between a SIM card and a phone.

Dec 2, 2012

In the past I have had several occasions to sniff the traffic between a SIM card and a phone:

  • In NFC applications, SIMs are updated OTA (Over The Air) with the CAT_TP protocol, and it was necessary to inspect that traffic
  • Analyzing the timing between the air traffic and the SIM traffic
  • Inspecting STK (SIM Tool Kit) proactive commands sent from the SIM to the phone

I used several pieces of equipment for this and also built my own. Here I explain the differences between them.

Rebel SIM

RebelSim is a basic USB sniffer. Its schematic is quite simple: it is composed of a USB-to-serial converter (FTDI FT2232) whose RXD pin is connected to the data wire between the SIM and the phone. It is therefore necessary to configure the baud rate of the virtual serial interface to match the one used by the SIM.

The main disadvantage of this solution is that the bit-rate of the SIM card during the ATR (Answer to Reset) is not the same as the one used after the ATR, since the F and D factors are described in the ATR response. Following the dialog is therefore not that trivial, and if the phone clocks the SIM at a non-standard bit-rate, the dump will not occur at all.
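To illustrate why a fixed-baud-rate UART sniffer loses the dialog, here is an added example (not code from the original post or from any of the products discussed) that walks the interface bytes of an ISO 7816-3 ATR, extracts TA1, and derives the bit-rate before and after the ATR from the F and D factors for a given SIM clock. The sample ATR and the 3.5712 MHz clock are constructed values.

```python
"""Decode F and D from an ISO 7816-3 ATR and derive the SIM bit-rate (added example)."""

# Fi / Di lookup tables from ISO/IEC 7816-3 (TA1 high / low nibble); None = reserved (RFU).
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None, None, 512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]
DEFAULT_F, DEFAULT_D = 372, 1  # values in force while the ATR itself is being sent


def parse_atr(atr: bytes) -> dict:
    """Walk the interface bytes (TA/TB/TC/TD groups) and verify TCK where one is present."""
    if atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte")
    t0 = atr[1]
    k = t0 & 0x0F                    # number of historical bytes
    y, i, n = t0 >> 4, 2, 1          # Y1 mask, byte index, interface-byte group number
    ta, protocols = {}, []
    while True:
        if y & 1:                    # TAn present
            ta[n] = atr[i]; i += 1
        if y & 2: i += 1             # TBn present (not needed here)
        if y & 4: i += 1             # TCn present (not needed here)
        if y & 8:                    # TDn present: next Y mask + protocol type T
            td = atr[i]; i += 1
            protocols.append(td & 0x0F)
            y, n = td >> 4, n + 1
        else:
            break
    historical = atr[i:i + k]; i += k
    tck_ok = True                    # TCK exists unless only T=0 is indicated; XOR(T0..TCK) must be 0
    if any(p != 0 for p in protocols):
        xor = 0
        for b in atr[1:i + 1]:
            xor ^= b
        tck_ok = (xor == 0)
    return {"ta1": ta.get(1), "ta2": ta.get(2), "protocols": protocols or [0],
            "historical": historical, "tck_ok": tck_ok}


def bit_rate(ta1, clock_hz: int) -> float:
    """Bit-rate in bit/s: one etu = (F/D) clock cycles, so rate = f * D / F."""
    f, d = (DEFAULT_F, DEFAULT_D) if ta1 is None else (FI_TABLE[ta1 >> 4], DI_TABLE[ta1 & 0x0F])
    if f is None or d is None:
        raise ValueError("TA1 uses a reserved Fi/Di value")
    return clock_hz * d / f


def sniffer_rates(atr: bytes, clock_hz: int) -> dict:
    """What a UART sniffer must be set to during the ATR versus afterwards."""
    info = parse_atr(atr)
    # TA2 absent means negotiable mode: the new F/D only apply after a successful PPS exchange.
    mode = "specific (switch right after ATR)" if info["ta2"] is not None else "negotiable (after PPS)"
    return {"atr_baud": bit_rate(None, clock_hz), "after_baud": bit_rate(info["ta1"], clock_hz), "mode": mode}


CLOCK_HZ = 3_571_200  # constructed: phone clocking the SIM at 3.5712 MHz
SAMPLE_ATR = bytes.fromhex("3B9F96801FC78031E073FE21135786810286984418AF")  # constructed sample
```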

Bladox

Bladox is made of two pieces. The Turbo Lite 2 embeds an ARM processor which performs the MITM between the SIM and the mobile: it answers the reset itself and sends its own ATR response. The Turbo Programmer hosts the TurboLite2 and sends the data back to the host computer using an FTDI chip.

The advantage of the TurboLite2 is that the lines are isolated with optocouplers and the board is powered by the phone itself. The disadvantage is that if a command is unknown to it, the TurboLite will not relay it back to the SIM. It actually just uses the SIM card for its telco resources (IMSI/Ki).

SimTrace

SIMTrace is part of the Osmocom project. It is built around an ARM processor that could cut the line between the SIM and the reader and therefore emulate the SIM on one side and the reader on the other side, but the software for doing so has never been finished.

It has the advantage of being connected to the CLK (clock) pin of the SIM, so it can count clock cycles and stay correct on the time division.
