Dec 7, 2009

SIM security and GSM security


In the old days the SIM was there to control access to the GSM network. A GSM 11.11 compliant handset would forward the network's authentication challenge (the RAND) to the SIM by issuing the RUN GSM ALGORITHM command, and hand the resulting SRES and Kc back to the network. And that was it. The threat was clear (unauthenticated access to the network) and the security of the solution relied entirely on the security of the SIM: the secret key Ki never left the card, and the handset was little more than a relay.
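To make the old model concrete, here is an added example (written for this page; it is not code from the original post or from any GSM stack) that simulates the RUN GSM ALGORITHM exchange between network, handset and SIM. The APDU shapes and status words follow GSM 11.11; `toy_a3a8` is an assumed HMAC-based stand-in for the operator's A3/A8, not COMP128 or any real algorithm, and `SimCard`, `AuthCentre` and `handset_authenticate` are names chosen here.

```python
# Added example (not from the original post): a simulation of the GSM 11.11
# RUN GSM ALGORITHM exchange between network, handset and SIM.
# Assumption: toy_a3a8 is a stand-in for the operator's secret A3/A8 and is
# NOT COMP128 or any real algorithm; only the APDU shapes follow GSM 11.11.
import hmac
import hashlib
import os
from typing import Optional, Tuple

CLA_GSM = 0xA0
INS_RUN_GSM_ALGORITHM = 0x88   # GSM 11.11, RUN GSM ALGORITHM
INS_GET_RESPONSE = 0xC0


def toy_a3a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in A3/A8 (assumption, not the real algorithm).
    Returns (SRES, Kc) with the real sizes: 4 bytes and 8 bytes."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class SimCard:
    """Minimal SIM: holds Ki, answers RUN GSM ALGORITHM and GET RESPONSE.
    Ki never leaves this class; that is the whole security argument."""

    def __init__(self, ki: bytes) -> None:
        self._ki = ki
        self._pending = b""

    def transmit(self, apdu: bytes) -> Tuple[bytes, int]:
        cla, ins, p1, p2, p3 = apdu[:5]
        if cla != CLA_GSM:
            return b"", 0x6E00                       # class not supported
        if ins == INS_RUN_GSM_ALGORITHM:
            rand = apdu[5:5 + p3]
            if p3 != 16 or len(rand) != 16:
                return b"", 0x6700                   # wrong length
            sres, kc = toy_a3a8(self._ki, rand)
            self._pending = sres + kc
            return b"", 0x9F0C                       # 12 response bytes available
        if ins == INS_GET_RESPONSE:
            data, self._pending = self._pending[:p3], b""
            return data, 0x9000
        return b"", 0x6D00                           # INS not supported


def handset_authenticate(sim: SimCard, rand: bytes) -> Tuple[bytes, bytes]:
    """What a GSM 11.11 compliant handset does: forward RAND, return SRES and Kc."""
    apdu = bytes([CLA_GSM, INS_RUN_GSM_ALGORITHM, 0x00, 0x00, len(rand)]) + rand
    _, sw = sim.transmit(apdu)
    if sw >> 8 != 0x9F:
        raise RuntimeError(f"SIM rejected RUN GSM ALGORITHM: SW={sw:04X}")
    data, sw = sim.transmit(bytes([CLA_GSM, INS_GET_RESPONSE, 0x00, 0x00, sw & 0xFF]))
    if sw != 0x9000 or len(data) != 12:
        raise RuntimeError(f"unexpected GET RESPONSE: SW={sw:04X} len={len(data)}")
    return data[:4], data[4:12]


class AuthCentre:
    """Network side (AuC/HLR): shares Ki with the SIM, nothing with the handset."""

    def __init__(self, ki: bytes) -> None:
        self._ki = ki

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, rand: bytes, sres: bytes) -> Tuple[bool, bytes]:
        expected_sres, kc = toy_a3a8(self._ki, rand)
        return hmac.compare_digest(expected_sres, sres), kc


def run_authentication(sim_ki: bytes, network_ki: bytes,
                       rand: Optional[bytes] = None) -> bool:
    """One authentication round; True only if SIM and network agree on Ki."""
    auc, sim = AuthCentre(network_ki), SimCard(sim_ki)
    rand = rand if rand is not None else auc.challenge()
    sres, kc_handset = handset_authenticate(sim, rand)   # handset sees RAND/SRES/Kc only
    ok, kc_network = auc.verify(rand, sres)
    return ok and kc_handset == kc_network


if __name__ == "__main__":
    ki = bytes(range(16))
    print("genuine SIM:", run_authentication(ki, ki))            # True
    print("SIM with wrong Ki:", run_authentication(bytes(16), ki))  # False
```

The point of the simulation is what the handset does not see: only RAND goes in and SRES plus Kc come out, so even a fully compromised handset can misuse the Kc it is handed, or refuse to relay, but it cannot authenticate to the network without the SIM.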

The SIM application toolkit complicates things, however. A GSM 11.14 compliant handset implements a considerably more complex protocol: it polls the SIM for proactive commands issued by the (typically Java Card) applets on it, relays messages to and from the network, and drives the GUI on the applets' behalf. If the handset implements this protocol correctly, then SIM applets have a trusted interface to the user during so-called proactive SIM sessions. This means, for example, that an application on the handset (a MIDlet, say) cannot interfere with the GUI during such a session. (GSM 11.14 doesn't actually say that, but other ETSI standards such as ETSI 102 206 seem to rely on it.)
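For the protocol sketched above, here is an added example (written for this page; it is not the post's code and not any real handset or SIM implementation) of one proactive SIM session: the handset polls with STATUS, sees the 91 XX status word, FETCHes a DISPLAY TEXT command, renders it, and answers with TERMINAL RESPONSE. The INS codes, tags and result values are the GSM 11.14 ones; the TLV subset, `ToolkitSim`, `Handset` and the `in_proactive_session` screen lock are simplifications assumed here to model the "a MIDlet cannot interfere" property.

```python
# Added example (not from the original post): a toy proactive SIM session in
# which a SIM applet issues DISPLAY TEXT and the handset fetches, parses and
# executes it in the GSM 11.14 style. Assumptions: the TLV subset, the
# status-word handling and the screen lock are simplified models for this page.
from typing import List, Tuple

CLA_GSM = 0xA0
INS_FETCH, INS_TERMINAL_RESPONSE, INS_STATUS = 0x12, 0x14, 0xF2
TAG_PROACTIVE_CMD = 0xD0
TAG_COMMAND_DETAILS, TAG_DEVICE_IDENTITIES = 0x01, 0x02
TAG_RESULT, TAG_TEXT_STRING = 0x03, 0x0D
CMD_DISPLAY_TEXT = 0x21
DEV_SIM, DEV_ME = 0x81, 0x82
DCS_8BIT = 0x04
RESULT_OK, RESULT_TYPE_NOT_UNDERSTOOD, RESULT_DATA_NOT_UNDERSTOOD = 0x00, 0x31, 0x32


def tlv_encode(tag: int, value: bytes) -> bytes:
    """Simple TLV with the comprehension-required bit set (tag | 0x80)."""
    if len(value) >= 0x80:
        raise ValueError("example supports lengths below 0x80 only")
    return bytes([tag | 0x80, len(value)]) + value


def tlv_decode(buf: bytes) -> List[Tuple[int, bytes]]:
    """Decode a run of simple TLVs; the CR bit is stripped from the tag."""
    out, i = [], 0
    while i < len(buf):
        tag, length = buf[i] & 0x7F, buf[i + 1]
        i += 2
        if length >= 0x80:
            raise ValueError("multi-byte length not supported in this example")
        out.append((tag, buf[i:i + length]))
        i += length
    return out


class ToolkitSim:
    """SIM with one applet that wants to put a message on the handset screen."""

    def __init__(self, text: str) -> None:
        # Command details: command number 1, DISPLAY TEXT, qualifier 0x80 (wait for user to clear)
        body = (tlv_encode(TAG_COMMAND_DETAILS, bytes([0x01, CMD_DISPLAY_TEXT, 0x80]))
                + tlv_encode(TAG_DEVICE_IDENTITIES, bytes([DEV_SIM, DEV_ME]))
                + tlv_encode(TAG_TEXT_STRING, bytes([DCS_8BIT]) + text.encode("latin-1")))
        self._pending = bytes([TAG_PROACTIVE_CMD, len(body)]) + body
        self.terminal_responses: List[bytes] = []

    def transmit(self, apdu: bytes) -> Tuple[bytes, int]:
        ins, p3 = apdu[1], apdu[4]
        if ins == INS_STATUS:                      # poll: 91 XX means "fetch XX bytes"
            return b"", (0x9100 | len(self._pending)) if self._pending else 0x9000
        if ins == INS_FETCH:
            data, self._pending = self._pending, b""
            return data, 0x9000
        if ins == INS_TERMINAL_RESPONSE:
            self.terminal_responses.append(apdu[5:5 + p3])
            return b"", 0x9000
        return b"", 0x6D00


class Handset:
    """GSM 11.14 side: polls, fetches, executes, and owns the screen."""

    def __init__(self, sim: ToolkitSim) -> None:
        self.sim, self.screen, self.in_proactive_session = sim, [], False

    def app_display_text(self, text: str) -> None:
        """What a MIDlet gets: the screen is refused while a proactive session runs."""
        if self.in_proactive_session:
            raise PermissionError("screen belongs to the SIM during a proactive session")
        self.screen.append(text)

    def poll(self) -> bool:
        """One polling step; True if a proactive command was fetched and handled."""
        _, sw = self.sim.transmit(bytes([CLA_GSM, INS_STATUS, 0, 0, 0]))
        if sw >> 8 != 0x91:
            return False
        self.in_proactive_session = True
        try:
            data, _ = self.sim.transmit(bytes([CLA_GSM, INS_FETCH, 0, 0, sw & 0xFF]))
            details, result = self.execute(data)
            body = (tlv_encode(TAG_COMMAND_DETAILS, details)
                    + tlv_encode(TAG_DEVICE_IDENTITIES, bytes([DEV_ME, DEV_SIM]))
                    + tlv_encode(TAG_RESULT, bytes([result])))
            self.sim.transmit(bytes([CLA_GSM, INS_TERMINAL_RESPONSE, 0, 0, len(body)]) + body)
        finally:
            self.in_proactive_session = False
        return True

    def execute(self, data: bytes) -> Tuple[bytes, int]:
        if data[:1] != bytes([TAG_PROACTIVE_CMD]):
            raise ValueError("not a proactive command")
        fields = dict(tlv_decode(data[2:2 + data[1]]))
        details = fields[TAG_COMMAND_DETAILS]
        if tuple(fields.get(TAG_DEVICE_IDENTITIES, b"")) != (DEV_SIM, DEV_ME):
            return details, RESULT_DATA_NOT_UNDERSTOOD   # only the SIM may drive the GUI
        if details[1] != CMD_DISPLAY_TEXT:
            return details, RESULT_TYPE_NOT_UNDERSTOOD
        text = fields[TAG_TEXT_STRING]
        if text[0] != DCS_8BIT:
            return details, RESULT_DATA_NOT_UNDERSTOOD
        self.screen.append(text[1:].decode("latin-1"))   # trusted path to the user
        return details, RESULT_OK
```

The refusal in `app_display_text` is the whole guarantee the handset is trusted to provide: while the session is open, only the fetched command reaches the screen. On a handset the user (or an intruder) fully controls, that lock is just a variable in software that can be flipped.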

Some weeks ago a worm targeting jailbroken iPhones was discovered. The iPhone (besides being a lot of other things) is a GSM handset which implements GSM 11.14 at some level. The big question is: is a jailbroken iPhone still a GSM 11.14 compliant handset? Once arbitrary code runs with full privileges on the device, whatever keeps applications away from the GUI during a proactive SIM session is just more software on the same machine, and nothing on the SIM side can tell the difference.

With smartphone operating systems becoming more open (and users demanding control over them) this is getting more interesting. Perhaps a hypervisor-based approach, which isolates the part of the handset that talks to the SIM from the open application OS, is the solution. In any case, it's not as simple as it used to be.