[Simsec] SIMtester: Major update to the ultimate SIM pentest tool

Karsten Nohl nohl at srlabs.de
Thu Feb 4 13:41:58 CET 2016

Dear SIM Security Community,

Some SIM cards are configured insecurely, allowing attacks via SMS. We discussed this in 2013 [1] and have since seen many networks improve their SIM card configuration. In some cases, the SIMtester tool [2] was used to spot the issues. SIMtester’s public version allowed for TAR scanning, APDU scanning, and fuzzing of SIMs.

Over the past two years, we extended SIMtester extensively based on hundreds of tested SIM cards. We are releasing today what we consider the ultimate SIM pentesting tool: SIMtester 1.8.1 [2]:


— *Configurable OTA-Response handling* You can now choose how a reply to OTA-Messages is handled. Its possible to choose between SMS-DELIVER-REPORT or SMS-SUBMIT

— *Extended OTA-Passthrough-Fuzzer* The fuzzer can try vary the OTA message parameters in order to find alternate configurations that let the message through.

— *Fuzzing with constants* Its now possible to keep the KIC, KID, SPI1, SPI2 bytes constant while fuzzing

— *File Scanner* Some cards might contain proprietary files The filescanner finds such hidden files (and standard files, too, of course)

— *APDU-Scanner* Its now also possible to scan for instructions (INS) instead of classes (CLA)

— *Multi-reader handling* Its now possible to iterate multiple card readers to gather the card info faster

— *2G Fallback* In rare cases, some cards might react problematic when the 3G APDU format is used. In case of problems the user can now decide to use the 2g APDU format only

Please send us your results (or upload directly with the -gsmmap option) if you would like us to interpret your measurements.

Happy hacking!

Your   -SRLabs mobile security team

P.S. Join us: https://srlabs.de/hiring/

[1] https://srlabs.de/rooting-sim-cards/
[2] https://opensource.srlabs.de/projects/simtester/

More information about the Simsec mailing list