A subscriber identity module or subscriber identification module (SIM) is a small smart card inserted into a mobile phone. The SIM identifies and authenticates the subscriber to the mobile network, and it also stores personal data such as short message service (SMS) messages and contacts, device-specific data, and the key files needed to register with mobile networks. Recently, with Android's growing popularity, the platform has begun to attract new attacks. Service providers have therefore adopted the Universal Subscriber Identity Module (USIM) as a hardware-based security device that stores sensitive data such as certificates and credit-card and transportation-card credentials. Data inside the USIM is assumed to be better protected than data held by an ordinary application, because only authorized applications are supposed to be able to access it. For that reason, the USIM has become crucial to service providers for maintaining the security of their services.
This thesis investigates the security mechanisms associated with the USIM holistically in current Android smartphones, from the USIM itself up to Android applications. More specifically, we examine 1) the USIM itself, 2) the device-specific USIM framework that connects the USIM to the operator-specific framework, and 3) the operator-specific framework that sits between the device-specific framework and Android applications. We first investigated the security problems in the communication between the USIM and the system framework on Android. We then analyzed the entities that communicate with the USIM and with the framework at each layer, as well as the data transferred during that communication. As a result, we found several vulnerabilities in USIM services that an adversary can reach. Because of improper implementation of the device and operator USIM frameworks, we were able to send arbitrary commands to the USIM without holding the proper permission, either from an Android application or through the modem interface that is registered when the mobile device is connected to a personal computer.
Using this vulnerability, an adversary can perform every USIM-related operation, including reading data such as SMS messages, contacts, mobile-device information and network context, and even accessing the applets that store certificates and transportation cards. We further investigated the root causes of these vulnerabilities, which can occur in the products of major manufacturers and operators, and on that basis demonstrated that attacks against the USIM are feasible in a real-world environment. Finally, we propose mitigations at each layer that can prevent all of the USIM-related attacks presented.
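The flaw described above (a framework that forwards any caller's commands to the USIM) and the framework-layer mitigation can be made concrete with a small model. The following is an added example, not code from the thesis or from any manufacturer or operator framework: `PassThroughFramework` forwards every APDU unchecked, so an unprivileged caller can SELECT the SMS file and read its records; `GatedFramework` requires a permission, mirrors the card's file selection, and refuses data commands against sensitive files. The file identifiers (EF_ICCID, EF_IMSI, EF_ADN, EF_SMS) and status words are the standard 3GPP and ISO 7816-4 values; the permission name, the toy USIM and its stored contents are constructed assumptions.

```python
"""Added example, not code from the thesis: an APDU pass-through versus a stateful APDU gate.
File identifiers follow 3GPP TS 31.102 / TS 51.011; the permission name and card contents are assumed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

EF_ICCID = 0x2FE2  # transparent EF under the MF
EF_IMSI = 0x6F07   # transparent EF, the subscriber identity
EF_ADN = 0x6F3A    # linear fixed EF, abbreviated dialling numbers (contacts)
EF_SMS = 0x6F3C    # linear fixed EF, stored short messages

INS_SELECT, INS_READ_BINARY, INS_READ_RECORD, INS_UPDATE_RECORD = 0xA4, 0xB0, 0xB2, 0xDC
SW_OK, SW_SECURITY, SW_NOT_ALLOWED = b"\x90\x00", b"\x69\x82", b"\x69\x86"
SW_FILE_NOT_FOUND, SW_RECORD_NOT_FOUND, SW_INS_UNSUPPORTED = b"\x6a\x82", b"\x6a\x83", b"\x6d\x00"


@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None


def parse_apdu(raw: bytes) -> Apdu:
    """Parse a short ISO 7816-4 command APDU (cases 1 to 4, no extended length)."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if len(body) <= 1:  # case 1 (header only) or case 2 (header + Le)
        return Apdu(cla, ins, p1, p2, le=body[0] if body else None)
    lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc or len(rest) > 1:
        raise ValueError("Lc/Le do not match the APDU length")
    return Apdu(cla, ins, p1, p2, data, rest[0] if rest else None)


@dataclass
class ToyUsim:
    """Minimal USIM model: transparent EFs as bytes, linear fixed EFs as record lists (constructed data)."""
    files: dict = field(default_factory=lambda: {
        EF_ICCID: bytes.fromhex("98440100000000000001"),
        EF_IMSI: bytes.fromhex("082943000000000001"),
        EF_ADN: [b"Alice".ljust(14, b"\xff"), b"Bob".ljust(14, b"\xff")],
        EF_SMS: [b"\x01" + b"constructed SMS".ljust(20, b"\xff")],
    })
    selected: Optional[int] = None

    def transmit(self, apdu: Apdu) -> bytes:
        if apdu.ins == INS_SELECT and apdu.p1 == 0x00 and len(apdu.data) == 2:
            fid = int.from_bytes(apdu.data, "big")  # SELECT by file identifier
            if fid not in self.files:
                return SW_FILE_NOT_FOUND
            self.selected = fid
            return SW_OK
        body = self.files.get(self.selected)
        if body is None:
            return SW_NOT_ALLOWED  # no EF selected
        if apdu.ins == INS_READ_BINARY and isinstance(body, bytes):
            offset, length = (apdu.p1 << 8) | apdu.p2, apdu.le or 256
            return body[offset:offset + length] + SW_OK
        if apdu.ins == INS_READ_RECORD and isinstance(body, list) and apdu.p2 & 0x07 == 0x04:
            if 1 <= apdu.p1 <= len(body):  # absolute record number in P1
                return body[apdu.p1 - 1] + SW_OK
            return SW_RECORD_NOT_FOUND
        return SW_INS_UNSUPPORTED


class PassThroughFramework:
    """The flaw: the caller's APDU reaches the card regardless of what permissions it holds."""
    def __init__(self, usim: ToyUsim):
        self.usim = usim

    def transmit(self, caller_perms: set, raw: bytes) -> bytes:
        return self.usim.transmit(parse_apdu(raw))


class GatedFramework:
    """Mitigation: require a permission, mirror file selection, deny data commands on sensitive EFs."""
    REQUIRED_PERMISSION = "com.example.USIM_ACCESS"  # hypothetical permission name
    SENSITIVE_EFS = {EF_IMSI, EF_ADN, EF_SMS}
    DATA_INS = {INS_READ_BINARY, INS_READ_RECORD, INS_UPDATE_RECORD}

    def __init__(self, usim: ToyUsim):
        self.usim = usim
        self.selected: Optional[int] = None

    def transmit(self, caller_perms: set, raw: bytes) -> bytes:
        if self.REQUIRED_PERMISSION not in caller_perms:
            return SW_SECURITY  # unprivileged callers never reach the card
        apdu = parse_apdu(raw)
        if apdu.ins == INS_SELECT:
            if apdu.p1 != 0x00 or len(apdu.data) != 2:
                return SW_NOT_ALLOWED  # only SELECT by FID is tracked; anything else is refused
            self.selected = int.from_bytes(apdu.data, "big")
        elif apdu.ins in self.DATA_INS and self.selected in self.SENSITIVE_EFS:
            return SW_SECURITY
        return self.usim.transmit(apdu)


def select_by_fid(fid: int) -> bytes:
    return bytes([0x00, INS_SELECT, 0x00, 0x04, 0x02]) + fid.to_bytes(2, "big")


READ_RECORD_1 = bytes([0x00, INS_READ_RECORD, 0x01, 0x04, 0x00])
READ_BINARY_ALL = bytes([0x00, INS_READ_BINARY, 0x00, 0x00, 0x00])


def run(framework, caller_perms: set, apdus: list) -> list:
    """Send a sequence of raw APDUs through a framework and collect the responses."""
    return [framework.transmit(caller_perms, raw) for raw in apdus]


if __name__ == "__main__":
    attack = [select_by_fid(EF_SMS), READ_RECORD_1]  # unprivileged app dumps a stored SMS
    print(run(PassThroughFramework(ToyUsim()), set(), attack))
    print(run(GatedFramework(ToyUsim()), set(), attack))
    print(run(GatedFramework(ToyUsim()), {GatedFramework.REQUIRED_PERMISSION}, attack))
```

The gate has to be stateful: a READ RECORD APDU carries no file identifier, so a filter that inspects commands one at a time cannot tell an SMS read from any other read unless it tracks the preceding SELECT. The model only understands SELECT by file identifier and refuses SELECT by path or by AID; a production gate must either parse those forms as well or deny them, otherwise a caller can reach a sensitive EF through a path the filter never saw.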