SIM Man In The Middle

In the past I have several times needed to sniff the traffic between a SIM card and a phone:

  • In NFC applications, SIMs are updated OTA (Over The Air) with the CAT_TP protocol, and that traffic had to be inspected
  • To analyze the timing between the air traffic and the SIM traffic
  • To inspect STK (SIM Tool Kit) proactive commands sent from the SIM to the phone

I used several pieces of equipment for this and built my own. Here I explain the differences between them.

  • Rebel SIM

    RebelSim is a basic USB sniffer. Its schematic is quite simple: it consists of a USB-to-serial converter (FTDI FT2232) whose RXD pin is connected to the data wire between the SIM and the phone. It is therefore necessary to configure the baud rate of the virtual serial interface to match the one used by the SIM. The main disadvantage of this solution is that the bit rate of the SIM card during the ATR (Answer to Reset) is not the same as the one used afterwards, since the F and D factors are announced in the ATR. Following the dialog is therefore not trivial, and if the phone clocks the SIM at a non-standard bit rate, nothing gets captured.

  • Bladox

    Bladox is made of two pieces. The Turbo Lite 2 embeds an ARM processor that performs the MITM between the SIM and the mobile; it answers the reset itself and sends its own ATR. The Turbo Programmer hosts the TurboLite2 and sends the data back to the host computer through an FTDI chip. The advantage of the TurboLite2 is that the lines are isolated with optocouplers and that it is powered by the phone itself. The disadvantage is that if a command is unknown, the TurboLite does not relay it to the SIM; it actually just uses the SIM card for its telco resources (IMSI/Ki).

  • SimTrace

    SIMTrace is part of the Osmocom project. It is built around an ARM processor that can cut the line between the SIM and the reader and therefore emulate the SIM on one side and the reader on the other, although the software for doing so was never finished. It has the advantage of being connected to the CLK (clock) pin of the SIM, so it can count clock cycles and get the bit timing right.
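The bit-rate change that trips up a plain serial sniffer such as RebelSim comes from the TA1 interface byte of the ATR, which encodes the clock-rate conversion factor F and the baud-rate adjustment factor D of ISO/IEC 7816-3. The following added example (not code from the post or from any of the products above) walks the ATR's interface bytes, extracts TA1 and computes the bit rate before and after the parameter switch; the 4 MHz SIM clock and the ATR bytes are constructed values for illustration.

```python
"""Derive SIM bit rates from the ATR interface bytes (ISO/IEC 7816-3)."""

# Fi and Di lookup tables from ISO/IEC 7816-3; missing codes are RFU.
FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}


def interface_bytes(atr: bytes) -> dict:
    """Return the interface bytes of an ATR as {'TA1': .., 'TD1': .., 'TA2': ..}.

    Historical bytes and the TCK check byte are not needed for the bit rate
    and are left unparsed.
    """
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: unexpected TS byte")
    out, y, i, n = {}, atr[1] >> 4, 2, 1   # T0 high nibble flags TA1..TD1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if i >= len(atr):
                    raise ValueError("truncated ATR")
                out[f"{name}{n}"] = atr[i]
                i += 1
        if not y & 8:          # no TDn means no further interface bytes
            return out
        y = out[f"TD{n}"] >> 4  # TDn high nibble flags the next group
        n += 1


def sim_bit_rates(atr: bytes, clock_hz: int = 4_000_000) -> tuple:
    """Return (rate during ATR, rate after parameters apply, when it switches).

    clock_hz is an assumed phone-supplied SIM clock, not a value from the post.
    """
    ib = interface_bytes(atr)
    initial = clock_hz / 372            # F=372, D=1 is mandatory for the ATR itself
    ta1 = ib.get("TA1", 0x11)           # absent TA1 means Fi=372, Di=1
    f, d = FI_TABLE.get(ta1 >> 4), DI_TABLE.get(ta1 & 0x0F)
    if f is None or d is None:
        raise ValueError("TA1 uses an RFU Fi/Di code")
    after = clock_hz * d / f
    # With TA2 present the card is in specific mode and switches right after
    # the ATR; otherwise the new rate only applies after a PPS exchange.
    mode = "specific: switches right after ATR" if "TA2" in ib \
        else "negotiable: switches only after PPS"
    return initial, after, mode


if __name__ == "__main__":
    # Constructed ATR: TS=3B, T0=90 (TA1 and TD1 follow), TA1=96, TD1=00.
    print(sim_bit_rates(bytes.fromhex("3B909600")))
```

For the constructed ATR above, TA1=0x96 selects F=512 and D=32, so a 4 MHz clock gives about 10753 bit/s during the ATR and 250000 bit/s afterwards, which is why a fixed-baud sniffer loses the dialog unless it is reconfigured at the right moment.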

