A SIM card, or Subscriber Identity Module is a familiar element of a mobile phone. It can be easily swapped or replaced, yet, it was not born at the same time as the cellular phone. The first mobile phones used to support only ’embedded’ communication standards: the subscription parameters were hard-coded into the mobile terminal’s memory.
The oldest analogue standards like NMT-450 did not employ any means of security: the subscription data could be copied into another device and cloned, making it possible to call and accept calls on the rightful owner’s behalf, free of charge.
The first means of security, which was invented a bit later, was the so called Subscriber Identity Security (SIS) code — an 18-digit number which was unique to a device and hard-coded into an application processor. SIS codes used to be evenly distributed among the vendors so two devices could not share the same SIS code. The processor also stored a 7-digit RID code which was transmitted to a base station when a subscriber registered to a cellular network.
— Kaspersky Lab (@kaspersky) November 18, 2014
The base station would generate a random number, which, bundled with a unique SIS response, SIS processor would use to produce the authorization key.
Both keys and numbers were relatively short but adequate for 1994 — quite predictably, the system was later cracked, just three years before the GSM (Global System for Mobile Communications) standard emerged. It was more secure by design as it used a similar, yet more cryptically resilient authorization system. The standard thus became ‘detached.’
— Kaspersky Lab (@kaspersky) July 3, 2015
This meant that the authorization was then fully performed on an external processor integrated into a smart card. The resulting solution was called SIM. With the introduction of SIM cards, the subscription was no longer dependent on the device so a user could change devices as frequently as wished, while preserving the mobile identity.
A SIM card is basically an ISO 7816 standard smart card and has no significant difference from other contact IC-based cards, like credit cards or phonecards. The first SIM cards even had the same size as a credit card, but the overall trend of shrinking dimensions had led to a newer, more compact form.
Traditional full-size 1FF (1st Form Factor) SIM card would no longer fit into the phone, so the industry has invented a simple compatibility solution: a smaller SIM card (mini-SIM, or 2FF, or 2nd Form Factor), which is common for modern users, was placed into a 1FF-size plastic carrier, so the newer form factor confined the chip and the contact arrangements in a smaller footprint and could be easily popped out.
Although this shrinking trend continued with micro-SIM (3FF) and then nano-SIM (4FF), the shape and the contact arrangement, as well as the features of embedded chips, have remained the same for nearly 25 years. Large plastic ‘dummies’ are produced nowadays to accomodate the needs of users who still prefer really old school handsets.
With that said many now out-dated devices would not support today’s SIM cards, even if they are full-sized. It comes down to the fact that the operating voltage for earlier SIM cards was 5 V, whereas today’s cards require 3 V. Many SIM manufacturers prefer to trade compatibility for cost, so the majority of modern SIM cards won’t support two voltages. That’s why in an old 5 V only compatible phone 3 V only SIM cards would not even work due to their processor’s voltage protection.
— Kaspersky Lab (@kaspersky) April 7, 2015
While on the production line, certain information is written into the memory of a SIM card: the IMSI (International Mobile Subscriber Identity) in accordance to the carrier who ordered the batch, and a 128-bit key called Ki (Key Identification). Simply put, IMSI and Ki are the subscriber’s login and password respectively, hard-coded into the SIM card chip.
The correspondence between a subscriber’s IMSI and the phone number is stored in a special database called HLR (Home Location Register). This data is copied into another database, VLR (Visitor Location Register) in each segment of the network, based on the subscriber’s temporary ‘guest’ registration to another base station.
— Kaspersky Lab (@kaspersky) February 27, 2015
The authorization process is quite simple. When a subscriber is registered to the temporary database, VLR sends a random 128-bit number (RAND) to the phone number. The SIM card processor uses the A3 algorithm to generate a 32-bit response (SRES) to VLR, based on the RAND number and Ki. If VLR gets a matching response, the subscriber becomes registered in the network.
SIM also generates another temporary key called Kc. Its value is calculated based on above mentioned RAND and Ki with the help of the A8 algorithm. That key, in turn, is used to encrypt transmitted data by means of the A5 algorithm.
Sounds a bit complicated because of oh so many acronyms and all. But the basic idea is pretty simple: firstly you have a login and password hard-coded into the SIM, secondly you create verification and encryption keys with a couple of math tricks, and that’s it — you’re connected.
The encryption is always enabled by default, however, in certain circumstances (for instance, provided a warrant) it is switched off, making it possible for an intelligence agency to intercept phone conversations. In that case, an old-school handset displayed an open padlock, whereas modern phones (except Blackberry) never demonstrate anything of the sort.
— Kaspersky Lab (@kaspersky) November 24, 2015
There is an attack specifically designed to intercept phone conversations; in order to perform the attack, an adversary needs a device called IMSI Catcher. It emulates a base station and registers connecting phones, then forwarding all signals to a real base station.
In this case, the entire authorization process flows in the normal mode (there is no need to crack the encryption keys), but the faux base station urges the handset to transmit in a plaintext mode, so an adversary can intercept signals without the carrier’s and subscriber’s knowledge.
Funny as it seems, this ‘vulnerability’ is not a vulnerability; in fact, this feature was designed to be there from the start, so intelligence services could perform Man-In-The-Middle attacks when appropriate for the case.