Mobile Threat Catalogue

SIM Software Vulnerabilites


Threat Category: USIM / SIM / UICC security

ID: STA-21

Threat Description: Applications on the SIM card can be remotely configured by operators by sending a special class of SMS. Each application on a SIM card is configured with a corresponding minimum security level (MSL). Attackers can only exploit applications where the MSL is set to zero. An unprivileged user is normally gained through attacking a system and exploiting an unprivileged process. If an application with abuse potential is present on the SIM card, it can instruct a mobile phone to do various things, such as make a call, send an SMS, get location, prompt the user for input, establish a TCP/TLS connection, or open a browser on a specific URL.1

Threat Origin

Not Applicable, See Exploit or CVE Examples

Exploit Examples

Spoofing and intercepting SIM commands through STK framework 2

CVE Examples

Possible Countermeasures


  1. Security Research Labs, New SIM attacks de-mystified, protection tools now available, blog; [accessed 12/03/2019] 

  2. A. Chaykin, “Spoofing and intercepting SIM commands through STK framework,” blog, 26 Aug. 2015;