Message-ID: <CADbNDXHAZ_gj7tBVTC_iZjmMAfDFJzjGxLHim8KXpywwWzOOkA@mail.gmail.com>
Date: Fri, 4 Oct 2024 12:42:06 +0200
From: Security Explorations <contact@...urity-explorations.com>
To: fulldisclosure@...lists.org
Subject: [FD] Some SIM / USIM card security (and ecosystem) info

Hello All,

Those interested in SIM / USIM card security might find some
information at our spin-off project page dedicated to the topic
potentially useful:

https://security-explorations.com/sim-usim-cards.html

We share there some information based on the experiences gained in the
SIM / USIM card security space, all in a hope this leads to the
increase of public awareness on the topic, change perspective on the
SIM / USIM card industry and potentially trigger some positive changes
(such as introduce transparency in vulnerability handling processes in
particular).

The page includes the following (among others):
- some guidelines for 3rd parties sharing similar security concerns
about SIM cards security as we do (rationale for checking things /
demanding information from vendors),
- notes summarizing key areas for in-depth security investigation,
which may be perceived in terms of a TODO / CHECK list for independent
security evaluators (labs), researchers, MNOs or product security
teams,
- the impact of a disclosure of 2019 flaws affecting some real-life
3G cards [1][2].

Finally, there is some info on "security through obscurity"
implemented by the industry (such as no sale policy to security
companies), which should serve as a warning sign for all concerned
parties (GOVs and MNOs in particular).

Thank you.

Best Regards,
Adam Gowdiak

----------------------------------
Security Explorations -
AG Security Research Lab
https://security-explorations.com
----------------------------------

References
[1] SE-2019-01-GEMALTO, Issues #19 and #33
    https://security-explorations.com/materials/SE-2019-01-GEMALTO.pdf
[2] SE-2019-01-GEMALTO-2, Issue #34
    https://security-explorations.com/materials/SE-2019-01-GEMALTO-2.pdf
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
