Security analysis of USIM application toolkit and USIM-based authentication system

Abstract

USIM cards are used in GSM, 3G, LTE based mobile network and can be used to support secure authentication mechanism. USIM cards are smartcards, and they can run applet on the card based on USIM application toolkit. While most commercial USIM cards block installation of arbitrary applet by user, some of insecure USIM cards allow third party applet to be installed. Using USIM toolkit application, attacker can eavesdrop radio-related activities, like call information and SMS transmission. Due to the nature of smartcard, USIM card provides strict access control and secure storage. This secure storage can store sensitive information, like PKI certificates. For example, Estonia provides USIM-based PKI certificate system called Mobile ID, which started service in 2007. A Korean operator started this service in April 2013, with different implementation of certificate management application. In this paper, we present USIM application toolkit based malware (in short, USIMkit) and security analysis of Korean USIM-based PKI certificate (KCert). USIMkit is not detectable by mobile operating system, and both installation and removal requires special process. Our tool ShadyUSIM is a USIM application installer based on ShadySIM, using 3GPP API directly. Our analysis showed that there are some security problems in Korean USIM-based KCert, which leaks private key, KCert during certificate installation, and USIM secure storage password during certificate usage. We also implement a small malware that steals abovementioned information from user`s mobile phone.\footnote{The material on this paper was notified to the developer and network operator, and some problems mentioned in this paper are fixed.