
Generic Overlay SIM Security Assessment

GSMA is aware that proprietary SIM solutions have been in existence for many years and these
include the slim SIM. More commonly referred to as an Overlay SIM, the solution could be
considered a disruptive technology and it has been used to support legitimate services, including the
provision of low cost roaming services, as well as more questionable uses such as unauthorised
device unlocking.
The Overlay SIM takes the form of a thin plastic sheet into which a chip is embedded that can be
placed on top of a standard SIM card within a mobile device. The Overlay SIM sits between the SIM
card and the device and has access to and full visibility of all communications taking place between
those two elements.
Although the Overlay SIM is capable of using security technologies, such as cryptographic keys, to
host and execute sensitive services and transactions, use of the technology has the potential to
introduce a range of new security risks due to its ability to observe sensitive data in transit between
the mobile device and the original SIM. The GSMA's Security Group has considered the theoretical
risks associated with the use of Overlay SIM technology in a general sense and concluded the
The Overlay SIM has the potential to facilitate a man-in-the-middle attack by observing,
collecting and revealing sensitive data such as PINs, encryption keys, etc. Specifically, an Overlay
SIM could pose the following risks:
o Observe, record and divulge mobile user PIN details
o Initiate, intercept, manipulate and/or block mobile communications including voice calls,
SMS, USSD, SIP calls and web sessions
o Initiate, intercept, manipulate and/or destroy SIM toolkit instructions
o Execute actions without the explicit permission or knowledge of the mobile user
o Record and disclose user location information
o Obtain unauthorised access to the SIM card and change configuration settings
The exposure of the channel between the SIM and device to eavesdropping has been in
existence for many years but there is no evidence that it has been exploited. However, the
Overlay SIM provides a tool that could be used to exploit this existing vulnerability and if widely
deployed it could be used to create a botnet that could be used to commit fraud and/or
compromise customer privacy.
The level of risk to mobile users depends on the trustworthiness of the provider and issuer of
Overlay SIMs not to exploit the vulnerability by including functionality on the Overlay SIM to
harvest and reveal sensitive data eavesdropped between the SIM and the device.
A risk also exists that, even if the Overlay SIM supplier and issuer behave responsibly, a malicious
third party could potentially download a Trojan app to the Overlay SIM to access sensitive
It is important to note that in conducting this risk assessment GSMA's Security Group did not have or
consider technical details of any individual Overlay SIM implementation. The risks described above
are those considered to be theoretically applicable to poorly or maliciously designed Overlay SIM
solutions and GSMA is not suggesting that these apply to all or any specific solutions. Similarly,
GSMA is not in a position to ascertain if individual Overlay SIM implementations gather any sensitive
data and make that available to unauthorised parties or if they manipulate or compromise the
security of the existing SIM in any way. This document merely raises the possibility that these
potential risks exist and could arise.

Network operators, regulators and other stakeholders should be aware of the risks that Overlay
SIMs can pose to mobile users and security sensitive services. These risks should be taken into
consideration when assessing the suitability of Overlay SIM based solutions for use in the
When considering the suitability of Overlay SIM based solutions for deployment, GSMA recommends
Promoters and suppliers of Overlay SIM solutions should provide assurances and verify that
their implementations mitigate the risks outlined in this document.
Only Overlay SIM solutions that have been independently analysed and certified as being
free from any functionality designed to undermine the security of users or issuers of original
SIMs should be deployed.
Mobile users should be advised of the potential dangers that could result from inserting
unapproved elements in their devices and they should be provided with assurances
pertaining to approved solutions.