Yet another PoC from my to-do list: which data passes through the SIM card on a data modem? The specific question was whether the APN credentials were passed to the SIM and could be intercepted with a SIMtrace. This post gives a quick overview of how to use a SIMtrace2 to create a PCAP trace of the SIM traffic.
Modem
The modem is a cheapish EXVIST 4G LTE Dongle W/EC25-E Mini PCIe SIM Card Slot Modem LTE FDD B1/B3/B5/B7/B8/B20 with USB-C. It comes up with four USB serial ports, which enumerate from /dev/ttyUSB0 to /dev/ttyUSB3. The four are not interchangeable: on the Quectel EC25 the first two are the diagnostic and NMEA (GPS) ports, and only the last two accept AT commands. For me /dev/ttyUSB3 did the job.
wvdial
On the client side I chose to use wvdial with the following config.
[Dialer Defaults]
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Modem Type = Analog Modem
ISDN = 0
New PPPD = yes
Modem = /dev/ttyUSB3
Baud = 9600
[Dialer privlab]
Init3 = AT+CGDCONT=1,"IP","apn01.privlab.xyz"
Stupid Mode = 1
Phone = *99***1#
Username = secretusername
Password = secretpassword
Baud = 9600
wvdial privlab then initiates the connection.
SIMTrace2
The SIMtrace2 is flashed with the trace firmware. On the host side I'm running simtrace2-sniff, which both prints the packets to and from the SIM and forwards them as GSMTAP frames (type SIM) to the loopback interface, port 4729/UDP. Capturing that port on lo with Wireshark or tcpdump is all it takes to get a PCAP, which Wireshark then dissects as GSMTAP/SIM.
Physical Setup
The following picture shows the setup. The SIM card is placed in the SIMtrace2, which in turn is connected to the SIM card slot of the modem via the SIMtrace2's card-shaped adapter, so every APDU between modem and SIM passes through the tracer.
Running it
wvdial says
--> WvDial: Internet dialer version 1.61
--> Initializing modem.
--> Sending: ATZ
ATZ
OK
--> Sending: ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
OK
--> Sending: AT+CGDCONT=1,"IP","apn01.privlab.xyz"
AT+CGDCONT=1,"IP","apn01.privlab.xyz"
OK
--> Modem initialized.
--> Sending: ATDT*99***1#
--> Waiting for carrier.
ATDT*99***1#
CONNECT 150000000
--> Carrier detected. Starting PPP immediately.
--> Starting pppd at Tue Mar 5 17:58:27 2024
--> Pid of pppd: 3314171
--> Using interface ppp0
--> local IP address 10.10.11.1
--> remote IP address 10.64.64.64
--> primary DNS address 192.168.122.45
This gives us a stable PDP context. The PCAP file can be downloaded here.
The Answer
No! :) The APN credentials are only needed by the modem itself when it establishes the PDP context. AT+CGDCONT=<cid>[,<PDP_type>[,<APN>[,<PDP_addr>[,<data_comp>[,<head_comp>]]]]] is the command used here to configure the modem; the username and password do not even travel over AT commands, because pppd hands them to the modem with PAP/CHAP over the PPP link, and the modem carries them to the network inside the PDP context activation. The SIM plays no part in either step. In fact, our SIM card in the above example is pretty passive: the lab network does not run authentication (and hence no ciphering), so we do not even see an AUTHENTICATE (RUN GSM ALGORITHM) command, which on a production network would be the one place the SIM takes part in a key exchange, deriving the session key from the network's RAND challenge without ever exposing Ki. The trace is therefore just the modem's file system browsing (SELECT, GET RESPONSE, READ BINARY and the like).
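As an added example of both the PCAP creation and the check behind the answer (my code, not from the post or the simtrace2 project), the following Python builds a few GSMTAP/SIM frames of the kind simtrace2-sniff sends to 127.0.0.1:4729, writes them to a PCAP the way a loopback capture would, reads the file back (raw-IPv4 or Ethernet link type, as tcpdump on lo produces), splits the T=0 APDUs and searches them for the APN and the PPP credentials. The APDU contents, the assumption that one frame carries one complete APDU with GSMTAP sub-type 0, and the positive-control frame carrying the APN are constructed for the demo; a real trace like the one above would produce no hits at all.

```python
import struct
import tempfile

GSMTAP_PORT = 4729        # UDP port simtrace2-sniff forwards to on loopback
GSMTAP_TYPE_SIM = 0x04    # GSMTAP payload type for SIM traffic
GSMTAP_SIM_APDU = 0x00    # sub_type: complete APDU in one frame (assumption for the demo)
LINKTYPE_RAW_IPV4 = 101   # pcap link type: packet starts at the IPv4 header
LINKTYPE_ETHERNET = 1     # what tcpdump -i lo writes on Linux


def gsmtap_sim(payload: bytes, sub_type: int = GSMTAP_SIM_APDU) -> bytes:
    """Prefix a SIM payload with a GSMTAP v2 header (hdr_len = 4 words = 16 bytes)."""
    hdr = struct.pack("!BBBBHbbIBBBB", 2, 4, GSMTAP_TYPE_SIM, 0, 0, 0, 0, 0,
                      sub_type, 0, 0, 0)
    return hdr + payload


def parse_gsmtap(frame: bytes):
    """Return (type, sub_type, payload) for a GSMTAP v2 frame, or None."""
    if len(frame) < 16 or frame[0] != 2:
        return None
    hdr_len = frame[1] * 4
    if hdr_len < 16 or len(frame) < hdr_len:
        return None
    return frame[2], frame[12], frame[hdr_len:]


def decode_apdu(apdu: bytes) -> dict:
    """Split a T=0 APDU (CLA INS P1 P2 P3 [data] SW1 SW2) into its parts."""
    if len(apdu) < 7:
        raise ValueError("APDU too short: " + apdu.hex())
    cla, ins, p1, p2, p3 = apdu[:5]
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "p3": p3,
            "data": apdu[5:-2], "sw": apdu[-2:].hex()}


def _ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def udp_to_loopback(payload: bytes) -> bytes:
    """Wrap a frame in IPv4/UDP 127.0.0.1 -> 127.0.0.1:4729 (UDP checksum 0 = none)."""
    udp = struct.pack("!HHHH", GSMTAP_PORT, GSMTAP_PORT, 8 + len(payload), 0) + payload
    lo = bytes([127, 0, 0, 1])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, lo, lo)
    return ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:] + udp


def write_pcap(path: str, frames) -> None:
    """Write GSMTAP frames as a classic little-endian pcap with raw-IPv4 link type."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW_IPV4))
        for i, frame in enumerate(frames):
            pkt = udp_to_loopback(frame)
            f.write(struct.pack("<IIII", 1709657907 + i, 0, len(pkt), len(pkt)) + pkt)


def read_gsmtap_from_pcap(path: str) -> list:
    """Pull the UDP payloads addressed to port 4729 out of a raw-IPv4 or Ethernet pcap."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    l2_len = {LINKTYPE_RAW_IPV4: 0, LINKTYPE_ETHERNET: 14}[struct.unpack_from("<I", data, 20)[0]]
    frames, off = [], 24
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]
        ip = data[off + 16 + l2_len: off + 16 + incl]
        off += 16 + incl
        if len(ip) < 28 or ip[0] >> 4 != 4 or ip[9] != 17:   # IPv4 carrying UDP only
            continue
        udp = ip[(ip[0] & 0x0F) * 4:]
        if struct.unpack("!H", udp[2:4])[0] == GSMTAP_PORT:
            frames.append(udp[8:])
    return frames


def find_secrets(frames, secrets) -> list:
    """Return (frame index, INS, secret) for every SIM APDU whose bytes contain a secret."""
    hits = []
    for i, frame in enumerate(frames):
        parsed = parse_gsmtap(frame)
        if parsed is None or parsed[0] != GSMTAP_TYPE_SIM or parsed[1] != GSMTAP_SIM_APDU:
            continue
        ins = decode_apdu(parsed[2])["ins"]
        hits.extend((i, ins, s) for s in secrets if s.encode() in parsed[2])
    return hits


# Constructed APDUs in the shape a modem issues while browsing the SIM: SELECT MF,
# GET RESPONSE, READ BINARY of EF_ICCID. None of them carries APN or PPP credentials.
SAMPLE_APDUS = [
    bytes.fromhex("A0A40000023F00" "9F17"),
    bytes.fromhex("A0C0000017") + bytes(23) + bytes.fromhex("9000"),
    bytes.fromhex("A0B000000A") + bytes.fromhex("98942000001234567890") + bytes.fromhex("9000"),
]
# Positive control, constructed and NOT something a real trace shows: an UPDATE BINARY
# whose data is the APN string, to prove the search would catch such a leak.
CONTROL_APDU = bytes.fromhex("A0D6000011") + b"apn01.privlab.xyz" + bytes.fromhex("9000")
SECRETS = ["apn01.privlab.xyz", "secretusername", "secretpassword"]


def demo(path: str = None) -> list:
    """Write the sample trace plus control frame to pcap, read it back and search it."""
    if path is None:
        with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as t:
            path = t.name
    write_pcap(path, [gsmtap_sim(a) for a in SAMPLE_APDUS + [CONTROL_APDU]])
    return find_secrets(read_gsmtap_from_pcap(path), SECRETS)


if __name__ == "__main__":
    for idx, ins, secret in demo("sim-demo.pcap"):
        print(f"frame {idx}: INS {ins:02X} carries {secret!r}")
```

For the real thing, run tcpdump -i lo udp port 4729 -w sim.pcap (or Wireshark on lo) next to simtrace2-sniff; read_gsmtap_from_pcap accepts that file as-is, and only the control frame above, which exists solely to exercise the search, is ever reported. Anything the modem does put on the SIM interface in cleartext (ICCID, IMSI, phonebook reads) is equally visible, which is the actual privacy property a SIM tracer tests.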