by akersten 2473 days ago
Why in the world is this API surface even available, and why aren't Google / Apple / handset manufacturers scrambling to patch this?

I guess it is available to the baseband, not the actual user-facing OS.
Google and Apple can't do anything to mitigate this.

Edit: The following is incorrect. SIM cards are self-contained computers. Among other things, they're responsible for encrypting and decrypting communications between your phone and your carrier. This means that a SIM card will see the contents of a message before your OS or other hardware in your phone does. These exploits should work just as well against "dumb" phones as smartphones because they're not attacking the actual phones.

This API exists because SIM cards are self-contained computers; they need a way to communicate with everything else.

That's not the case. SIM cards hold the permanent key for authentication and perform key derivation. Mobile data doesn't pass the SIM card; it does not perform the encryption and decryption.

Good point--I tend to forget that. The rather vague article seems to indicate the actual SMS content is being sent to the SIM, though. Why is that?

Dumb/feature phones saved SMS messages to the SIM card as simple cards have a limited amount of memory that is dedicated to a crude phonebook and SMS store. Smartphones and smarter feature phones (can) use their own storage for that. You could disable/enable the phonebook/save to SIM features on feature phones and early smartphones.

(I'm talking about Win CE and Symbian phones being early smartphones here)

A