There’s a strong chance you’ve used the SIM toolkit, even if you don’t know it yet. Actually, you might have it on your device as you’re reading this. If that isn’t the case, you might have heard about the term from others who have. And while its name suggests that it has something to do with fixing, it rarely does. Thanks to other standards (hint: USSD), you can continue to use your device, unless it wasn’t released decades ago, without ever opening it. If that piqued your interest, let’s not tease you a moment more, and get into the answer to, “what is SIM Toolkit?”
SIM Toolkit explained
SIM Toolkit, whose full name is SIM Application Toolkit (STK), is a standard of the GSM network, allowing GSM SIM cards to initiate contact with the provider and request VAT (Value Added Service). It is pre-programmed with a list of commands that define how communication with the outside world works. Also, it works separately from the handset in the device and the active network on SIM. So, while the mobile network provider is frequently the service provider, some carriers hire third parties to maintain/provide the service.
User interface and basic functions
SIM Toolkit is designed in a single application environment for phones and makes communication on the network easier. This includes sending requests, issuing commands, displaying menus, or entering information when user input is required. The functionality makes value-based services such as checking balance, activating your SIM, voice mail, or roaming and purchasing packs (calls, texts, mobile data) possible. It also permits checking SIM phone number, phone model, SIM serial number, device ID (IMEI, ESN, MEID, etc.), changing languages, and powering the SIM card on or off.
SIM Toolkit functionality also allows for additional features such as subscription services (multimedia, news, horoscope, real-time updates), browsing online content, accessing mobile banking, to exist. Some carriers claim their Toolkit improves security through authentication and encryption. If that’s implemented, the cryptographic key and required certificates can be used to sign documents electronically (digital signature).
Limitations and privacy concern
The following are some of the limits in SIM Toolkit:
- Older versions of STK are best-suited for simple applications with basic UI.
- STK has very little multimedia support, and only supports some icons and basic pictures.
- The independent development of STK technology is very limited.
- Some phones who are incompatible with STK experience problems with network and service.
- Updates to STK are done independently of other software on the phone, which some people recognize as software for surveillance.
- SIM Toolkit starts during the power-up of the SIM card. This initially forced users to return their SIM cards for a manual update or buy a replacement SIM with an updated STK.
- In later versions of SIM Toolkits, updates can be initiated via optional features, and done OTA (over-the-air).
- Starting in 2010, carriers could deliver STK updates over secure SMS to devices that support wireless internet browser (WIB) toolkit and [email protected] Browser component.
- Vulnerabilities in [email protected] Toolkit allowed hackers to remotely take control of users’ devices by sending malicious SMS in 30+ countries via the so-called “Simjacker vulnerability” in the past.
- A researcher from Ginno Security Lab discovered in 2019 that WIB on older phones can be exploited identically to Simjacker.
Who defines the SIM Toolkit?
SIM Toolkit is defined by the GSM 11.14 standard released back in 2001 by ETSI (European Telecommunications Standards Institute). The fourth release, named 3GPP TS 31.111, delivered in 2016 by ETSI, replaced GSM 11.14 on devices that use 3G and 4G GSM networks.
Is USAT the same as SIM Toolkit?
USIM Application Toolkit (USAT) is a counterpart (equivalent) to SIM Toolkit, except for devices that use 3G and 4G networks. USAT solves the main problem with SIM toolkits. Thanks to a multi-application environment, it only activates when a specific application requests it, not at power-up like STK. This worked to quench privacy concerns and surveillance accusations on newer devices that use a SIM Toolkit app for Android.