Roaming Report – Part 4 – When the SIM card talks to the Internet

Here’s a quick follow-up to my recent blog post on using an eSIM when roaming in the US: After I installed the eSIM, I noticed with my trace tools that whenever my smartphone connected to an LTE network, the phone would, in addition to the LTE PDU session for Internet connectivity, request another PDU session with another APN (Access Point Name). This was not configured anywhere in the device. The PDU session just lived for a few seconds and was then terminated again. I was a bit puzzled at first but soon had a suspect… the SIM card.

To see if there was any merit to this thought, I dug a little bit deeper and had a look at the data that was exchanged over that PDU session: After a DNS request for a domain name, an https TLS v1.2 session to port 8443 of a server on the Internet was established, and around 8 kb of data was exchanged. The domain name pretty much suggests that this exchange of traffic was initiated by the SIM card.

So how can a program running on the SIM card communicate with a server on the Internet? Well easy, it could use the ‘Open Channel’, Close Channel’ and ‘Send / Receive Data’ commands that were specified decades ago in the SIM Application Toolkit (SAT) specification. See chapter 6.4.27 and following in ETSI TS 102 223 for details. Although I have no final proof, I think this is what was used. Very interesting to see that this feature is (still) used in practice today.

Note that SAT does not only apply to eSIM, it’s a general protocol that was used in the past for many many things. Here’s an example from way back then.