Generally speaking, the SIM interacts using both "proactive commands" (e.g. "send an SMS to this number") and event downloads (think "whenever the base station identifier changes, please let me know").
Thanks! Out of these, the following seem most concerning/abusable:
* "setting up a voice call to a number held by the UICC" - effectively allows turning the phone into a bug (although not a very stealthy one, since presumably the normal call UI would be shown).
* requesting the terminal to launch the browser corresponding to a URL - triggering exploits
* providing local information from the terminal to the UICC -- depends on what exactly the card can request, doesn't look like much except location which is discussed below
* running an AT command -- depends on the AT commands available, but I don't expect anything ground breaking
* requesting the terminal to start an application on the terminal -- depends on what exactly can be triggered (e.g. if it can trigger an app install it'd be extremely concerning, already installed apps less so), but I think it's only launching or listing already installed carrier apps.
* requesting the terminal to report geographical location information to the UICC -- fine grained tracking. This is the most concerning for me, and I wonder how/if Android shows when/if that happens (or if it is allowed). I also wonder if this can be used even when the phone is in airplane mode (to collect data and upload it later).
The geographic location seems to be only network-based (i.e. this doesn't poll the phone for GPS data, but only accesses data available to the baseband).
Hopefully, the following requirement also covers flight mode implementations:
> Where location information or Network Measurement Results has been requested and no service is currently available, then the ME shall return TERMINAL RESPONSE (ME currently unable to process command - no service).
If both are the case, then this does not leak more to the network than it could just determine itself from signalling data. In any case, as with many things in these specifications, it leaves quite a lot of wiggle room for implementation mistakes, genuine and otherwise.
As a historical note, there was a quite famous implementation of SIM-based positioning in Germany: one GSM provider implemented a "home zone" feature entirely on the SIM, by populating it with a database of cells that qualify for "home use"; this was then used to bill the landline rate rather than the (at the time quite expensive) mobile rate for outgoing calls.
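Sketch of the terminal-side handling behind the requirement quoted above, added here as an illustration rather than code from the thread or from any real baseband or Android implementation: it parses a PROVIDE LOCAL INFORMATION proactive command, answers "unable to process - no service" when the phone has no service (flight mode included) instead of returning cached data, and records an audit event so the "does the user ever see this" question has a hook. The command type, qualifier, tag and result byte values are my reading of ETSI TS 102 223 and should be checked against the spec; the sample command and location bytes in the docstring are constructed.

```python
PROVIDE_LOCAL_INFO = 0x26                 # proactive command type (per TS 102 223, assumed)
QUAL_LOCATION, QUAL_NMR = 0x00, 0x02      # qualifier: location info / network measurement results
RESULT_OK = 0x00
RESULT_ME_UNABLE, ADDL_NO_SERVICE = 0x20, 0x04   # "ME currently unable to process command" + "no service"
TAG_CMD_DETAILS, TAG_DEVICE_IDS, TAG_RESULT, TAG_LOCATION = 0x01, 0x02, 0x03, 0x13
CR = 0x80                                 # comprehension-required bit OR'ed into tags on the wire
DEV_UICC, DEV_TERMINAL = 0x81, 0x82


def parse_tlvs(data: bytes) -> dict:
    """Split a sequence of one-byte-tag / one-byte-length TLVs, keyed by tag with the CR bit stripped."""
    out, i = {}, 0
    while i < len(data):
        tag, length = data[i] & 0x7F, data[i + 1]
        out[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out


def handle_provide_local_info(cmd: bytes, in_service: bool, location: bytes, audit: list) -> bytes:
    """Return the TERMINAL RESPONSE for a PROVIDE LOCAL INFORMATION proactive command.

    cmd        -- raw proactive command: 0xD0 tag, one-byte length, then TLVs
                  (constructed sample: d0 09 81 03 01 26 00 82 02 81 82)
    in_service -- False in flight mode or without coverage
    location   -- the 7-byte MCC/MNC + LAC + Cell ID the baseband currently holds
    audit      -- list collecting events the UI / logging layer should surface to the user
    """
    if cmd[0] != 0xD0 or cmd[1] != len(cmd) - 2:
        raise ValueError("malformed proactive command")
    cmd_num, cmd_type, qualifier = parse_tlvs(cmd[2:])[TAG_CMD_DETAILS]
    if cmd_type != PROVIDE_LOCAL_INFO:
        raise ValueError("not a PROVIDE LOCAL INFORMATION command")
    if qualifier not in (QUAL_LOCATION, QUAL_NMR):
        raise NotImplementedError("this sketch only covers the location and NMR qualifiers")
    # Command details are echoed back; device identities are reversed (terminal -> UICC).
    head = bytes([TAG_CMD_DETAILS | CR, 3, cmd_num, cmd_type, qualifier,
                  TAG_DEVICE_IDS | CR, 2, DEV_TERMINAL, DEV_UICC])
    # Defender hook: every location/NMR request from the SIM becomes an observable event.
    audit.append(f"SIM requested {'location' if qualifier == QUAL_LOCATION else 'NMR'}, in_service={in_service}")
    if not in_service:
        # The quoted rule: no service -> "unable to process, no service", never stale cached data.
        return head + bytes([TAG_RESULT | CR, 2, RESULT_ME_UNABLE, ADDL_NO_SERVICE])
    if qualifier == QUAL_LOCATION:
        return head + bytes([TAG_RESULT | CR, 1, RESULT_OK, TAG_LOCATION | CR, len(location)]) + location
    raise NotImplementedError("NMR result encoding is omitted from this sketch")
```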