Since iOS doesn't run Java applets, would all iPhones be safe from this? Or does this mean SIM cards run some form of JVM and can be infected regardless of the phone OS?
The latter. A SIM chip is a microprocessor with it's own OS. Many SIMs today run a version of the JVM that has been stripped down and retooled for the more constrained environment on the smart card (see http://en.wikipedia.org/wiki/Java_Card).
However, I would be very surprised if a phone bought in the last 5 years was susceptible to this attack. I used to work for one of the leading providers of SIM chips and almost all of our product was using 3DES or AES, and that was several years ago.
I've seen freshly built networks about 5 years ago that had no encryption or authentication what-so-ever on their SIM cards. Anybody could "brick" any SIM with an OTA command to overwrite the IMSI file, or intercept SMSes by overwriting the SMS service center address, etc.
SIM vendor didn't want to install crypto keys for free, network operator didn't understand the importance...
1. Use a USB SIM card reader to see the contents of the standard files on your SIM to see if encryption is enabled.
2. Use a SIM-OTA system to send a command and see if it works. For example, overwrite your Service Provider Name (SPN) file with "Foobar", reboot your phone, and see if you now see this name instead of "AT&T" (or whatever).
3. Build your own SIM OTA system and do the above. This is easy. You just need a way to send SMS with the OTA bit set: e.g. a USB GSM modem on a network that allows it or an internet SMS gateway that allows it.
I built a commercial SIM-OTA platform about 6-7 years ago that's sold by a big OEM. This was interesting: SIM card vendors really don't like the idea of network operators being able to independently do stuff with the SIMs they buy.
