Cybersecurity researchers today revealed the existence of a new and
previously undetected critical vulnerability in SIM cards that could
allow remote attackers to compromise targeted mobile phones and spy on
victims just by sending an SMS.
Dubbed “Simjacker,” the vulnerability resides in a particular piece of software called the S@T Browser, a dynamic SIM toolkit application widely used by mobile operators in at least 30 countries. Because the flaw lives on the SIM itself, it can be exploited regardless of which handset the victim uses.
What’s worrisome? A specific private company that works with governments has been actively exploiting the Simjacker vulnerability for at least the last two years to conduct targeted surveillance on mobile phone users across several countries.
S@T Browser, short for SIMalliance Toolbox Browser, is an application that comes installed on a variety of SIM cards, including eSIMs, as part of the SIM Tool Kit (STK). It was designed to let mobile carriers deliver basic services, subscriptions, and value-added services over-the-air to their customers.
Because S@T Browser exposes a series of STK instructions (send short message, set up call, launch browser, provide local data, run AT command, send data, and so on) that can be triggered by an SMS delivered to the SIM, the software also offers an execution environment for running attacker-chosen commands on the phone.
How Does the Simjacker Vulnerability Work?
Disclosed by researchers at AdaptiveMobile Security in research published today, the vulnerability can be exploited to perform the tasks listed below simply by sending the target an SMS carrying S@T Browser instructions. The message is a binary SMS of the kind carriers use for over-the-air SIM management; the SIM processes it directly, so nothing is shown to the user.
- Retrieving the targeted device’s location and IMEI,
- Spreading misinformation by sending fake messages on behalf of victims,
- Performing premium-rate scams by dialing premium-rate numbers,
- Spying on victims’ surroundings by instructing the device to call the attacker’s phone number,
- Spreading malware by forcing the victim’s phone browser to open a malicious web page,
- Performing denial-of-service attacks by disabling the SIM card, and
- Retrieving other information such as language, radio type, battery level, etc.
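The attack described above rides on one specific message type: a binary SMS that the handset hands straight to the SIM Toolkit instead of displaying. As an added example (not code from this article or from AdaptiveMobile Security), the following Python inspects raw SMS-DELIVER PDUs and flags "SIM data download" messages (TP-PID 0x7F with a class 2, 8-bit data coding scheme, per 3GPP TS 23.040/23.038) whose TS 31.115 command packet carries neither an integrity check nor ciphering, which is exactly the condition that lets anyone able to deliver an SMS talk to an application on the SIM. The three sample PDUs, the sender number, and the TAR value B00000 are constructed for the example; a real S@T Browser deployment uses whatever TAR the operator provisioned, which the article does not state.

```python
# Added example, not code from the original article or from AdaptiveMobile
# Security: inspect SMS-DELIVER PDUs and flag unsecured "SIM data download"
# messages, the binary SMS type that reaches the SIM Toolkit (and so the
# S@T Browser) without the user seeing anything. Field layouts follow 3GPP
# TS 23.040 (SMS PDU) and TS 31.115 (secured command packet). The PDUs and the
# TAR value B00000 below are constructed for this example, not captured data.

SIM_DATA_DOWNLOAD_PID = 0x7F        # TP-PID "(U)SIM data download", TS 23.040
CLASS2_8BIT_DCS = {0xF6, 0x16}      # class 2 (SIM-specific), 8-bit data, TS 23.038


def _bcd_digits(raw: bytes) -> str:
    """Decode a nibble-swapped BCD address ('2143...F1' -> '1234...1')."""
    h = raw.hex().upper()
    return "".join(h[i + 1] + h[i] for i in range(0, len(h), 2)).rstrip("F")


def parse_sms_deliver(pdu_hex: str) -> dict:
    """Split an SMS-DELIVER PDU (SMSC prefix included) into its TP fields."""
    b = bytes.fromhex(pdu_hex)
    i = 1 + b[0]                               # skip length-prefixed SMSC address
    first, i = b[i], i + 1
    if first & 0x03 != 0x00:                   # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)                  # TP-UDHI: user data starts with a header
    ndigits, i = b[i], i + 1
    i += 1                                     # type-of-address octet (not needed here)
    nocts = (ndigits + 1) // 2
    sender = _bcd_digits(b[i:i + nocts]); i += nocts
    pid, dcs, i = b[i], b[i + 1], i + 2
    i += 7                                     # TP-SCTS service-centre timestamp
    udl, i = b[i], i + 1
    ud = b[i:]
    if udhi:
        ud = ud[1 + ud[0]:]                    # drop UDHL and the header IEs
    return {"sender": sender, "pid": pid, "dcs": dcs, "udl": udl, "user_data": ud}


def parse_command_packet(ud: bytes) -> dict:
    """TS 31.115 command packet: CPL(2) CHL(1) SPI(2) KIc KID TAR(3) CNTR(5) PCNTR RC/CC/DS data."""
    if len(ud) < 3:
        raise ValueError("too short for a command packet")
    cpl = int.from_bytes(ud[:2], "big")
    chl = ud[2]
    if cpl != len(ud) - 2 or chl < 13 or 3 + chl > len(ud):
        raise ValueError("malformed command packet")
    hdr = ud[3:3 + chl]
    spi1 = hdr[0]
    return {
        "spi": hdr[:2].hex().upper(),
        "integrity": spi1 & 0x03,              # 0 none, 1 RC, 2 cryptographic checksum, 3 signature
        "ciphered": bool(spi1 & 0x04),
        "kic": hdr[2], "kid": hdr[3],
        "tar": hdr[4:7].hex().upper(),         # Toolkit Application Reference: which SIM app gets the data
        "counter": hdr[7:12].hex().upper(),
        "rc_cc_ds": hdr[13:].hex().upper(),    # present only when integrity != 0 (not verified here: no keys)
        "data": ud[3 + chl:],                  # the toolkit commands themselves
    }


def classify(pdu_hex: str) -> dict:
    """Verdict: is this SMS routed to the SIM, and if so, is the packet unsecured?"""
    m = parse_sms_deliver(pdu_hex)
    v = {"sender": m["sender"], "sim_data_download": False, "unsecured": None, "tar": None}
    if m["pid"] == SIM_DATA_DOWNLOAD_PID and m["dcs"] in CLASS2_8BIT_DCS:
        v["sim_data_download"] = True
        try:
            cp = parse_command_packet(m["user_data"])
        except ValueError:
            return v                           # goes to the SIM, but is not a 31.115 packet
        v["tar"] = cp["tar"]
        # No RC/CC/DS and no ciphering: whoever can deliver the SMS can drive the SIM app.
        v["unsecured"] = cp["integrity"] == 0 and not cp["ciphered"]
    return v


# Constructed sample PDUs (no SMSC, SMS-DELIVER, sender +12345678901, arbitrary timestamp).
_HDR = "00" "04" "0B91" "2143658709F1"
_TS = "91902101000000"
TEXT_PDU = _HDR + "00" + "00" + _TS + "05" + "E8329BFD06"                # ordinary 7-bit "hello"
UNSECURED_PDU = _HDR + "7F" + "F6" + _TS + "15" + (
    "0013" "0D" "0000" "00" "00" "B00000" "0000000000" "00" "0102030405")   # SPI 0000: no security
SIGNED_PDU = _HDR + "7F" + "F6" + _TS + "1D" + (
    "001B" "15" "0200" "00" "12" "B00000" "0000000001" "00"
    "1122334455667788" "0102030405")                                    # SPI 0200: 8-byte CC present

if __name__ == "__main__":
    for name, pdu in [("text", TEXT_PDU), ("unsecured", UNSECURED_PDU), ("signed", SIGNED_PDU)]:
        print(name, classify(pdu))
```

A filter like this belongs at the operator's SMSC or SMS firewall, not on the handset: the baseband routes PID 0x7F class 2 messages to the SIM before any app sees them, which is why the victim notices nothing. A "signed" verdict only means a checksum field is present; checking it requires the operator's OTA keys.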
“During the attack, the user is completely unaware that they received
the attack, that information was retrieved, and that it was successfully
exfiltrated,” researchers explain.
“The location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users. However the Simjacker attack can, and has been extended further to perform additional types of attacks.”
Though the technical details and proof-of-concept for the vulnerability are yet to be disclosed, the researchers said they had observed real attacks against users with devices from nearly every manufacturer, including Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards.
According to the researchers, the handset make and model make no difference: the vulnerable component is a legacy technology embedded on the SIM card itself, whose specification has not been updated since 2009, potentially putting over a billion people at risk.
Simjacker Vulnerability Being Exploited in the Wild
Researchers say the Simjacker attack worked so well, and was successfully exploited for years, “because it took advantage of a combination of complex interfaces and obscure technologies, showing that mobile operators cannot rely on standard established defences.”
“Simjacker represents a clear danger to the mobile operators and subscribers. This is potentially the most sophisticated attack ever seen over core mobile networks,” said Cathal McDaid, CTO, AdaptiveMobile Security.
“It’s a major wake-up call that shows hostile actors are investing heavily in increasingly complex and creative ways to undermine network security. This compromises the security and trust of customers, mobile operators, and impacts the national security of entire countries.”
Moreover, now that this vulnerability has been publicly revealed, the researchers expect hackers and other malicious actors will try to “evolve these attacks into other areas.”