Cybersecurity researchers have warned of a critical vulnerability in SIM cards that could allow remote attackers to compromise targeted mobile phones and spy on victims without their knowledge just by sending an SMS.
Dublin-based firm AdaptiveMobile Security said the flaw — dubbed “Simjacker” — has been actively exploited for at least two years by a spyware vendor that works with governments to track individuals. The firm didn’t disclose the name of the company nor the individuals who may have been targeted in this way.
Given the attack works across all platforms, the vulnerability demonstrates the increasing sophistication of threat actors to undermine network security by taking advantage of obscure tecnologies.
“The attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands,” AdaptiveMobile Security said.
The researchers have responsibly disclosed the flaw to GSM association (GSMA) and SIMalliance, the governing organizations overseeing mobile operators worldwide and seeking to improve the security of mobile services.
What is S@T?
The vulnerability resides in what’s called the S@T browser, embedded on most SIM cards as part of SIM Application Toolkit (STK) widely used by GSM mobile operators across the world to provide value-added services to customers.
S@T — short for SIMalliance Toolbox Browser — is a microbrowser (aka mobile browser) designed to be used on mobile devices, especially on phones that support Wireless Application Protocol (WAP), a common standard for accessing the internet since the early 2000s.
The browser — stored as an executable application on the SIM card residing inside a GSM mobile phone — offers mobile service providers an interactive means to allow users access web applications such as email, stock prices, news, and sports headlines.
With modern mobile browsers such as Chrome, Firefox, and Safari now capable of supporting full HTML web pages, WAP — and by extension S@T — has been deemed largely obsolete.
But AdaptiveMobile said it found the S@T browser technology active on mobile operators in at least 30 countries, with a combined population of over one billion. That doesn’t automatically make everyone susceptible, as it’s very much possible that mobile operators are no longer using SIM cards containing the vulnerable S@T browser.
Disclosing that the attacks are happening on a daily basis, the researchers also said a few phone numbers had been tracked hundred times over a 7-day period, implying they were high-profile targets.
How does the attack work?
At a high level, the vulnerability works by leveraging a GSM modem — available for as cheap as $10 — to send malicious messages to handsets that still use the S@T browser functionality in order to trigger specially crafted STK commands.
Here is some comment from the GSMA. It doesn’t have data on which countries were impacted (although others likely will) pic.twitter.com/itTNAXjGAH
— Joseph Cox (@josephfcox) September 12, 2019
The SMS is not the regular kind, but another flavor called Binary SMS that’s used to deliver rich-content, such as ringtones, telephone system settings and WAP push text messages.
The device, upon receiving the SMS, blindly passes on the message to the SIM card without bothering to check its origin, following which the SIM card uses the S@T browser to execute the command — including requesting location and device information such as IMEI numbers.
“During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated,” the researchers said.
While the primary attack detected involved the retrieval of mobile phone locations, the scope of Simjacker has considerably widened to “perform many other types of attacks against individuals and mobile operators such as fraud, scam calls, information leakage, denial of service and espionage.”
SIMalliance, for its part, has rolled out fresh recommendations to cellular carriers to implement additional security for S@T push messages by filtering such illegitimate binary SMSes.
As ZDNet notes, Simjacker attacks have been theorized at least since 2011. But this is the first time they have been exploited via complex techniques to enable surveillance.
“Now that this vulnerability has been revealed, we fully expect the exploit authors and other malicious actors will try to evolve these attacks into other areas,” AdaptiveMobile Security’s chief technology officer Cathal Mc Daid said.
Jessica spends 12 hours a day on the internet managing security for web assets and loves her macha tea
