Updated: On September 27, a few researchers from the Security Research Labs (SRLabs) released five key research findings based on the extent of Simjacker and how one can understand whether is SIM is vulnerable to such an exploit.
Yesterday, Adaptive Mobile Security made a breakthrough announcement revealing a new vulnerability which the firm calls Simjacker has been used by attackers to spy over mobile phones.
Researchers at Adaptive Mobile Security believe the vulnerability has been exploited for at least the last 2 years “by a highly sophisticated threat actor in multiple countries, primarily for the purposes of surveillance.” They further added that the Simjacker vulnerability “is a huge jump in complexity and sophistication compared to attacks previously seen over mobile core networks. It represents a considerable escalation in the skillset and abilities of attackers seeking to exploit mobile networks.”
How Simjacker attack works and why it is a grave threat
In the Simjacker attack, an SMS that contains a specific spyware-like code is sent to a victim’s mobile phone. This SMS when received, instructs the UICC (SIM Card) within the phone to ‘take over’ the mobile phone, in order to retrieve and perform sensitive commands.
“During the attack, the user is completely unaware that they received the SMS with the Simjacker Attack message, that information was retrieved, and that it was sent outwards in the Data Message SMS – there is no indication in any SMS inbox or outbox,” the researchers mention on their official blog post.
Source: Adaptive Mobile Security
The Simjacker attack relies on the [email protected](SIMalliance Toolbox ‘pronounced as sat’) browser software as an execution environment. The [email protected] browser, an application specified by the SIMalliance, can be installed on different UICC (SIM cards), including eSIMs. The [email protected] browser software is quite old and unpopular with an initial aim to enable services such as getting your account balance through the SIM card. The software specifications have not been updated since 2009 and have been superseded by many other technologies since then.
Researchers say they have observed the “[email protected] protocol being used by mobile operators in at least 30 countries whose cumulative population adds up to over a billion people, so a sizable amount of people are potentially affected. It is also highly likely that additional countries have mobile operators that continue to use the technology on specific SIM cards.”
Simjacker attack is a next-gen SMS attack
Simjacker attack is unique. Previous SMS malware involved sending links to malware. However, the Simjacker Attack Message carries a complete malware payload, specifically spyware with instructions for the SIM card to execute the attack.
Simjacker attack can do more than simply tracking the user’s location and user’s personal data. By modifying the attack message, the attacker could instruct the UICC to execute a range of other attacks. This is because the same method allows an attacker to have complete access to the STK command set including commands such as launch browser, send data, set up a call, and much more.
The researchers used these commands in their own tests and were successfully able to make targeted handsets open up web browsers, ring other phones, send text messages and so on. They further highlighted other purposes this attack could be used for:
- Mis-information (e.g. by sending SMS/MMS messages with attacker-controlled content)
- Fraud (e.g. by dialling premium rate numbers),
- Espionage (as well as the location retrieving attack an attacked device it could function as a listening device, by ringing a number),
- Malware spreading (by forcing a browser to open a web page with malware located on it)
- Denial of service (e.g by disabling the SIM card)
- Information retrieval (retrieve other information like language, radio type, battery level etc.)
The researchers highlight another benefit of the Simjacker attack for the attackers: many of its attacks seem to work independent of handset types, as the vulnerability is dependent on the software on the UICC and not the device.
Adaptive Mobile says behind the Simjacker attack is a “specific private company that works with governments to monitor individuals.” This company also has extensive access to the SS7 and Diameter core network.
Researchers said that in one country, roughly 100-150 specific individual phone numbers being targeted per day via Simjacker attacks. Also, a few phone numbers had been tracked a hundred times over a 7-day period, suggesting they belonged to high-value targets.
Source: Adaptive Mobile Security
The researchers added that they have been “working with our own mobile operator customers to block these attacks, and we are grateful for their assistance in helping detect this activity.” They said they have also communicated to the GSM Association – the trade body representing the mobile operator community – the existence of this vulnerability. This vulnerability has been managed through the GSMA CVD program, allowing information to be shared throughout the mobile community.
“Information was also shared to the SIM alliance, a trade body representing the main SIM Card/UICC manufacturers and they have made new security recommendations for the [email protected] Browser technology,” the researchers said.
“The Simjacker exploit represents a huge, nearly Stuxnet-like, leap in complexity from previous SMS or SS7/Diameter attacks, and show us that the range and possibility of attacks on core networks are more complex than we could have imagined in the past,” the blog mentions.
The Adaptive Mobile Security team will present more details about the Simjacker attack in a presentation at Virus Bulletin Conference, London, on 3rd October 2019.
In fairness this is quite a big development – I know the researcher well and he and I know Karsten well so it is unfair to burn him for great work. We all benefit from everyone's research and this is important, it breaks new ground. #peaceout
— David Rogers (@drogersuk) September 12, 2019
How Simjacker works:
-attacker sends SMS to victim
-SMS contains STK instructions
-STK instructions run on victim's SIM card [email protected] Browser
-gather location data & IMEI/cell ID data
-SIM card sends SMS to logging server
All incoming/outgoing SMS messages don't show up for the user pic.twitter.com/mIiozv0AFK
— Catalin Cimpanu (@campuscodi) September 12, 2019
To know more about the Simjacker attack in detail, read Adaptive Mobile’s official blog post.
SRLabs researchers release protection tools against Simjacker and other SIM-based attacks
On September 27, a few researchers from the Security Research Labs (SRLabs) released five key findings based on the extent of Simjacker and how one can understand whether is SIM is vulnerable to such an exploit.
The researchers have highlighted five key findings in their research report and also provided an FAQ for users to implement necessary measures. Following are the five key research findings the SRLabs researchers mention:
- Around 6% of 800 tested SIM cards in recent years were vulnerable to Simjacker
- A second, previously unreported, vulnerability affects an additional 3.5% of SIM cards
- The tool SIMtester provides a simple way to check any SIM card for both vulnerabilities (and for a range of other issues reported in 2013)
- The SnoopSnitch Android app warns users about binary SMS attacks including Simjacker since 2014. (Attack alerting requires a rooted Android phone with Qualcomm chipset.)
- A few Simjacker attacks have been reported since 2016 by the thousands of SnoopSnitch users that actively contribute data
To know about these key findings by SRLabs’ researchers in detail, read the official report.