Researchers at AdaptiveMobile Security, a firm that specializes in cyber telecoms security, have disclosed a new SIM card attack method that could work against over 1 billion mobile phones, and they claim it has already been exploited by a surveillance company to track users.
Dubbed Simjacker, the attack consists of sending the targeted phone with a specially created SMS message. The message includes directions from a SIM toolkit (STK), and is processed by the SIM card or UICC, specifically the S@T Browser on the SIM.
An attacker could use this technique to send a variety of STK instructions to the targeted computer, including to play a voice, send SMS messages, make phone calls, collect device information (location, IMEI, battery, language), start the web browser, power the card off, request geographical location, and display data.
These orders can enable the attacker to monitor the locations of a user, to send arbitrary emails on behalf of the victim, spy on customers, and malware by telling the device’s internet browser to access a malicious website, which could lead to denial-of-service (DoS) conditions.
According to AdaptiveMobile Security, for at least 2 years a unnamed firm that helps governments monitor people has used the Simjacker technique to track users. The safety company claims it has observed this monitoring company tracking hundreds of individuals in a single nation.
In several nations, the spying firm has targeted consumers, sometimes exploiting weaknesses of the SS7 protocol to attain its objectives if the attack fails.
The attack by Simjacker is feasible because of S@T Browser, a legacy software initially conceived for services that needed SIM card interactions (e.g. bank account check balance via the SIM). Although the technology has not been updated in the previous century and is no longer necessary, many SIM cards still have it.
AdaptiveMobile Security has recognized mobile operators in more than 30 nations that supply this technology with SIM cards. The scientists think that up to 1 billion phones can be susceptible as the Simjacker attack operates independently of their maker. The attack was tested on Apple, Google, Huawei, Samsung, Motorola and ZTE telephones and even IoT devices using SIM cards.
It should be noted that while some of the instructions do not require user interaction, such as the place of a device, and no visual proof for the attack is available, others, such as a call, involve some user-interaction on mobile devices.
“We believe that the Simjacker attack evolved as a direct replacement for the abilities that were lost to mobile network attackers when operators started to secure their SS7 and Diameter infrastructure,” AdaptiveMobile explained. “But whereas successful SS7 attacks required specific SS7 knowledge (and access), the Simjacker Attack Message require a much broader range of specific SMS , SIM Card, Handset, Sim Toolkit , S@T Browser and SS7 knowledge to craft.”
The company added, “This investment has clearly paid off for the attackers, as they ended up with a method to control any mobile phone in a certain country, all with only a $10 GSM Modem and a target phone number. In short, the advent of Simjacker means that attackers of mobile operators have invested heavily in new attack techniques, and this new investment and skillset means we should expect more of these kinds of complex attacks.”
AdaptiveMobile says that it works with the mobile network customer operators to block attacks and both GSM Association (representing the mobile operators community) and SIMalliance (representing SIM card manufacturers) have notified of the threat.