A vulnerability recently discovered and made public by AdaptiveMobile Security allows hackers to execute sensitive commands on any kind of mobile handset by sending them instructions via SMS. Dubbed ‘Simjacker’, the vulnerability has been used in actual practice to spy on users in several countries for at least two years. Per AdaptiveMobile Security:
This vulnerability is currently being actively exploited by a specific private company that works with governments to monitor individuals.
The Simjacker attack abuses the SIMalliance Toolbox Browser, commonly known as S@T Browser, which is installed on some SIM cards so operators can deliver a variety of services over-the-air. This dynamic SIM toolkit is reportedly widely used on the SIM cards of mobile operators in at least 30 countries. Simjacker can be exploited irrespective of the handset that victims use.
In theory, all makes and models of mobile phone are open to attack as the vulnerability is linked to a technology embedded on SIM cards. The Simjacker vulnerability could extend to over 1 billion mobile phone users globally, potentially impacting countries in the Americas, West Africa, Europe, Middle East and indeed any region of the world where this SIM card technology is in use.
AdaptiveMobile Security explained how the vulnerability has permitted covert surveillance of phone users.
The main Simjacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands. The location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users. During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated.
The core attack is illustrated by the diagram above, and involves prompting the user’s phone to send an SMS containing sensitive data to another device.
Once the Simjacker Attack Message is received by the UICC [SIM card] it uses the S@T Browser library as an execution environment on the UICC, where it can trigger logic on the handset. For the main attack observed, the Simjacker code running on the UICC requests location and specific device information (the IMEI) from the handset. Once this information is retrieved, the Simjacker code running on the UICC then collates it and sends the combined information to a recipient number via another SMS (we call this the ‘Data Message’), again by triggering logic on the handset. This Data Message is the method by which the location and IMEI information can be exfiltrated to a remote phone controlled by the attacker.
The user has no knowledge of the Simjacker exploit because no record is retained of either the incoming or outgoing SMS messages.
AdaptiveMobile Security also reported that the abuse of users extends beyond covert monitoring.
Simjacker has been further exploited to perform many other types of attacks against individuals and mobile operators such as fraud, scam calls, information leakage, denial of service and espionage. AdaptiveMobile Security Threat Intelligence analysts observed the hackers vary their attacks, testing many of these further exploits.
The details of this vulnerability have been disclosed to both the SIMalliance, the body which specified the S@T Browser, and to the GSM Association. SIMalliance has issued security recommendations for the way SIM card manufacturers deal with S@T push messages.
You can learn more about Simjacker at AdaptiveMobile Security’s Simjacker microsite.