13 September 2019

An ongoing ‘SimJacker’ surveillance attack puts at risk over 1B mobile phone users


Cybersecurity researchers revealed the existence of a new and previously undisclosed vulnerability in SIM cards that has been abused in real attacks for at least the last two years to track and monitor individuals.

Dubbed "SimJacker," the attack works by sending an SMS with a specific type of spyware-like code to a mobile phone, which then instructs the SIM Card (UICC) within the phone to ‘take over’ the mobile device to retrieve and perform sensitive commands, according to a report by AdaptiveMobile Security.

The vulnerability affects a particular piece of software, called the S@T Browser (a dynamic SIM toolkit), embedded on most SIM cards. Despite not having been updated since 2009, it is widely used by mobile operators in at least 30 countries, and it can be exploited regardless of which handsets victims are using.

"We have observed devices from nearly every manufacturer being successfully targeted to retrieve location: Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards," the researchers said.

The attack begins with an attacker sending an SMS (AdaptiveMobile Security uses the term Simjacker ‘Attack Message’) from a smartphone, a GSM modem or an SMS sending account connected to an A2P account. The message contains a series of hidden SIM Toolkit (STK) instructions that are supported by a device's S@T Browser. Both STK instructions and S@T Browser software can be used to trigger actions on a device, such as launching browsers, playing sounds, sending short messages and so on.

“Once the Simjacker Attack Message is received by the UICC, it uses the S@T Browser library as an execution environment on the UICC, where it can trigger logic on the handset,” the AdaptiveMobile team explained.

The SimJacker code running on the UICC requests location and specific device information (the IMEI) from the handset and then sends the retrieved information to a remote phone controlled by the attacker via another SMS message. The most interesting part is that the user is completely unaware that a "SimJacker" attack is happening, as there is no indication of the “Data Message SMS” in any SMS inbox or outbox.

The researchers said that they have seen “phone numbers from several countries being targeted by these attacks” and believe that “individuals in other countries have also been targeted via Simjacker attacks.” While the experts didn’t name the threat actor behind these attacks, they said that they are “quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals”.

The researchers have responsibly disclosed details of the SimJacker vulnerability to the GSM Association, the trade body representing the mobile operator community, as well as to the SIM alliance, which represents the main SIM Card/UICC manufacturers.

The SIM alliance has acknowledged the issue and provided new security recommendations for the S@T Browser technology.

"The Simjacker exploit represents a huge, nearly Stuxnet-like, leap in complexity from previous SMS or SS7/Diameter attacks, and shows us that the range and possibility of attacks on core networks are more complex than we could have imagined in the past," the researchers warned.
