As time passes, we are seeing more attacks built on SIM cards, including the well-known SIM swapping method.
Adding to these, AdaptiveMobile Security recently released details of a previously unknown exploit, dubbing it Simjacker.
How it works is illustrated in simplified form in the diagram below; the details are more intricate.
Example of how the Simjacker vulnerability can track the mobile phone location of vulnerable subscribers. Image from AdaptiveMobile.
As shown, the attacker sends an SMS carrying a specific kind of spyware to the victim's phone, which extracts location data and then sends it back to the attacker.
Cathal from AdaptiveMobile Security offers a deeper look:
“This Simjacker Attack Message, sent from another handset, a GSM Modem or an SMS sending account connected to an A2P account, contains a series of SIM Toolkit (STK) instructions, and is specifically crafted to be passed on to the UICC/eUICC (SIM Card) within the device.”
“In order for these instructions to work, the attack exploits the presence of a particular piece of software, called the S@T Browser – that is on the UICC. Once the Simjacker Attack Message is received by the UICC, it uses the S@T Browser library as an execution environment on the UICC, where it can trigger logic on the handset,” researchers noted.
“For the main attack observed, the Simjacker code running on the UICC requests location and specific device information (the IMEI) from the handset. Once this information is retrieved, the Simjacker code running on the UICC then collates it and sends the combined information to a recipient number via another SMS (we call this the ‘Data Message’), again by triggering logic on the handset. This Data Message is the method by which the location and IMEI information can be exfiltrated to a remote phone controlled by the attacker.”
Moreover, worryingly, the victim is never notified of any message: nothing appears in the inbox, making the attack about as stealthy as it gets.
The technology being exploited is the S@T Browser software installed on SIM cards. Although it is quite old and has largely been replaced by other technologies, certain mobile operators still use it, which is why the exploit has the potential to compromise over 1 billion phones in 30 countries.
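The silent delivery described above relies on SMS header fields that hand a message to the SIM instead of the inbox. As an added example (not AdaptiveMobile's code), here is the kind of check an operator's SMSC or SMS firewall could run to spot SIM-bound messages arriving from anything other than its own OTA platform; it assumes numeric sender addresses, and the allow-list entry and payload bytes are constructed placeholders.

```python
"""Classify SMS-DELIVER TPDUs that bypass the inbox and go to the SIM (3GPP TS 23.040 fields).
Added example, not AdaptiveMobile's code. TP-PID 0x7F marks "(U)SIM Data Download" and a
TP-DCS of message class 2 ("SIM specific") delivers the payload to the UICC without the user
seeing anything. The sender allow-list and all payload bytes below are constructed placeholders.
"""
SIM_DATA_DOWNLOAD_PID = 0x7F
OPERATOR_OTA_SENDERS = {"1234"}  # constructed placeholder for the operator's own OTA platform

def message_class(dcs: int):
    """Message class 0-3 encoded in TP-DCS, or None when the DCS carries no class."""
    if dcs >> 6 == 0:                      # general data coding group (bits 7-6 = 00)
        return dcs & 0x03 if dcs & 0x10 else None
    if dcs >> 4 == 0xF:                    # "data coding / message class" group
        return dcs & 0x03
    return None

def parse_sms_deliver(tpdu: bytes) -> dict:
    """Pull sender, TP-PID, TP-DCS and payload out of an SMS-DELIVER TPDU (numeric senders only)."""
    if tpdu[0] & 0x03 != 0:
        raise ValueError("not an SMS-DELIVER TPDU")
    n_digits = tpdu[1]                     # TP-OA length is counted in semi-octets
    oa = tpdu[3:3 + (n_digits + 1) // 2]   # byte 2 is the type-of-address octet
    sender = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in oa)[:n_digits]  # BCD, nibbles swapped
    pos = 3 + len(oa)
    return {"sender": sender, "pid": tpdu[pos], "dcs": tpdu[pos + 1],
            "payload": tpdu[pos + 10:pos + 10 + tpdu[pos + 9]]}  # 7-byte TP-SCTS precedes TP-UDL

def decide(tpdu: bytes) -> str:
    """'drop' SIM-bound messages unless they come from the operator's OTA platform."""
    msg = parse_sms_deliver(tpdu)
    sim_bound = msg["pid"] == SIM_DATA_DOWNLOAD_PID or message_class(msg["dcs"]) == 2
    return "drop" if sim_bound and msg["sender"] not in OPERATOR_OTA_SENDERS else "deliver"

def build_sms_deliver(sender: str, pid: int, dcs: int, payload: bytes) -> bytes:
    """Constructed test input: assemble a minimal SMS-DELIVER TPDU with a zeroed timestamp."""
    digits = sender + "f" if len(sender) % 2 else sender
    bcd = bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))
    return (bytes([0x04, len(sender), 0x81]) + bcd + bytes([pid, dcs]) + bytes(7)
            + bytes([len(payload)]) + payload)

SAMPLES = {  # constructed; payload bytes are dummies, not real STK or S@T data
    "sim_download_unknown_sender": build_sms_deliver("5551234", 0x7F, 0xF6, b"\x00\x01\x02"),
    "sim_download_from_operator": build_sms_deliver("1234", 0x7F, 0xF6, b"\x00\x01\x02"),
    "class2_without_pid": build_sms_deliver("5551234", 0x00, 0x16, b"\x00"),
    "ordinary_text_sms": build_sms_deliver("5551234", 0x00, 0x00, b"hello"),
}
```

Running `decide()` over the samples drops the two SIM-bound messages from the unknown sender and delivers the operator's own OTA message and the ordinary text.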
ACTIVE SIMJACKER ATTACKS DETECTED
Because AdaptiveMobile has not shared the name of the company performing these attacks, it is unclear if this vulnerability is being used to track criminals or terrorists, or abused to track dissidents, journalists, or political opponents.
Nevertheless, AdaptiveMobile said Simjacker attacks are happening on a daily basis, in large numbers.
In most cases, phone numbers are tracked a few times a day, for long periods, rather than multiple times per day.
However, researchers said that a few phone numbers had been tracked hundreds of times over a 7-day period, suggesting they belonged to high-value targets.
“These patterns and the number of tracking indicates it is not a mass surveillance operation, but one designed to track a large number of individuals for a variety of purposes, with targets and priorities shifting over time,” AdaptiveMobile researchers said.
Image from AdaptiveMobile
As mentioned above, these attacks are being used for location retrieval; however, by modifying the attack message, numerous other commands can be issued, including but not limited to launching the browser, sending short messages, turning off the SIM card and setting up calls.
Image from AdaptiveMobile
The team at AdaptiveMobile believes that the exploit was initiated by a private company in conjunction with governments to conduct surveillance.
However, this is not confirmed, as concrete evidence has yet to come to light. The lesson is that we need to make sure our telecom operators are taking sufficient security measures before joining their networks.
This case is testimony to the fact that the days when only mobile phone manufacturers needed to be on guard against hackers are gone.
If you are in doubt, it is a good idea to call your operator and verify which technology is used on your SIM card; if it happens to be S@T, it would be wise to replace the SIM card immediately.
SIMJACKER IS THE RESULT OF IMPROVEMENTS TO MOBILE NETWORKS
The mystery remains about who developed this attack, but AdaptiveMobile said the private company was an expert in the field.
“As well as producing this spyware, this same company also have extensive access to the SS7 and Diameter core network, as we have seen some of the same Simjacker victims being targeted using attacks over the SS7 network as well, with SS7 attack methods being used as a fall-back method when Simjacker attacks do not succeed,” AdaptiveMobile said.
“We believe that the Simjacker attack evolved as a direct replacement for the abilities that were lost to mobile network attackers when operators started to secure their SS7 and Diameter infrastructure,” researchers said.
However, while attacks on the SS7 and Diameter protocols involved deep knowledge of mobile networking protocols and expensive gear, the Simjacker attack is far simpler and cheaper. All it takes is a $10 GSM modem and a victim’s phone, researchers said.
ANCIENT PROTOCOL
The vulnerability at the heart of the Simjacker attack could easily have been prevented had mobile operators shown some restraint in what code they put on their SIM cards.
“This S@T Browser software is not well known, is quite old, and its initial purpose was to enable services such as getting your account balance through the SIM card,” researchers said.
“Globally, its function has been mostly superseded by other technologies, and its specification has not been updated since 2009, however, like many legacy technologies it is still being used while remaining in the background.”
AdaptiveMobile said it has seen the S@T Browser technology active on the networks of mobile operators in at least 30 countries around the globe.
These countries, researchers said, have a cumulative population of over one billion, all of whom are exposed to this silent surveillance method. According to a source who spoke with ZDNet, the impacted countries are in the MENA (Middle East and North Africa) region, with a few in Asia and Eastern Europe.
Furthermore, the S@T Browser technology supports more than the commands abused by the attackers — namely those to retrieve location data and IMEI codes, and send an SMS message.
Other S@T Browser supported commands include the ability to make calls, power off SIM cards, run AT modem commands, open browsers (with phishing links or on sites with exploit code), and more.
AdaptiveMobile warns that this technology and this attack could be useful for more than just surveillance, and other threat actors could soon abuse it as well. For example, Simjacker could also be used for misinformation campaigns (sending SMS/MMS messages with fake content), financial fraud (dialing premium numbers), espionage (initiating a call and listening in on nearby conversations), and sabotage (disabling a target’s SIM card), among many others.
In fact, Simjacker attacks are not actually new; a threat actor has simply found a way to weaponize STK instructions. They have been known, at least at a theoretical level, since 2011, when Romanian security researcher Bogdan Alecu first described how a malicious actor could abuse STK commands to subscribe users to premium numbers [1, 2].
The AdaptiveMobile research team will discuss and present more on the Simjacker attacks and their findings at the VirusBulletin 2019 security conference, which will be held in London in October this year.