By now, I’m sure you have all heard of the SimJacker vulnerability, disclosed exactly a month ago, which affects a wide range of SIM cards and can be exploited remotely to hack into any mobile phone just by sending a specially crafted binary SMS.
If you are unaware, the name “SimJacker” has been given to a class of vulnerabilities that exists due to a lack of authentication and proprietary security mechanisms implemented by dynamic SIM toolkits that come embedded in modern SIM cards.
Out of many, two such widely used SIM toolkits — S@T Browser technology and Wireless Internet Browser (WIB) — have so far been found vulnerable to SimJacker attacks, details of which we have provided in our previous articles published last month.
At that time, a few experts in the telecom industry confirmed that the SimJacker-related weaknesses had been known internally to many for years, and researchers also revealed that an unnamed surveillance company has been exploiting the flaw in the wild to spy on its targets.
Cybersecurity researchers at Adaptive Mobile Security have now released a new report, revealing more details about the SimJacker attacks and trying to address some important unanswered questions, like the number of affected operators and countries, along with details on attacks spotted in the wild.
1 – List of Affected Countries
Though the researchers did not name the affected mobile operators to prevent attackers from taking advantage of the disclosed vulnerability, they did reveal the names of countries where the vulnerable SIMs are still in use.
According to the report, the list includes 29 affected countries across five continents, where customers of a total of 61 mobile operators are actively using vulnerable SIMs with S@T Browser toolkit:
- North America: Mexico, Guatemala, Honduras, Costa Rica, Nicaragua, Belize, El Salvador, Dominican Republic, and Panama.
- South America: Peru, Colombia, Brazil, Ecuador, Chile, Argentina, Uruguay, and Paraguay.
- Africa: Nigeria, Ghana, Benin, Ivory Coast, and Cameroon.
- Europe: Italy, Bulgaria, and Cyprus.
- Asia: Saudi Arabia, Iraq, Palestine and Lebanon.
“The most probable, conservative estimate is that mid to high hundreds of millions of SIM Cards globally are affected,” the researchers said.
On the other hand, there are only 8 mobile operators in 7 countries who are actively using the vulnerable WIB toolkit on their SIM Cards. These countries are spread across Eastern Europe, Central America, Asia, and West Africa.
2 – SimJacker Attacks in the Wild
According to the researchers, an unnamed surveillance company—active from at least 2015 and known for targeting users from multiple countries over the SS7 network—has been exploiting the SimJacker vulnerability to gather intelligence on its targets.
It all started when researchers detected unusual and suspicious SMS events in the last quarter of 2018. Once they began actively monitoring, they recorded attempts to send nearly 25,000 Simjacker messages to 1500 unique mobile devices over a period of 30 days.
The primary targets were Mexican mobile users, while a small number of attacks were also observed against mobile phone subscribers from Colombia and Peru, with the aim of obtaining both location information and unique IMEI identifiers.
“We believe that prior to the discovery, they would have successfully tracked the location of many thousands of mobile subscribers over months and probably years,” the researchers said.
“We also observed the attacker experiment over time with new potential forms of attack using the vulnerability. The number, scale, and sophistication of modifications of the attack are significantly beyond what we have witnessed from any attacker over mobile networks.”
Researchers observed over 860 Simjacker attack sub-variants in the actual SMS Packet that were sent from at least 70 attacker-controlled mobile numbers.
Besides this, researchers also observed that the attackers were attempting to use dedicated SS7 attacks against some users in case SimJacker attacks failed.
3 – How to Protect Yourself from SimJacker Attacks
Unfortunately, there is no simple way for mobile subscribers to know whether a vulnerable SIM browser toolkit is deployed on their SIM card or not.
Though there are apps, like SnoopSnitch, that you can download from the Google Play Store to detect attacks based on suspicious binary SMS, they require your Android device to be rooted, and even knowing that won’t help you much.
That’s because, as a potential victim, there’s very little you can do to protect yourself, except wait for your mobile operator to implement security measures or simply migrate your phone number to a different safe network, if available, which will provide you with a new SIM card.
Meanwhile, GSM Association (GSMA), a trade body that represents the interests of mobile operators worldwide, has provided some of the best ways to prevent and block these attacks to protect billions of mobile phone users worldwide.
In addition, the SIMalliance has also made some updates to its S@T browser specifications to improve the security of the SIM toolkits, and provided recommendations for SIM card manufacturers to implement security for S@T push messages.
4. A team of security researchers has detailed a second SMS-based attack that can allow malicious actors to track users’ devices by abusing little-known apps that are running on SIM cards.
This new attack, named WIBattack, is identical to Simjacker, an attack disclosed at the start of the month by mobile security firm AdaptiveMobile.
Both attacks work in the same way, and they grant access to similar commands, with the exception that they target different apps running on the SIM cards.
Mainly, Simjacker runs commands against the S@T Browser app, while WIBattack sends commands to the Wireless Internet Browser (WIB) app.
Both are Java applets that mobile telcos install on SIM cards they provide to their customers. The purpose of these apps is to allow remote management for customer devices and their mobile subscriptions.
In a report released earlier this month, AdaptiveMobile said it discovered that a “private company that works with governments” was using rogue commands sent to S@T Browser apps running on SIM cards to track individuals.
In a report published last weekend, security researchers from Ginno Security Labs said that the WIB app was also vulnerable to similar attacks, although they were not aware of any attacks.
In the case of both S@T and WIB apps, attackers can send a specially formatted binary SMS (called an OTA SMS) that will execute STK (SIM Toolkit) instructions on SIM cards on which telcos did not enable special security features.
The commands supported on the WIB app are about the same ones supported by the S@T Browser, which are:
- Get location data
- Start call
- Send SMS
- Send SS requests
- Send USSD requests
- Launch internet browser with a specific URL
- Display text on the device
- Play a tone
Just like the Simjacker attack, Ginno Security Labs researchers say this attack vector can also be abused to track users. If used by a skilled attacker, it can allow a threat actor to track a victim’s location or start phone calls and listen to nearby conversations.
Researchers said they discovered the WIBattack back in 2015, when they also found the Simjacker attack (which they called S@Tattack), but did not go public with their findings.
They estimated the number of devices running SIM cards with a WIB app at “hundreds of millions.”
SCARY NUMBERS DON’T HOLD WATER
But the estimations that Simjacker and WIBattack impact hundreds of millions of SIM cards may not be accurate, according to a report ZDNet received this week from SRLabs.
The report draws on two apps. The first, SIMTest, is a desktop app that users can install to test their SIM cards for security flaws. The second, SnoopSnitch, is an Android app that runs on rooted devices with Qualcomm chipsets and can test smartphones for various SIM, mobile network, and OS security flaws.
Researchers used telemetry from both apps to investigate the breadth of the Simjacker and WIBattack vulnerabilities.
In total, they received data from 800 SIM card tests via the SIMTest app, from all over the world. The results revealed that most mobile telcos don’t ship the S@T and WIB applets anymore.
- 9.4% of the tested SIMs have the S@T applet installed
- A subset of 5.6% are vulnerable to Simjacker, because their protection level was set to zero
- 10.7% have the WIB applet installed
- A subset of 3.5% are vulnerable to a Simjacker-style attack against the WIB applet
- In total, 9.1% of tested SIM cards were vulnerable to attacks against either S@T or WIB
Furthermore, data from more than 500,000 SnoopSnitch users revealed that only a very small number of users received OTA SMS messages, like the ones needed to exploit Simjacker and WIBattack.
- We received reports from 8 users about 29 OTA SMS targeting the S@T applet
- The first message was reported in 2016
- Most of the messages targeted users in Latin and South America
These results mean that most users today are safe from these threats, which confirms private conversations that this reporter had with mobile security experts, who said that only a handful of mobile providers across the world ship SIM cards with the two apps, mostly located in the MENA, Eastern Europe, and Latin America regions.
NOT A DANGEROUS ATTACK, WHEN COMPARED TO OTHERS
Users who are curious to see if their phones’ SIM card runs the S@T or WIB apps can install and run the SIMTest app.
But even if the two SIM card apps are installed, the SRLabs team said it does not automatically mean the SIM card is vulnerable. To be vulnerable and exploitable, attackers would need to have the ability to send OTA SMS messages to the two apps, something that telcos can block by enabling security features on the two SIM card apps.
Unless S@T and WIB have a minimum security level (MSL) index of 0, the innate security feature present in the two apps should prevent random strangers from sending binary OTA SMS messages that trigger hidden command executions.
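A monitoring-side view of the point above, as an added example that is not code from SRLabs, SnoopSnitch or the original article: it reads the security header of an OTA command packet and flags messages that request no integrity check and no ciphering, the only kind an applet with MSL 0 would accept from a stranger. It assumes the header layout of ETSI TS 102 225, a TP-UD that begins with a user data header, and constructed sample messages whose TAR (AABBCC) and payload bytes are placeholders.

```python
from dataclasses import dataclass

PID_SIM_DOWNLOAD = 0x7F    # TP-PID value for (U)SIM data download
IEI_COMMAND_PACKET = 0x70  # UDH element announcing a secured command packet

@dataclass
class OtaHeader:
    tar: str         # 3-byte Toolkit Application Reference (target applet)
    integrity: str   # none / RC / CC / DS, from SPI byte 1 bits 2-1
    ciphered: bool   # SPI byte 1 bit 3

def parse_ota(pid: int, user_data: bytes):
    """Return the OTA security header, or None if this is not an OTA SMS."""
    if pid != PID_SIM_DOWNLOAD or len(user_data) < 2:
        return None
    udhl = user_data[0]
    udh, body = user_data[1:1 + udhl], user_data[1 + udhl:]
    i, is_command = 0, False
    while i + 1 < len(udh):              # walk IEI / length / data triples
        is_command |= udh[i] == IEI_COMMAND_PACKET
        i += 2 + udh[i + 1]
    if not is_command or len(body) < 10:
        return None
    # body layout: CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1) ...
    spi1, tar = body[3], body[7:10]
    return OtaHeader(tar.hex().upper(), ("none", "RC", "CC", "DS")[spi1 & 0x03],
                     bool(spi1 & 0x04))

def flag_unprotected(messages):
    """(name, TAR) of messages whose header asks for no integrity and no ciphering."""
    flagged = []
    for name, pid, hex_ud in messages:
        hdr = parse_ota(pid, bytes.fromhex(hex_ud))
        if hdr and hdr.integrity == "none" and not hdr.ciphered:
            flagged.append((name, hdr.tar))
    return flagged

# Constructed samples (TAR AABBCC and all payload bytes are placeholders).
SAMPLES = [
    ("text-sms", 0x00, "48656C6C6F"),
    ("ota-no-security", 0x7F, "027000" "0010" "0D" "0000" "00" "00" "AABBCC"
                              "0000000000" "00" "0000"),
    ("ota-cc-ciphered", 0x7F, "027000" "001E" "15" "1621" "15" "15" "AABBCC"
                              "0000000001" "00" "1122334455667788" "0000000000000000"),
]

if __name__ == "__main__":
    print(flag_unprotected(SAMPLES))
```

An operator-side filter would combine this flag with the sender: an unprotected command packet arriving from outside the operator's own OTA platform is the case worth blocking or alerting on.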
Karsten Nohl, a security researcher with SRLabs, also called for calm in an interview with ZDNet this week.
“In the context of mobile network hacks, Simjacker would appear less attractive to criminals than SS7 attacks or social engineering such as SIM swapping,” he said.
“While SS7 hacks and SIM swaps are reported in large numbers, Simjacker attacks seem to appear only anecdotally in comparison.”
In other words, you’re more vulnerable to your mobile telco’s employees assigning your phone number to a hacker than to being bombarded with shady OTA SMS messages.