Dubbed "SimJacker," the vulnerability resides in a particular piece of software, called the S@T Browser (a dynamic SIM toolkit), embedded on most SIM cards that is widely being used by mobile operators in at least 30 countries and can be exploited regardless of which handsets victims are using.
What's worrisome? A specific private company that works with governments is actively exploiting the SimJacker vulnerability from at least the last two years to conduct targeted surveillance on mobile phone users across several countries.
S@T Browser, short for SIMalliance Toolbox Browser, is an application that comes installed on a variety of SIM cards, including eSIM, as part of SIM Tool Kit (STK) and has been designed to let mobile carriers provide some basic services, subscriptions, and value-added services over-the-air to their customers.
Since S@T Browser contains a series of STK instructions—such as send short message, setup call, launch browser, provide local data, run at command, and send data—that can be triggered just by sending an SMS to a device, the software offers an execution environment to run malicious commands on mobile phones as well.
How Does Simjacker Vulnerability Work?
Disclosed by researchers at AdaptiveMobile Security in new research published today, the vulnerability can be exploited using a $10 GSM modem to perform several tasks, listed below, on a targeted device just by sending an SMS containing a specific type of spyware-like code.
- Retrieving targeted device' location and IMEI information,
- Spreading mis-information by sending fake messages on behalf of victims,
- Performing premium-rate scams by dialing premium-rate numbers,
- Spying on victims' surroundings by instructing the device to call the attacker's phone number,
- Spreading malware by forcing victim's phone browser to open a malicious web page,
- Performing denial of service attacks by disabling the SIM card, and
- Retrieving other information like language, radio type, battery level, etc.
"During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated," researchers explain.
"The location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users. However the Simjacker attack can, and has been extended further to perform additional types of attacks."
"This attack is also unique, in that the Simjacker Attack Message could logically be classified as carrying a complete malware payload, specifically spyware. This is because it contains a list of instructions that the SIM card is to execute."
Though the technical details, detailed paper and proof-of-concept of the vulnerability are scheduled to be released publicly in October this year, the researchers said they had observed real-attacks against users with devices from nearly every manufacturer, including Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards.
According to the researchers, all manufacturers and mobile phone models are vulnerable to the SimJacker attack as the vulnerability exploits a legacy technology embedded on SIM cards, whose specification has not been updated since 2009, potentially putting over a billion people at risk.
Simjacker Vulnerability Being Exploited in the Wild
Researchers says, the Simjacker attack worked so well and was being successfully exploited for years "because it took advantage of a combination of complex interfaces and obscure technologies, showing that mobile operators cannot rely on standard established defences."
"Simjacker represents a clear danger to the mobile operators and subscribers. This is potentially the most sophisticated attack ever seen over core mobile networks," said Cathal McDaid, CTO, AdaptiveMobile Security in a press release.
"It's a major wake-up call that shows hostile actors are investing heavily in increasingly complex and creative ways to undermine network security. This compromises the security and trust of customers, mobile operators, and impacts the national security of entire countries."
Moreover, now that this vulnerability has publicly been revealed, the researchers expect hackers and other malicious actors will try to "evolve these attacks into other areas."
Researchers have responsibly disclosed details of this vulnerability to the GSM Association, the trade body representing the mobile operator community, as well as the SIM alliance that represents the main SIM Card/UICC manufacturers.
The SIMalliance has acknowledged the issue and provided recommendations for SIM card manufacturers to implement security for S@T push messages.
Mobile operators can also immediately mitigate this threat by setting up a process to analyze and block suspicious messages that contain S@T Browser commands.
As a potential victim, it appears, there is nothing much a mobile device user can do if they are using a SIM card with S@T Browser technology deployed on it, except requesting for a replacement of their SIM that has proprietary security mechanisms in place.