Pierluigi Paganini September 12, 2019

SimJacker is a critical vulnerability in SIM cards that could be exploited by remote attackers to compromise any phones just by sending an SMS.

Cybersecurity researchers at AdaptiveMobile Security disclosed a critical vulnerability in SIM cards dubbed SimJacker that could be exploited by remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.

The SimJacker vulnerability resides in the S@T (SIMalliance Toolbox) Browser dynamic SIM toolkit that is embedded in most SIM cards used by mobile operators in at least 30 countries. The experts discovered that that the exploitation of the vulnerability is independent of the model of phone used by the victim.

The scary part of the story is that a private surveillance firm was aware of the zero-day flaw since at least two years and is actively exploiting the SimJacker vulnerability to spy on mobile users in several countries.

“AdaptiveMobile Security have uncovered a new and previously undetected vulnerability and associated exploits, called Simjacker. This vulnerability is currently being actively exploited by a specific private company that works with governments to monitor individuals.” states a post published by AdaptiveMobile.

The S@T Browser application is installed on multiple SIM cards, including eSIM, as part of SIM Tool Kit (STK), it enables the SIM card to initiate actions which can be used for various value-added services.

Since S@T Browser implements a series of STK instructions (i.e. send, call, launch browser, provide local data, run command, and send data) that can be executed by sending an SMS to the phone.

The Simjacker attack involves an SMS containing commands that instruct the SIM Card in the phone to ‘take over’ the phone.

The attacker could exploit the flaw to

• Retrieve targeted device’ location and IMEI information,
• Spread mis-information by sending fake messages on behalf of victims,
• Perform premium-rate scams by dialing premium-rate numbers,
• Spy on victims’ surroundings by instructing the device to call the attacker’s phone number,
• Spread malware by forcing victim’s phone browser to open a malicious web page,
• Perform denial of service attacks by disabling the SIM card, and
• Retrieve other information like language, radio type, battery level, etc.

The experts explained that the attack is transparent for the users, the targets are not able to notice any anomaly.

“The main Simjacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands.” continues the post.

“During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated,”

The experts revealed that they observed SimJacker attacks against users with most popular mobile devices manufactured by Apple, Google, Huawei, Motorola, and Samsung.

According to the researchers, almost any mobile phone model is vulnerable to the SimJacker attack because it leverages a component on SIM cards and its specifications are the same since 2009.

“The Simjacker vulnerability could extend to over 1 billion mobile phone users globally, potentially impacting countries in the Americas, West Africa, Europe, Middle East and indeed any region of the world where this SIM card technology is in use.” states the post.

The researchers plan to disclose technical details of the attack at the VB2019 London conference, in October 2019.

“Simjacker represents a clear danger to the mobile operators and subscribers. This is potentially the most sophisticated attack ever seen over core mobile networks,” said Cathal McDaid, CTO, AdaptiveMobile Security in a press release. “Simjacker worked so well and was being successfully exploited for years because it took advantage of a combination of complex interfaces and obscure technologies, showing that mobile operators cannot rely on standard established defences. Now that this vulnerability has been revealed, we fully expect the exploit authors and other malicious actors will try to evolve these attacks into other areas”.

“It’s a major wake-up call that shows hostile actors are investing heavily in increasingly complex and creative ways to undermine network security. This compromises the security and trust of customers, mobile operators, and impacts the national security of entire countries.”

Security experts believe that the public disclosure of the SimJacker attack could allow threat actors to use it in operations and there is the concrete risk that that can also evolve this technique.

The experts reported their discovery to the GSM Association and the SIM alliance, the latter published a list recommendations for SIM card manufacturers. The SIMalliance recommends implementing security for S@T push messages.

Mobile operators can also mitigate the attack by analyzing and blocking suspicious messages that contain S@T Browser commands.

Pierluigi Paganini

(SecurityAffairs – SimJacker, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]