SIM cards used in 29 countries are vulnerable to Simjacker attack

Security researchers at Adaptive Mobile who discovered the SimJacker issue have published the list of countries where mobile operators use flawed SIM cards.

Exactly one month ago, researchers at AdaptiveMobile Security disclosed a critical vulnerability in SIM cards dubbed SimJacker that could be exploited by remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.

The SimJacker vulnerability resides in the S@T (SIMalliance Toolbox) Browser dynamic SIM toolkit that is embedded in most SIM cards used by mobile operators in many countries. The experts discovered that that the exploitation of the vulnerability is independent of the model of phone used by the victim.

Now Adaptive Mobile published the list of countries where local mobile operators are using SIM cards affected by the Simjacker flaw, anyway the company did not name the impacted mobile phone carriers.

“This varies by country and region. From our analysis we could identify 61 Mobile Operators (excluding MVNOs) in the 29 countries that use this technology.” reads the report. “Based on public reported information the cumulative subscriber numbers of these S@T Browser-using Operators comes to ~861 million mobile connections (SIM cards).” “Not all SIM cards in the operator may use this technology. In discussions with a few operators in the LATAM region we were informed that the majority of SIM Cards (>90%) in their network had it.”

Below the full list of countries published by the experts:

Central America:
Mexcio
Guatemala
Belize
Dominican Republic
El Salvador
Honduras
Panama
Nicaragua
Costa Rica

South America:
Brazil
Peru
Colombia
Ecuador
Chile
Argentina
Uruguay
Paraguay

Africa:
Ivory Coast
Ghana
Benin
Nigeria
Cameroon

Europe:
Italy
Bulgaria
Cyprus

Asia:
Saudi Arabia
Iraq
Lebanon
Palestine

The S@T Browser application is installed on multiple SIM cards, including eSIM, as part of SIM Tool Kit (STK), it enables the SIM card to initiate actions which can be used for various value-added services.

Since S@T Browser implements a series of STK instructions (i.e. send, call, launch browser, provide local data, run command, and send data) that can be executed by sending an SMS to the phone.

The Simjacker attack involves an SMS containing commands that instruct the SIM Card in the phone to ‘take over’ the phone.

The attacker could exploit the flaw to

• Retrieve targeted device’ location and IMEI information,
• Spread mis-information by sending fake messages on behalf of victims,
• Perform premium-rate scams by dialing premium-rate numbers,
• Spy on victims’ surroundings by instructing the device to call the attacker’s phone number,
• Spread malware by forcing victim’s phone browser to open a malicious web page,
• Perform denial of service attacks by disabling the SIM card, and
• Retrieve other information like language, radio type, battery level, etc.

On October 3rd, the experts presented their research at VB2019 conference in London and they published a technical paper on the attack. The paper shows how the flaw is being exploited by threat actors and privides technical details on technologies used in the attacks.  report.

The experts explained that the attack is transparent to the users, the targets are not able to notice any anomaly.

Adaptive Mobile revealed that a private surveillance firm was aware of the zero-day flaw since at least two years and is actively exploiting the SimJacker vulnerability to spy on mobile users in several countries.

“Within the report we outline why we think it is a surveillance company that developed this exploit.” read a FAQs page published by the experts. “However, we have not named the specific company that we believe is responsible, as to do so, we would need to release some additional proof. That proof would also reveal specific methods and information that would impact our ability to protect subscribers.”

Experts also added that the vulnerability has been likely exploited by nation-state actors for targeted attacks on persons of interests.

After the flaw was publicly disclosed, the researchers at SRLabs developed an Android app, named SnoopSnitch, that can detect Simjacker-like attacks. The SnoopSnitch app only runs on rooted Android mobile phones with a Qualcomm chipset. SRLabs researchers also updated their SIMTester app to include Simjacker.

Experts at Adaptive Mobile also analyzed the impact of the recently disclosed WIBattack and explained that it impacts a smaller number of users compared with SimJacker. Experts estimated that only 8 operators in 7 countries are using SIM cards vulnerable to the attack.

“WIB is a propriety SIM card technology like S@T which reports show could also be exploited via ‘Simjacker-like’ attacks. However, it’s important to state that we haven’t seen any attacks involving WIB.” concludes the report. “The WIB technology itself seems less prevalent that the S@T Browser (see diagram below and section 7 of the report), and available publicly information doesn’t indicate that WIB has the same apparent oversight in recommended security level.”

The following graph shows the number of Vulnerable Countries & Operators for S@T Browser and WIB.

“This has important implications for all Mobile Operators if they wish to deal with attacks from threat actors like this in the future.” concludes the report.”It means that previous ways of relying on recommendations, with no operational investigation or research won’t be enough to protect the mobile network and its subscribers, and what’s worse, will give a false sense of security.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – SimJacker, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]