A study by AdaptiveMobile Security identified several vulnerabilities in mobile operators' networks that may be used to locate users. The Weakness is called Simjacker because the attacks associated with it are carried out by exploiting the SIM card.
Experts say this vulnerability has been used by criminals for two years now and its purpose is to locate users.
The working scheme of the Simjacker attack is based on sending a simple SMS message to the victim. In the sent message, the hackers insert malicious code, which is similar to spyware. This scheme is not standard, because in the main case the link is sent in the form of an SMS to some malicious website and not the malicious code itself. Simjacker is the first real attack in which spyware is sent directly to an SMS message.
Malicious code gives the SIM card the command to "conquer" the phone and prepares it to execute various commands. All processes are carried out without the participation of the victim and he / she has no information about the notification and the processes caused. Incoming messages are not stored in the phone memory, and all commands and processes are executed in hidden mode.
After a small modification of the malicious code, the hacker can gain access not only to the location of the victim, but also make calls, send short USSD messages, hang up the SIM card, and run some single applications.
If you liked the topic give me a reaction
Countries where a SIMJACKER attack can be used
Security researchers have released a list of countries where it is possible to use a Simjacker attack.
AdaptiveMobile Security experts have published a list of countries in which it is possible to carry out a Simjacker attack. Experts say these countries sell SIM cards that are weaker against this attack and may be used during real attacks.
The essence of this attack is to obtain various necessary information about the user through the SIM card, such as the location of the object. Weakness has been used to carry out real attacks for two years now.
After a detailed analysis of the attacks, experts found that malicious code-bearing attacks revealed traces of organizations running spyware for the government.
The following countries are on the list of vulnerable operators:
For security reasons, the experts do not disclose the names of the operators.OTA SMS is sent to the user's device for the operator to adjust the network settings.
Cybersecurity researchers today revealed the existence of a new and previously undetected critical vulnerability in SIM cards that could allow remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.
Dubbed "SimJacker," the vulnerability resides in a particular piece of software, called the [email protected] Browser (a dynamic SIM toolkit), embedded on most SIM cards that is widely being used by mobile operators in at least 30 countries and can be exploited regardless of which handsets victims are using.
What's worrisome? A specific private company that works with governments is actively exploiting the SimJacker vulnerability from at least the last two years to conduct targeted surveillance on mobile phone users across several countries.
[email protected] Browser, short for SIMalliance Toolbox Browser, is an application that comes installed on a variety of SIM cards, including eSIM, as part of SIM Tool Kit (STK) and has been designed to let mobile carriers provide some basic services, subscriptions, and value-added services over-the-air to their customers.
Since [email protected] Browser contains a series of STK instructions—such as send short message, setup call, launch browser, provide local data, run at command, and send data—that can be triggered just by sending an SMS to a device, the software offers an execution environment to run malicious commands on mobile phones as well.
How Does Simjacker Vulnerability Work?
Disclosed by researchers at AdaptiveMobile Security in new research published today, the vulnerability can be exploited using a $10 GSM modem to perform several tasks, listed below, on a targeted device just by sending an SMS containing a specific type of spyware-like code.
- Retrieving targeted device' location and IMEI information,
- Spreading mis-information by sending fake messages on behalf of victims,
- Performing premium-rate scams by dialing premium-rate numbers,
- Spying on victims' surroundings by instructing the device to call the attacker's phone number,
- Spreading malware by forcing victim's phone browser to open a malicious web page,
- Performing denial of service attacks by disabling the SIM card, and
- Retrieving other information like language, radio type, battery level, etc.
"During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated," researchers explain.
"The location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users. However the Simjacker attack can, and has been extended further to perform additional types of attacks."
"This attack is also unique, in that the Simjacker Attack Message could logically be classified as carrying a complete malware payload, specifically spyware. This is because it contains a list of instructions that the SIM card is to execute."
Though the technical details, detailed paper and proof-of-concept of the vulnerability are scheduled to be released publicly in October this year, the researchers said they had observed real-attacks against users with devices from nearly every manufacturer, including Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards.
According to the researchers, all manufacturers and mobile phone models are vulnerable to the SimJacker attack as the vulnerability exploits a legacy technology embedded on SIM cards, whose specification has not been updated since 2009, potentially putting over a billion people at risk.
Simjacker Vulnerability Being Exploited in the Wild
Researchers says, the Simjacker attack worked so well and was being successfully exploited for years "because it took advantage of a combination of complex interfaces and obscure technologies, showing that mobile operators cannot rely on standard established defences."
"Simjacker represents a clear danger to the mobile operators and subscribers. This is potentially the most sophisticated attack ever seen over core mobile networks," said Cathal McDaid, CTO, AdaptiveMobile Security in a press release.
"It's a major wake-up call that shows hostile actors are investing heavily in increasingly complex and creative ways to undermine network security. This compromises the security and trust of customers, mobile operators, and impacts the national security of entire countries."
Moreover, now that this vulnerability has publicly been revealed, the researchers expect hackers and other malicious actors will try to "evolve these attacks into other areas."
Researchers have responsibly disclosed details of this vulnerability to the GSM Association, the trade body representing the mobile operator community, as well as the SIM alliance that represents the main SIM Card/UICC manufacturers.
The SIMalliance has acknowledged the issue and provided recommendations for SIM card manufacturers to implement security for [email protected] push messages.
Mobile operators can also immediately mitigate this threat by setting up a process to analyze and block suspicious messages that contain [email protected] Browser commands.
As a potential victim, it appears, there is nothing much a mobile device user can do if they are using a SIM card with [email protected] Browser technology deployed on it, except requesting for a replacement of their SIM that has proprietary security mechanisms in place.