Cybersecurity researchers have warned of a critical vulnerability in SIM cards that could allow remote attackers to compromise targeted mobile phones and spy on victims without their knowledge just by sending an SMS.
Dublin-based firm AdaptiveMobile Security said the flaw — dubbed “Simjacker” — has been actively exploited for at least two years by a spyware vendor that works with governments to track individuals. The firm didn’t disclose the name of the company nor the individuals who may have been targeted in this way.
Given the attack works across all platforms, the vulnerability demonstrates the increasing sophistication of threat actors to undermine network security by taking advantage of obscure tecnologies.
“The attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands,” AdaptiveMobile Security said.
The researchers have responsibly disclosed the flaw to GSM association (GSMA) and SIMalliance, the governing organizations overseeing mobile operators worldwide and seeking to improve the security of mobile services.
What is S@T?
The vulnerability resides in what’s called the S@T browser, embedded on most SIM cards as part of SIM Application Toolkit (STK) widely used by GSM mobile operators across the world to provide value-added services to customers.
S@T — short for SIMalliance Toolbox Browser — is a microbrowser (aka mobile browser) designed to be used on mobile devices, especially on phones that support Wireless Application Protocol (WAP), a common standard for accessing the internet since the early 2000s.
The browser — stored as an executable application on the SIM card residing inside a GSM mobile phone — offers mobile service providers an interactive means to allow users access web applications such as email, stock prices, news, and sports headlines.
With modern mobile browsers such as Chrome, Firefox, and Safari now capable of supporting full HTML web pages, WAP — and by extension S@T — has been deemed largely obsolete.
But AdaptiveMobile said it found the S@T browser technology active on mobile operators in at least 30 countries, with a combined population of over one billion. That doesn’t automatically make everyone susceptible, as it’s very much possible that mobile operators are no longer using SIM cards containing the vulnerable S@T browser.
Disclosing that the attacks are happening on a daily basis, the researchers also said a few phone numbers had been tracked hundred times over a 7-day period, implying they were high-profile targets.
How does the attack work?
At a high level, the vulnerability works by leveraging a GSM modem — available for as cheap as $10 — to send malicious messages to handsets that still use the S@T browser functionality in order to trigger specially crafted STK commands.
Here is some comment from the GSMA. It doesn’t have data on which countries were impacted (although others likely will) pic.twitter.com/itTNAXjGAH
— Joseph Cox (@josephfcox) September 12, 2019
The device, upon receiving the SMS, blindly passes on the message to the SIM card without bothering to check its origin, following which the SIM card uses the S@T browser to execute the command — including requesting location and device information such as IMEI numbers.
“During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated,” the researchers said.
While the primary attack detected involved the retrieval of mobile phone locations, the scope of Simjacker has considerably widened to “perform many other types of attacks against individuals and mobile operators such as fraud, scam calls, information leakage, denial of service and espionage.”
SIMalliance, for its part, has rolled out fresh recommendations to cellular carriers to implement additional security for S@T push messages by filtering such illegitimate binary SMSes.
As ZDNet notes, Simjacker attacks have been theorized at least since 2011. But this is the first time they have been exploited via complex techniques to enable surveillance.
“Now that this vulnerability has been revealed, we fully expect the exploit authors and other malicious actors will try to evolve these attacks into other areas,” AdaptiveMobile Security’s chief technology officer Cathal Mc Daid said.
Update on Oct. 14, 9:00 AM IST: AdaptiveMobile Security has officially disclosed that the S@T Browser technology is being used by at least 61 mobile operators in at least 29 countries, including Mexcio, Brazil, Argentina, Nigeria, Italy, Saudi Arabia, and Iraq.
“We have only detected the Simjacker vulnerability being exploited against subscribers from 3 countries – Mexico, Colombia and Peru so far,” the company said.