- The attack works on SIM cards which use a legacy technology called S@T Browser.
- The S@T Browser includes 4 different protocols, one of which does not have any security level associated with it.
A new vulnerability named Simjacker is believed to impact hundreds of millions of SIM cards provided by roughly 61 different mobile operators. The vulnerability can allow remote attackers to compromise targeted mobile phones and spy on victims without their knowledge.
Where does the problem lie?
Identified by researchers from AdaptiveMobile Security, the vulnerability is being heavily exploited against subscribers in three countries - Mexico, Colombia, and Peru.
The attack works on SIM cards which use a legacy technology called S@T Browser. This S@T Browser is used by at least 61 mobile operators in 29 different countries. Researchers note that the technology is widely used by operators despite not being updated since 2009.
The S@T Browser includes 4 different protocols, one of which does not have any security level associated with it.
“The commands used in these attacks: Push messages, didn’t have any security level associated with them. This lack of a recommendation or specification meant that no security was associated with these commands in practice and that any source could send S@T Browser messages, that would run on the SIM card with no authentication,” researchers explained.
What devices are impacted?
All Android, iOS, and IoT devices embedded with the SIM card technology - S@T Browser - are vulnerable to Simjacker.
How is the vulnerability exploited?
- The vulnerable S@T Browser is exploited via specific SMSs called SIM OTA SMS. The S@T Browser processes special SIM Toolkit (STK) instructions contained in SMS messages.
- An SMS containing a particular kind of malicious code or specially crafted message is sent to a mobile phone, which then instructs the universal integrated circuit card (UICC) or SIM card inside the phone.
- Once the message, which is a set of instructions, is executed by the SIM card within the subscriber’s mobile handset, it retrieves several pieces of sensitive information.
- This specially crafted message can be used to instruct the device to play a tone, send text messages, make phone calls, provide system information, launch a web browser, share geographical information and exfiltrate data.
Who is behind the attack?
The vulnerability is currently exploited in several regions in South and Central America, a small part of West Africa, Italy, Bulgaria, and the Middle East.
AdaptiveMobile Security has uncovered that a specific SS7 threat actor group, which works with the government to monitor the activities of individuals, is behind the attack. The group is responsible for executing worldwide attacks on targets from multiple countries over the SS7 network.
Researchers indicate that the group has been active since at least 2015.
What is being done to block the attack?
AdaptiveMobile, along with the GSM Association (GSMA), has provided specific information to prevent and block these attacks. In addition, the SIMalliance has made some updates for the S@T Browser to improve the security of the application.
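
One way a network-side filter can recognise the SIM OTA SMS described above, as an added example that is not from AdaptiveMobile, the GSMA or the original article: it parses the SMS-DELIVER header and blocks SIM data-download messages unless they come from the operator's own OTA platform. The TP-PID, TP-DCS and UDH values come from 3GPP TS 23.040 rather than from this page, and the sample TPDUs, sender numbers and allowlist are constructed for illustration.

```python
# Added example (defender side): classify SMS-DELIVER TPDUs at a filtering point.
# Field layout and constants follow 3GPP TS 23.040; they are not quoted on the page.
PID_USIM_DATA_DOWNLOAD = 0x7F      # TP-PID value "(U)SIM Data download"
OTA_ALLOWLIST = {"15550100"}       # hypothetical address of the operator's own OTA platform

# Constructed TPDUs (no SMSC prefix, numeric senders, dummy payload bytes).
SAMPLES = {
    "text":      "0408915155103200009190210100000002E834",
    "ota_rogue": "440891515510997FF691902101000000050270000000",
    "ota_own":   "440891515510007FF691902101000000050270000000",
}

def is_class2_8bit(dcs):
    """True when TP-DCS means 8-bit data, class 2 ((U)SIM-specific message)."""
    if dcs & 0xF0 == 0xF0:                       # "data coding / message class" group
        return dcs & 0x07 == 0x06
    if dcs & 0xC0 == 0x00:                       # general data coding group
        return dcs & 0x1F == 0x16                # class present, 8-bit alphabet, class 2
    return False

def parse_deliver(tpdu_hex):
    """Return sender, TP-PID, TP-DCS and UDH element ids of an SMS-DELIVER TPDU."""
    b = bytes.fromhex(tpdu_hex)
    if len(b) < 2 or b[0] & 0x03 != 0x00:        # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    digits = b[1]                                # TP-OA length is counted in digits
    pos = 3 + (digits + 1) // 2                  # first octet, OA length, type-of-address, BCD
    if len(b) < pos + 10:                        # PID, DCS, 7-octet timestamp, UDL
        raise ValueError("truncated TPDU")
    sender = "".join(f"{o & 0x0F:X}{o >> 4:X}" for o in b[3:pos])[:digits]
    ud, ieis = b[pos + 10:], []
    if b[0] & 0x40 and ud:                       # TP-UDHI: user data starts with a header
        udh, i = ud[1:1 + ud[0]], 0
        while i + 1 < len(udh):
            ieis.append(udh[i])
            i += 2 + udh[i + 1]
    return {"sender": sender, "pid": b[pos], "dcs": b[pos + 1], "udh_iei": ieis}

def classify(tpdu_hex):
    """'pass' for ordinary SMS, 'allow-ota' or 'block' for SIM data-download SMS."""
    m = parse_deliver(tpdu_hex)
    secured = any(0x70 <= i <= 0x7F for i in m["udh_iei"])   # (U)SIM Toolkit security header
    to_sim = m["pid"] == PID_USIM_DATA_DOWNLOAD and is_class2_8bit(m["dcs"])
    if not (to_sim or secured):
        return "pass"
    return "allow-ota" if m["sender"] in OTA_ALLOWLIST else "block"

if __name__ == "__main__":
    for name, tpdu in SAMPLES.items():
        print(name, classify(tpdu))
```

The sender check only handles numeric originating addresses, and an originating address can be spoofed, so a production filter would also key on the ingress link the message arrived over.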