It’s long been speculated that it would be possible to take over a smartphone via a so-called simjacker exploit, which gains remote control of the SIM card. Security researchers have now discovered that governments have been actively using a simjacker attack for at least two years…
The attack method is as simple as sending a specially formatted text message to the target. That message won’t be displayed on the phone, but takes control of the SIM, and instructs it to reveal the location of the device — and potentially very much more.
TNW reports that the discovery was made by researchers from AdaptiveMobile Security.
Dublin-based firm AdaptiveMobile Security said the flaw — dubbed “Simjacker” — has been actively exploited for at least two years by a spyware vendor that works with governments to track individuals. The firm didn’t disclose the name of the company nor the individuals who may have been targeted in this way.
Given the attack works across all platforms, the vulnerability demonstrates the increasing sophistication of threat actors to undermine network security by taking advantage of obscure technologies.
“The attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands,” AdaptiveMobile Security said.
The TNW piece explains in detail how the attack works, but the essence of it is that SIM cards have an embedded browser that is intended for use by carriers. Essentially they can send instructions to the SIM to deliver things like ring tones. That is sent via a specially formatted SMS that is not shown to the user.
The SMS is not the regular kind, but another flavor called Binary SMS that’s used to deliver rich content, such as ringtones, telephone system settings, and WAP push text messages.
The device, upon receiving the SMS, blindly passes on the message to the SIM card without bothering to check its origin, following which the SIM card uses the S@T browser to execute the command — including requesting location and device information such as IMEI numbers.
“During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated,” the researchers said.
While the primary attack detected involved the retrieval of mobile phone locations, the scope of Simjacker has considerably widened to “perform many other types of attacks against individuals and mobile operators such as fraud, scam calls, information leakage, denial of service, and espionage.”
The attack route is particularly problematic, because it relies on core standards-based functionality which is available across all platforms, so it doesn’t matter whether you have an iPhone, Android phone, or something else.
The security firm does acknowledge that not all carriers issue SIM cards with the browser-enabled. AT&T, Sprint, and T-Mobile have all said their SIMs don’t use the browser, while Verizon issued a less definitive statement.
After originally declining to comment and only giving an answer after being pushed, Verizon says "We have no indication to believe this impacts Verizon."
— Joseph Cox (@josephfcox) September 12, 2019
However, around a billion devices worldwide are believed to be vulnerable.