
AdaptiveMobile Security (a company that provides cyber security services to the telecoms industry) yesterday announced the discovery of a major and previously undetected security loophole in SIM cards that allows remote attackers to hijack and spy on targeted mobile phone users just by sending an SMS. The loophole and its associated attacks have been named Simjacker. The loophole is believed to have been actively exploited for at least the last 2 years to carry out covert surveillance attacks on victims in multiple countries.
How does the Simjacker loophole work?
The attack stems from an application on SIM cards called S@T Browser (SIMalliance Toolbox Browser). This technology is designed to allow mobile carriers (such as MTN, Glo, O2, etc.) to provide basic services, value-added services and subscriptions over-the-air to their customers, including opening a browser on the phone as well as other functions such as setting up calls, playing ring tones and more. The attack begins when a text message (the attack message) is sent to the targeted mobile phone. During the attack, the user is completely unaware that a malicious text message was received and that information was retrieved and sent outwards; there is no indication in the SMS inbox or outbox.

We are quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals. This same company also has extensive access to the SS7 and Diameter core network, as we have seen some of the same Simjacker victims being targeted using attacks over the SS7 network as well, with SS7 attack methods being used as a fall-back method when Simjacker attacks do not succeed.
The S@T Browser application on the SIM card offers an execution environment to run malicious commands on mobile phones. According to AdaptiveMobile Security researchers, Simjacker could be further exploited to perform many other types of attacks against individuals and mobile operators such as:
- Disinformation campaigns (by sending SMS/MMS with attacker controlled content)
- Fraud (using the hijacked SIM to scam others)
- Espionage (an attacked device could function as a listening device, by ringing a number)
- Malware spreading (by forcing a browser to open a web page with malicious content)
- Denial of service (by disabling the SIM card)
- Information retrieval (retrieve other information like language, radio type, battery level etc.)
How can we mitigate these kinds of attacks?
To mitigate the attack, SIM card manufacturers are advised to implement security for S@T push messages. Mobile network operators are generally advised to set up a process to analyze and block suspicious messages that contain S@T Browser commands. AdaptiveMobile Security noted that they have been working with their mobile operator customers (which include MTN, AT&T and 3) to block these attacks.
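As an added illustration of the operator-side filtering recommended above (not AdaptiveMobile's or any carrier's code), the following Python flags SMS PDUs that are marked for delivery to the SIM rather than the handset, the transport SIM Toolkit push messages such as S@T ride on, and treats any such message from a sender other than the operator's own OTA gateway as suspicious. The PDU builder, the allow-listed gateway number, the sender numbers and the payload bytes are constructed for the example.

```python
# Constructed example: flag SMS-DELIVER PDUs addressed to the (U)SIM (SMS-PP data
# download) and treat those from anyone but an allow-listed OTA gateway as suspicious.
PID_SIM_DATA_DOWNLOAD = 0x7F   # TP-PID "(U)SIM data download", 3GPP TS 23.040
DCS_CLASS_SIM = 2              # TP-DCS message class 2 "(U)SIM specific", TS 23.038


def dcs_message_class(dcs: int):
    """Message class (0-3) encoded in TP-DCS, or None when no class is given."""
    if dcs >> 6 == 0:                      # general data coding group 00xx xxxx
        return dcs & 0x03 if dcs & 0x10 else None
    if dcs & 0xF0 == 0xF0:                 # data coding/message class group 1111 xxxx
        return dcs & 0x03
    return None

def _swap_nibbles(hexdigits: str) -> str:
    return "".join(hexdigits[i + 1] + hexdigits[i] for i in range(0, len(hexdigits), 2))

def parse_sms_deliver(pdu: bytes) -> dict:
    """Header fields of an SMS-DELIVER TPDU (3GPP TS 23.040, no SMSC prefix)."""
    first = pdu[0]
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    oa_digits = pdu[1]                     # originating address length in digits
    oa_len = (oa_digits + 1) // 2          # octets of BCD digits after the TOA byte
    origin = _swap_nibbles(pdu[3:3 + oa_len].hex())[:oa_digits]
    pos = 3 + oa_len
    return {"origin": origin, "udhi": bool(first & 0x40), "pid": pdu[pos],
            "dcs": pdu[pos + 1], "udl": pdu[pos + 9], "ud": pdu[pos + 10:]}

def classify(pdu: bytes, trusted_ota_senders=frozenset()) -> str:
    """'text' (handset-bound), 'ota-trusted' or 'ota-suspicious' (SIM-bound)."""
    h = parse_sms_deliver(pdu)
    sim_bound = (h["pid"] == PID_SIM_DATA_DOWNLOAD
                 or dcs_message_class(h["dcs"]) == DCS_CLASS_SIM)
    if not sim_bound:
        return "text"
    return "ota-trusted" if h["origin"] in trusted_ota_senders else "ota-suspicious"

def build_sms_deliver(origin: str, pid: int, dcs: int, payload: bytes) -> bytes:
    """Minimal SMS-DELIVER TPDU with an international origin; timestamp zeroed."""
    digits = origin + ("F" if len(origin) % 2 else "")
    return (bytes([0x04, len(origin), 0x91]) + bytes.fromhex(_swap_nibbles(digits))
            + bytes([pid, dcs]) + bytes(7) + bytes([len(payload)]) + payload)

OTA_GATEWAY = "12345678901"    # constructed allow-list entry for the operator's OTA platform
SAMPLES = {                    # constructed PDUs; payload bytes are placeholders
    "greeting": build_sms_deliver("447700900123", 0x00, 0x00, b"hello"),
    "operator_push": build_sms_deliver(OTA_GATEWAY, 0x7F, 0xF6, bytes.fromhex("0a0b0c")),
    "unknown_push": build_sms_deliver("447700900999", 0x7F, 0xF6, bytes.fromhex("0a0b0c")),
}
```

In a real SMSC filter the allow-list would hold the operator's OTA platform addresses and flagged messages would be held for inspection of their secured-packet headers rather than dropped blindly.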
For high-risk mobile phone users, it's important to find out whether you are using a SIM card with S@T Browser technology deployed in your network. If that is the case, then there is not much you can do except request a SIM replacement that has proprietary security mechanisms in place.