Security Red Alert: How Simjacker Puts Billions of Mobile Devices At The Mercy Of Hackers

In the past, we have seen SIM jacking attacks, where a hacker impersonates a targeted victim to take over the victim's cell phone number, which can then be used to access the victim's unprotected assets. Now, however, cybersecurity researchers at AdaptiveMobile Security have identified a critical vulnerability in SIM cards that could allow remote attackers to compromise targeted mobile phones and spy on victims without their knowledge, just by sending an SMS. The vulnerability has been named 'Simjacker'. The difference between SIM jacking and the Simjacker vulnerability is that the former is a process that involves impersonating individuals using their SIM card information, whereas Simjacker is a flaw in software on the SIM card itself. AdaptiveMobile Security says this vulnerability has been exploited for at least the last 2 years by a highly sophisticated threat actor in multiple countries, primarily for the purposes of surveillance.


How Is The Attack Carried Out?


The Simjacker attack involves an SMS containing a particular kind of malicious code being sent to a mobile phone; this code instructs the universal integrated circuit card (UICC), or SIM card, inside the phone to take control of the handset in order to retrieve sensitive information and execute commands. The attack starts when a Simjacker Attack Message is pushed to a targeted handset from another remote device. The message contains a series of SIM Toolkit (STK) instructions specifically designed to be passed on to the SIM card within the device. In order for these instructions to work, the attack exploits a kind of software called the S@T Browser, which is found on the SIM card. Once the Simjacker Attack Message is received by the SIM card, it uses the S@T Browser library as an execution environment on the SIM card, from where it can trigger logic on the handset.


For the main attack, the Simjacker code running on the SIM card requests location and specific device information (the IMEI) from the handset. Once this information is retrieved, the Simjacker code running on the SIM card collects it and sends the combined information to a remote phone controlled by the attacker, again by triggering logic on the handset. During the attack, the user is completely unaware that they received the SMS with the Simjacker Attack Message, that information was retrieved, and that it was sent outwards, as there is no indication in any SMS inbox or outbox. By using the same technique, and by modifying the SMS, the attackers can instruct the SIM card to execute an array of other types of attacks. In their own tests, researchers at AdaptiveMobile Security were able to use these commands to make targeted handsets open web browsers, ring other phones, send text messages and so on. The researchers found that attackers can perform malicious activities such as opening a browser and redirecting it to malicious web pages in order to install malware on the phone.


Image Source: AdaptiveMobile Security

What May Be The Impact?


In theory, all makes and models of mobile phones are open to attack, as the vulnerability is linked to a technology embedded on SIM cards. The Simjacker vulnerability could extend to over 1 billion mobile phone users globally, potentially impacting countries in the Americas, West Africa, Europe, the Middle East and indeed any region of the world where this SIM card technology is in use. Many of its attacks seem to work independently of handset type, as the vulnerability depends on the software on the SIM card and not on the device.


Cathal McDaid, Chief Technology Officer of AdaptiveMobile Security explained, “Simjacker represents a clear danger to the mobile operators and subscribers. This is potentially the most sophisticated attack ever seen over core mobile networks. It’s a major wake-up call that shows hostile actors are investing heavily in increasingly complex and creative ways to undermine network security. This compromises the security and trust of customers, mobile operators and impacts the national security of entire countries.”


Who’s Behind The Attack?


This vulnerability is currently being actively exploited by a specific private company that works with governments to monitor a specific set of individuals. AdaptiveMobile Security has also found that the same company has extensive access to SS7 tools, as some of the same Simjacker victims were being targeted using attacks over the SS7 network as well, with SS7 attack methods being used as a fall-back when Simjacker attacks do not succeed, AdaptiveMobile Security reported. SS7, known as Signalling System 7, is a set of signalling protocols which make sure that the network provider knows to which SIM it should send the signals. In 2014, SS7 protocols became more widely known when it was found that the NSA was involved in exploiting the weaknesses of SS7 protocols to track and trace mobile data belonging to millions of US citizens.


“We are quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals. Based on previous intelligence, it is likely that these attacks originated from a surveillance company which works with governments, to track and monitor individuals; bypassing existing signalling protection. Using our collection of Signalling Intelligence (SIGIL) we were able to correlate this Simjacker-related SS7 activity with a group we have already detected attempting to attack targets via SS7 means around the world,” Cathal McDaid, CTO of AdaptiveMobile Security, stated.


Legacy S@T Browser On The SIM Card Is To Be Blamed


While it has been demonstrated in the past how specific SMS messages targeting SIM cards could be exploited for malicious purposes, the Simjacker attack takes a different approach, and greatly simplifies and expands the attack by relying on the S@T Browser, or SIMalliance Toolbox Browser, an application specified by the SIMalliance that can be installed on a variety of SIM cards, including eSIMs. This S@T Browser software is not well known, is quite old, and its initial purpose was to enable services such as getting your account balance through the SIM card. Globally, its function has been mostly superseded by other technologies, and its specification has not been updated since 2009; however, like many legacy technologies, it is still being used while remaining in the background. In this case, the researchers observed the S@T protocol being used by mobile operators in at least 30 countries whose cumulative population adds up to over a billion people, so a sizeable number of people are potentially affected. It is also highly likely that additional countries have mobile operators that continue to use the technology on specific SIM cards.


Overview


Simjacker and its associated exploits are a huge jump in complexity and sophistication compared to attacks previously seen over mobile core networks. AdaptiveMobile Security recommends that the immediate response from mobile operators be to analyse and block suspicious messages that contain S@T Browser commands. According to AdaptiveMobile Security analysts, mobile operators can also change the security settings of SIMs or even uninstall and stop using the S@T Browser technology completely, but this may be slower and considerably more difficult to do. Simjacker also means that mobile operators will need to constantly investigate suspicious and malicious activity to discover hidden attacks. Operators will also need to increase their own abilities and investment in detecting and blocking these attacks, as the attackers have expanded their capabilities beyond simply exploiting unsecured networks to now cover a very complex mix of protocols, execution environments and technologies.
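As an added illustration of the first-line mitigation above (this is example code, not from the article or from AdaptiveMobile Security), the following Python triage flags SIM-bound binary SMS, the carrier for STK instructions like those Simjacker uses, when they do not originate from the operator's own OTA platform. It keys on the TP-PID value for (U)SIM Data Download (0x7F) and the Data Coding Scheme for 8-bit class 2 (SIM-specific) messages from 3GPP TS 23.040 / TS 23.038; the sender allowlist and the sample records are assumptions constructed for the example.

```python
# Added example (not the article's or AdaptiveMobile Security's code): triage of
# SMS metadata to surface SIM-bound binary messages from unexpected senders.
from dataclasses import dataclass

# 3GPP TS 23.040: TP-PID 0x7F marks an SMS as (U)SIM Data Download.
TP_PID_SIM_DATA_DOWNLOAD = 0x7F

# Assumed allowlist of the operator's own OTA platform senders (placeholder values).
OPERATOR_OTA_SENDERS = {"+100000001", "OTAPLATFORM"}


@dataclass
class SmsRecord:
    sender: str
    target: str
    tp_pid: int
    tp_dcs: int
    user_data: bytes   # raw payload; not decoded here


def dcs_is_class2_binary(dcs: int) -> bool:
    """True if the DCS (3GPP TS 23.038) says 8-bit data, message class 2 (SIM-specific)."""
    group = dcs >> 4
    if group <= 0x3:   # general coding group: bit 4 = class present, bits 3-2 = alphabet
        return bool(dcs & 0x10) and ((dcs >> 2) & 0x3) == 0x1 and (dcs & 0x3) == 0x2
    if group == 0xF:   # data coding / message class group: bit 2 = 8-bit, bits 1-0 = class
        return bool(dcs & 0x04) and (dcs & 0x3) == 0x2
    return False


def is_sim_bound(rec: SmsRecord) -> bool:
    return rec.tp_pid == TP_PID_SIM_DATA_DOWNLOAD or dcs_is_class2_binary(rec.tp_dcs)


def triage(records):
    """Return (target, sender, reason) alerts for SIM-bound SMS not sent by the operator's OTA platform."""
    alerts = []
    for rec in records:
        if not is_sim_bound(rec) or rec.sender in OPERATOR_OTA_SENDERS:
            continue
        reason = ("TP-PID 0x7F" if rec.tp_pid == TP_PID_SIM_DATA_DOWNLOAD
                  else f"DCS 0x{rec.tp_dcs:02X}")
        alerts.append((rec.target, rec.sender, reason))
    return alerts


# Constructed sample traffic: a legitimate OTA update, an ordinary text, two suspicious binary SMS.
SAMPLE = [
    SmsRecord("OTAPLATFORM", "+15550001", 0x7F, 0xF6, b"\x00\x01"),
    SmsRecord("+15550002", "+15550001", 0x00, 0x00, b"hello"),
    SmsRecord("+447000000000", "+15550001", 0x7F, 0xF6, b"\x00\x01"),
    SmsRecord("+447000000000", "+15550003", 0x00, 0x16, b"\x00\x01"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

In production the same check would run on the SMSC or a signalling firewall, with the allowlist fed from the operator's real OTA platform addresses and the flagged payloads passed on for S@T command inspection.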

