The SimJacker vulnerability resides in the S@T (SIMalliance Toolbox) Browser dynamic SIM toolkit that is embedded in most SIM cards used by mobile operators in at least 30 countries. The experts discovered that that the exploitation of the vulnerability is independent of the model of phone used by the victim.
The scary part of the story is that a private surveillance firm was aware of the zero-day flaw since at least two years and is actively exploiting the SimJacker vulnerability to spy on mobile users in several countries.
The S@T Browser application is installed on multiple SIM cards, including
Since S@T Browser implements a series of STK instructions (i.e.
The Simjacker attack involves an SMS containing commands that instruct the SIM Card in the phone to ‘take over’ the phone.
The attacker could exploit the flaw to
The experts explained that the attack is transparent for the users, the targets are not able to notice any anomaly.
“The main Simjacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands.” continues the post.
“During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully
The experts revealed that they observed SimJacker attacks against users with most popular mobile devices manufactured by Apple, Google, Huawei, Motorola, and Samsung.
According to the researchers, almost any mobile phone model is vulnerable to the SimJacker attack because it leverages a component on SIM cards and its specifications are the same since 2009.
“The Simjacker vulnerability could extend to over 1 billion mobile phone users globally, potentially impacting countries in the Americas, West Africa, Europe, Middle East and indeed any region of the world where this SIM card technology is in use.” states the post.
The researchers plan to disclose technical details of the attack at the VB2019 London conference, in October 2019.
“It’s a major wake-up call that shows hostile actors are investing heavily in increasingly complex and creative ways to undermine network security. This compromises the security and trust of customers, mobile operators, and impacts the national security of entire countries.”
Security experts believe that the public disclosure of the SimJacker attack could allow threat actors to use it in operations and there is the concrete risk that that can also evolve this technique.
The experts reported their discovery to the GSM Association and the SIM alliance, the latter published a list recommendations for SIM card manufacturers. The SIMalliance recommends implementing security for S@T push messages.
Mobile operators can also mitigate the attack by analyzing and blocking suspicious messages that contain S@T Browser commands.