Researchers at AdaptiveMobile Security are sounding the alarm about a major vulnerability in mobile sim cards. Dubbed “Simjacker” by the researchers in their dedicated webpage on the issue, the vulnerability opens up roughly 1 billion mobile users to spying from governments. These users are in numerous parts of the globe, spanning nearly every continent. Simjacker is being leveraged by currently unidentified governments through an unnamed private company that initiates the attack via SMS messaging.
The specific vulnerability that Simjacker targets is roughly two years old and is directly related to the S@T Browser. AdaptiveMobile Security describes the exploit as follows:
The attacks exploit the ability to send SIM Toolkit Messages and the presence of the S@T Browser on the SIM card of vulnerable subscribers. (The S@T Browser is normally used for browsing through the SIM card.) The Attack messages use the S@T Browser functionality to trigger proactive commands that are sent to the handset. The responses to these commands are sent back from the handset to the SIM card and stored there temporally. Once the relevant information is retrieved from the handset, another proactive command is sent to the handset to send an SMS out with the information.
The way the Simjacker attack works is the company, under direction from nation-states, sends an SMS that contains spyware. The spyware then, according to researchers, “instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands.” The commands include forcing the infected phone to reveal sensitive data (such as location data), join a botnet for DDoS attacks, spread malware, and intercept calls.
With the billion users overwhelmingly being civilians, this Simjacker situation eerily feels like Edward Snowden’s whistleblowing about the NSA’s PRISM program all over again. Information is what Big Brother craves, and with it not being known just how many governments are involved, this could be one of the biggest espionage operations ever conducted through exploiting mobile vulnerabilities. AdaptiveMobile Security feels that they have merely hit the tip of the iceberg with this Simjacker discovery, and honestly, they are likely correct.
The effects of Simjacker will be monitored closely and any relevant updates will be reported on.
Featured image: Flickr / Jinx!
