Jump to content

Simjacker

From Wikipedia, the free encyclopedia

Simjacker is a cellular software exploit for SIM cards discovered by AdaptiveMobile Security.[1] 29 countries are vulnerable according to ZDNet.[2] The vulnerability has been exploited primarily in Mexico, but also Colombia and Peru, according to the Wall Street Journal,[3] where it was used to track the location of mobile phone users without their knowledge.

History

[edit]

The vulnerability was discovered and reported to the GSM Association through its coordinated vulnerability disclosure process by Cathal Mc Daid of AdaptiveMobile Security in 2019.[4] It was first reported publicly on 12 September 2019.[5] A technical paper and presentation was made available at the VirusBulletin conference on 3 October 2019.[6][7]

Technical information

[edit]

The attack works by exploiting a vulnerability in a UICC/SIM card library called the S@T Browser.[8] A specially formatted binary text message is sent to the victim handset, which contains a set of commands to be executed by the S@T Browser environment in the UICC. As the S@T Browser environment has access to a subset of SIM Toolkit commands, the attackers used this vulnerability to instruct the UICC to request IMEI and location information from the handset via SIM Toolkit commands. Once this was obtained the UICC then instructs the handset to exfiltrate this information to the attackers within another text message. Other types of attacks are also possible using the S@T Browser, such as forcing a mobile device to open a webpage or to make a phone call.[9]

The attack differed from previously reported SIM card attacks as those required the SIM key to be obtained.[10] The Simjacker attack does not require a SIM key, only that the SIM card has the S@T Browser library installed on it, and that the binary messages containing the S@T Browser commands can be sent to the victim.

Simjacker was registered in the Common Vulnerabilities and Exposures database as CVE-2019-16256[11] and CVE-2019-16257,[12] and by the GSM Association in its Coordinated Vulnerability Disclosure process as CVD-2019-0026[13]

Impact

[edit]

The vulnerability was estimated to affect UICCs in at least 61 mobile operators in 29 countries, with estimates between a few hundred million to over a billion[14] SIM cards affected. The researcher reported that the most probable, conservative estimate is that mid to high hundreds of millions of SIM cards globally are affected.[15]

The vulnerability was being actively exploited primarily in Mexico, with thousands of mobile phone users being tracked by a surveillance company over the previous 2 years using this exploit.[16]

Mitigation

[edit]

Mobile phone users can use a tool from SRLabs to see if their SIM card is vulnerable.[17]

References

[edit]
  1. ^ Goodin, Dan (2019-09-12). "Hackers are exploiting a platform-agnostic flaw to track mobile phone locations". Ars Technica. Retrieved 2021-03-15.
  2. ^ Cimpanu, Catalin. "These are the 29 countries vulnerable to Simjacker attacks". ZDNet. Retrieved 2021-03-15.
  3. ^ Olson, Parmy (2019-09-13). "Hackers Use Spyware to Track SIM Cards". Wall Street Journal. ISSN 0099-9660. Retrieved 2021-07-28.
  4. ^ "GSMA Mobile Security Research Acknowledgements". Security. Retrieved 2021-07-28.
  5. ^ "Simjacker – Next Generation Spying Over Mobile | Mobile Security News | AdaptiveMobile". blog.adaptivemobile.com. 11 September 2019. Retrieved 2021-07-28.
  6. ^ "Simjacker Technical Paper". www.adaptivemobile.com. Retrieved 2021-07-28.
  7. ^ "Virus Bulletin :: Simjacker - the next frontier in mobile espionage". www.virusbulletin.com. Retrieved 2021-07-28.
  8. ^ "Simjacker - Frequently Asked Questions and Demos | Mobile Security News | AdaptiveMobile". blog.adaptivemobile.com. 11 September 2019. Retrieved 2021-07-28.
  9. ^ "Virus Bulletin :: Simjacker - the next frontier in mobile espionage". www.virusbulletin.com. Retrieved 2021-07-28.
  10. ^ Black Hat 2013 - Rooting SIM Cards, 19 November 2013, retrieved 2021-07-28
  11. ^ "NVD - CVE-2019-16256". nvd.nist.gov. Retrieved 2021-07-28.
  12. ^ "NVD - CVE-2019-16257". nvd.nist.gov. Retrieved 2021-07-28.
  13. ^ "GSMA Mobile Security Research Acknowledgements". Security. Retrieved 2021-07-28.
  14. ^ September 2019, Anthony Spadafora 13 (2019-09-13). "Simjacker attack could affect a billion smartphones". TechRadar. Retrieved 2021-07-28.{{cite web}}: CS1 maint: numeric names: authors list (link)
  15. ^ "Simjacker - VB2019 Presentation" (PDF).
  16. ^ "Majority of Simjacker Attacks Aimed at Mobile Phones in Mexico | SecurityWeek.Com". www.securityweek.com. Retrieved 2021-07-28.
  17. ^ "New SIM attacks de-mystified, protection tools now available". www.srlabs.de. Retrieved 2021-07-28.
[edit]