Simjacker: The Next Generation of Security Vulnerability
AdaptiveMobile Security sent shock waves through the IT and security communities by announcing the discovery of a brand-new form of high-tech crime they are calling Simjacker. In a blog post on Sept. 12, AdaptiveMobile Security says, “Simjacker and its associated exploits is a huge jump in complexity and sophistication compared to attacks previously seen over mobile core networks. It represents a considerable escalation in the skillset and abilities of attackers seeking to exploit mobile networks (McDaid, 2019).”
A Simjacker attack involves sending an SMS containing a unique kind of spyware code sent to a victim’s mobile phone. Simjacker’s code instructs the phone’s SIM card (UICC) to take over the phone, to perform commands, and retrieve sensitive information.
The authors of the report believe that the Simjacker vulnerability has been exploited for at least the last two years by an extremely sophisticated actor in multiple countries, primarily for surveillance. The new attack is highly technical. The researchers inform the public about how it works by explaining:
“The attack begins when a SMS - that we term the Simjacker ‘Attack Message’ - is sent to the targeted handset. This Simjacker Attack Message, sent from another handset, a GSM Modem or a SMS sending account connected to an A2P account, contains a series of SIM Toolkit (STK) instructions, and is specifically crafted to be passed on to the UICC/eUICC (SIM Card) within the device. In order for these instructions to work, the attack exploits the presence of a particular piece of software, called the S@T Browser - that is on the UICC. Once the Simjacker Attack Message is received by the UICC, it uses the S@T Browser library as an execution environment on the UICC, where it can trigger logic on the handset (McDaid, 2019).”
The Simjacker spyware code running on a SIM card most commonly retrieves the victim’s location and specific device information (also known as IMEI). Simjacker then collates the information and sends the data back to a recipient number that the attacker can access remotely by phone. Under most circumstances, the user is entirely unaware that they received or sent SMS to the attacker in their SMS inbox or outbox.
AdaptiveMobile Security explains some of Simjacker’s technical details by saying, “Specific SMS messages targeting UICC (SIM) cards have been demonstrated before on how they could be exploited for malicious purposes. The Simjacker attack takes a different approach, and greatly simplifies and expands the attack by relying on the S@T Browser software as an execution environment. The S@T (pronounced sat) Browser – or SIMalliance Toolbox Browser to give it its full name – is an application specified by the SIMalliance, and can be installed on a variety of UICC (SIM cards), including eSIMs (McDaid, 2019).”
The S@T Browser software is a legacy technology that was designed to enable features like accessing an account balance on a SIM card during the flip-phone era. The software has not been updated since 2009 and has since been surpassed by many newer technologies released during the 3G and 4G eras.
Similar to other legacy technologies, it remains unused but runs in the background of most phones. The authors of the Simjacker report say that the S@T protocol is being used by mobile phone companies in over 30 countries, affecting over a billion mobile phone users worldwide.
The authors emphasize the leap that Simjacker attacks have made compared to other kinds of malware. They say that Simjacker could be the first real-life case of malware sent within an SMS. Previous generations of attacks involved sending links to malware, but with Simjacker the malware is in the SMS itself.
By modifying the attack message in the SMS, Simjacker can instruct SIM cards to execute other types of attacks by having access to STK command sets. The Simjacker report names the following STK commands as:
- Play Tone
- Send Short Message
- Set Up Call
- Send USSD: Unstructured Supplementary Service Data (USSD is a Global System for Mobile (GSM) communication technology that is used to send text between a mobile phone and an application program in the network. USSD is similar to Short Messaging Service (SMS), but, unlike SMS, USSD transactions occur during the session only (Rouse, 2007).
- Provide Local Information (Location Information, IMEI, Battery, Network Language, etc.)
- Send DTMF Command: DTMF (dual tone multi frequency) is the signal to the phone company that you generate when you press an ordinary telephone's touch keys. In the United States and it's known as "Touchtone" phone (formerly a registered trademark of AT&T). DTMF has generally replaced loop disconnect ("pulse") dialling (Rouse, 2005).
- Launch Browser
The researchers used these commands in their own tests and were able to open web browsers, make calls, and send text messages. They say that Simjacker attacks could be used for:
- Mis-information (e.g., by sending SMS/MMS messages with attacker-controlled content)
- Fraud (e.g., by dialing premium-rate numbers),
- Espionage (as well as the location retrieving attack an attacked device it could function as a listening device, by ringing a number),
- Malware spreading (by forcing a browser to open a web page with malware located on it)
- Denial of service (e.g., by disabling the SIM card)
- Information retrieval (retrieve other information like language, radio type, battery level, etc.)
The report says that the attacks work independently of handset types because the code targets the SIM (UICC) and not the device. Researchers were able to successfully retrieve the user’s location from nearly every device manufacturer, including Apple, Google, Samsung, Huawei, Motorola, and ZTE.
AdaptiveMobile Security says that Simjacker was developed by an unidentified private company that works with national governments to monitor individuals. They say that the private company has extensive access to the SS7 and Diameter core network, claiming to have seen phone numbers from serval countries being targeted in Simjacker attacks. The authors say that in one country alone, 100-150 specific individual phone numbers are being targeted per day.
To help solve the Simjacker vulnerability, the researchers have taken several steps and given recommendations that include:
- Communication with the GSM Association (the trade body representing the mobile operator community) about the existence of the Simjacker vulnerability. The vulnerability has been managed through the GSMA CVD program, allowing information to be shared throughout the mobile community.
- Information was also shared with the SIM alliance (a trade body representing the main SIM Card/UICC manufacturers). The SIM alliance has since made new security recommendations for the S@T Browser technology.
- Recommendations include asking mobile operators to analyze and block suspicious messages that contain S@T Browser commands.
- Other recommendations include getting mobile operators to change the security settings of SIM cards (UICCs) in the field remotely, or even uninstall and stop using the S@T Browser technology completely.
- As the attackers have expanded their abilities beyond simply exploiting unsecured networks, to now cover a very complex mix of protocols, execution environments and technologies to launch attacks with, operators will also need to increase their own abilities and investment in detecting and blocking these attacks.
- For mobile operators, this also means that relying on existing recommendations will not be sufficient to protect themselves, as attackers like these will always evolve to try to evade what is put in place. Instead, mobile operators will need to continually investigate suspicious and malicious activity to discover ‘hidden’ attacks.
McDaid, C. (September 12, 2019). Simjacker – Next Generation Spying Over Mobile. AdaptiveMobile Security. Retrieved from https://www.adaptivemobile.com/blog/simjacker-next-generation-spying-over-mobile
Rouse, M. (2005). What Is Dtmf (Dual Tone Multi Frequency)? SearchNetworking. Retrieved from https://searchnetworking.techtarget.com/definition/DTMF
Rouse, M. (2007). What Is USSD (Unstructured Supplementary Service Data)? SearchNetworking. Retrieved from https://searchnetworking.techtarget.com/definition/USSD
If you are based in Canada and looking for a Canadian Bitcoin exchange, then take a look at NDAX. NDAX is an easy-to-use, beginner-friendly exchange that can give you easy access to trade Bitcoin and other cryptocurrencies like Ethereum, Ripple, Litecoin, Cardano, Dogecoin, EOS and Stellar.