This post should not be confused with my earlier article about SIM-jacking, and it should be taken far more seriously. Researchers at AdaptiveMobile Security recently went public with a new and silent threat they call Simjacker. What makes it more serious is that the attack is advanced, exploits a flaw in software shipped on SIM cards themselves rather than in the handset, requires minimal or no user interaction, and leaves no trace on the targeted device that the user could notice.
Sparing most of the technical detail, the attack starts with the threat actor crafting a special binary SMS addressed to the victim's SIM card rather than to the phone's messaging application. When the handset receives it, the message is handed to the S@T Browser, an application that lives on the SIM card itself. The S@T Browser is essentially an interpreter for a set of commands stored on the SIM, which means those preloaded commands are readily available to whoever can reach it by SMS. Once the SIM has processed the message, the attacker uses the S@T Browser's command library to trigger further malicious actions, such as having the phone report its IMEI and location and sending that information back out in an SMS. Worth noting is that the SIM card operates independently of the handset, so messages sent this way never appear in the user's messaging inbox.
AdaptiveMobile Security's researchers have claimed that this may be the first real-life case of malware being sent via SMS. Previous SMS-borne malware was really phishing: a message linking unsuspecting victims to an attacker-controlled web server that then delivered the malicious content. In Simjacker's case, the payload is carried inside the SMS itself. ZDNet notes that the tactic was known in theory as far back as 2011, when Romanian security researcher Bogdan Alecu first described how these SIM commands could be abused.
Because the flaw lives in the SIM rather than in the handset, affected devices span the major brands (Apple, Samsung, Google and others). The threat was identified in 30 countries whose combined population exceeds 1 billion people. ZDNet reports that a source told them the targeted countries lie mainly in the Middle East and North Africa (MENA) region, with some in Asia and Eastern Europe.
As for blocking the attack, the researchers propose disabling S@T Browser functionality altogether; it is close to obsolete anyway, and its specification has not been updated since 2009. After the researchers reported the issue to SIMalliance, the body that specified this application, SIMalliance also proposed a few fixes. One is to block illegitimate binary SMS messages at the network level, before they ever reach a subscriber's SIM. Another is to secure the SIM card by configuring a Minimum Security Level for the receiving application: the SIM then rejects incoming secured packets whose security parameters (integrity check, encryption, replay counter) fall below the configured minimum, so command packets that arrive without authentication are dropped. You can read more about this on page 8 of this technical specification paper.
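As an added illustration, and not code from AdaptiveMobile, SIMalliance or the original post, the following Python sketches both of the checks above in one place: recognising a (U)SIM data download message at the network side (TP-PID 0x7F with a class 2, 8-bit TP-DCS, per 3GPP TS 23.040) and applying a Minimum Security Level to the ETSI TS 102 225 command packet carried in its user data. The three sample TPDUs, the TAR value B0 01 02, the key indicators and the checksum bytes are constructed placeholders, and the MSL comparison (each SPI field at least as strong as the corresponding MSL field) is a simplified reading of the specification rather than its exact rule.

```python
# Added example (not AdaptiveMobile's or SIMalliance's code). Two checks against
# Simjacker-style binary SMS:
#   1. network side: recognise an SMS-DELIVER addressed to the (U)SIM
#      (TP-PID 0x7F "(U)SIM data download" + TP-DCS class 2, 8-bit data);
#   2. card side: parse the ETSI TS 102 225 command packet in the user data and
#      compare its Security Parameter Indicator (SPI) with a Minimum Security Level.
# Sample TPDUs, TAR, key indicators and checksum bytes are constructed placeholders;
# the MSL comparison is a simplified reading of the spec (an assumption).
from dataclasses import dataclass

SIM_DATA_DOWNLOAD_PID = 0x7F   # TP-PID value for (U)SIM data download (3GPP TS 23.040)


def is_class2_8bit(dcs: int) -> bool:
    """TP-DCS says: 8-bit data, message class 2 (SIM specific), in either coding group."""
    if dcs >> 6 == 0b00:                    # general data coding group
        return bool(dcs & 0x10) and (dcs >> 2) & 0b11 == 0b01 and dcs & 0b11 == 2
    if dcs >> 4 == 0b1111:                  # data coding / message class group
        return bool(dcs & 0x04) and dcs & 0b11 == 2
    return False


@dataclass
class SmsDeliver:
    udhi: bool          # user-data header present
    originating: str    # TP-OA digits
    pid: int            # TP-PID
    dcs: int            # TP-DCS
    user_data: bytes    # raw octets after TP-UDL


def parse_sms_deliver(tpdu: bytes) -> SmsDeliver:
    """Minimal SMS-DELIVER TPDU parser (3GPP TS 23.040, no SMSC prefix)."""
    if tpdu[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(tpdu[0] & 0x40)
    ndigits = tpdu[1]                       # TP-OA length in digits; tpdu[2] is type-of-address
    oa_octets = (ndigits + 1) // 2
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in tpdu[3:3 + oa_octets])
    i = 3 + oa_octets
    pid, dcs = tpdu[i], tpdu[i + 1]
    i += 2 + 7                              # skip TP-SCTS (7 octets); tpdu[i] is now TP-UDL
    return SmsDeliver(udhi, digits[:ndigits], pid, dcs, tpdu[i + 1:])


@dataclass
class CommandPacket:
    spi1: int
    spi2: int
    kic: int
    kid: int
    tar: bytes
    cntr: bytes
    pcntr: int
    rc_cc_ds: bytes
    secured_data: bytes


def parse_command_packet(ud: bytes) -> CommandPacket:
    """TS 102 225 command packet: CPL | CHL | SPI(2) | KIc | KID | TAR(3) | CNTR(5) | PCNTR | RC/CC/DS | data."""
    cpl = int.from_bytes(ud[0:2], "big")    # octets from CHL to end of secured data
    chl = ud[2]                             # octets from SPI to end of RC/CC/DS
    if cpl != len(ud) - 2 or chl < 13 or 3 + chl > len(ud):
        raise ValueError("malformed command packet")
    return CommandPacket(spi1=ud[3], spi2=ud[4], kic=ud[5], kid=ud[6], tar=ud[7:10],
                         cntr=ud[10:15], pcntr=ud[15], rc_cc_ds=ud[16:3 + chl],
                         secured_data=ud[3 + chl:])


def spi_fields(b: int) -> dict:
    """Fields of the first SPI octet (the MSL uses the same coding)."""
    return {"rc_cc_ds": b & 0b11,           # 00 none, 01 RC, 10 CC, 11 DS
            "ciphering": (b >> 2) & 1,      # 1 = secured data is enciphered
            "counter": (b >> 3) & 0b11}     # 00 none, 01 unchecked, 10 must be higher, 11 must be +1


def meets_msl(spi1: int, msl: int) -> bool:
    """Assumption of this example: every SPI field must be at least as strong as the
    MSL field, taking the numeric coding order as the strength order."""
    have, need = spi_fields(spi1), spi_fields(msl)
    return all(have[k] >= need[k] for k in need)


def screen(tpdu_hex: str, msl: int) -> str:
    """Verdict a filter could give for one incoming SMS-DELIVER."""
    sms = parse_sms_deliver(bytes.fromhex(tpdu_hex))
    if not (sms.pid == SIM_DATA_DOWNLOAD_PID and is_class2_8bit(sms.dcs)):
        return "pass"                       # ordinary message; never reaches the SIM as a command
    pkt = parse_command_packet(sms.user_data)
    return "accept" if meets_msl(pkt.spi1, msl) else "reject: below MSL"


# Constructed TPDUs: originator +1234567 and the same timestamp; PID/DCS/UD vary.
HDR = "04" "0791214365f7"
TEXT_TPDU = HDR + "0000" + "12099121100040" + "05" + "e8329bfd06"            # "hello", 7-bit text
WEAK_TPDU = HDR + "7ff6" + "12099121100040" + "14" + "00120d0000" "0000b00102" "0000000000" "00" "aabbccdd"
STRONG_TPDU = HDR + "7ff6" + "12099121100040" + "1c" + "001a151e00" "1515b00102" "0000000001" "00" "1122334455667788" "aabbccdd"

MSL_CC_ENC_CNTR = 0x1E   # require cryptographic checksum, ciphering and a strictly +1 counter

if __name__ == "__main__":
    for name, pdu in [("text", TEXT_TPDU), ("weak", WEAK_TPDU), ("strong", STRONG_TPDU)]:
        print(f"{name:6s} -> {screen(pdu, MSL_CC_ENC_CNTR)}")
```

Run it directly to see the text message passed through, the unsecured command packet (SPI 00 00, no checksum, no counter) rejected and the secured one accepted. A real network filter would additionally check the originating address against the operator's own OTA platforms, and a real card verifies the checksum and counter rather than only reading the SPI; the point here is that an MSL turns "any binary SMS can drive the S@T Browser" into "only authenticated, fresh packets can".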