AdaptiveMobile Security, one of the world’s leading providers of mobile network security, has just released details of a new vulnerability that can potentially affect more than a billion phones. A simple SMS is enough to take control of a device and track victims. The researchers named it Simjacker, and say they have already seen several practical cases. According to the researchers, the flaw was exploited by a company that works with governments to monitor individuals.
When an SMS message containing a specific code is sent to a mobile phone, the SIM card receives instructions to take control of the device and execute particular commands or recover data. The attack uses software contained in the SIM card called “S@T Browser,” which can interact with the mobile phone to retrieve information.
A system that could be exploited by many criminal groups
The researchers were able to confirm that the vulnerability is currently being exploited in a very effective way. “In one country, we see about 100-150 specific mobile numbers targeted per day by Simjacker attacks, with peaks of 300 numbers in one day.” “Besides, this system could send messages to victims containing false information, call overcharged numbers, serve as a spy system via the microphone by calling a specific number, install malware via the browser, retrieve other information about the device or disable the SIM card entirely to block the mobile.”
The researchers shared their results with the GSM Association and the SIMalliance to alert operators and improve the security of new SIM cards. In the meantime, operators will have to analyze messages in order to block suspicious SMS messages. They could also change the security settings of the SIM cards and uninstall the “S@T Browser” remotely, but this may be quite difficult and time-consuming.
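The operator-side message analysis mentioned above can be sketched as a header check on incoming SMS. This is an added example, not code from AdaptiveMobile or any operator: it assumes the standard 3GPP TS 23.040 markers for SIM-addressed messages (TP-PID 0x7F, class 2 data coding, user data header element 0x70), and the allowlist, function names and sample TPDUs are constructed for illustration.

```python
PID_SIM_DATA_DOWNLOAD = 0x7F   # TP-PID "(U)SIM Data download" (3GPP TS 23.040)
IEI_COMMAND_PACKET = 0x70      # UDH element carrying a SIM Toolkit secured packet
OTA_ALLOWLIST = {"15550100"}   # assumption: operator's own OTA sender (constructed)

def decode_address(semi_octets: bytes, digits: int) -> str:
    """Decode a numeric TP-OA stored as swapped-nibble BCD."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in semi_octets)[:digits]

def is_class2(dcs: int) -> bool:
    """True when TP-DCS marks the message as class 2 (SIM-specific)."""
    general = (dcs & 0xD0) == 0x10      # general coding group, class bits valid
    data_class = (dcs & 0xF0) == 0xF0   # "data coding / message class" group
    return (general or data_class) and (dcs & 0x03) == 2

def inspect_deliver(tpdu_hex: str) -> dict:
    """Parse an SMS-DELIVER header and decide whether a filter should block it."""
    t = bytes.fromhex(tpdu_hex)
    if t[0] & 0x03:
        raise ValueError("not an SMS-DELIVER TPDU")
    digits = t[1]
    pos = 3 + (digits + 1) // 2         # skip first octet, OA length, type-of-address
    sender = decode_address(t[3:pos], digits)
    pid, dcs = t[pos], t[pos + 1]
    ud = t[pos + 10:]                   # after PID, DCS, 7-byte SCTS and UDL
    ieis = []
    if t[0] & 0x40 and ud:              # TP-UDHI set: walk the user data header
        i, end = 1, min(1 + ud[0], len(ud))
        while i + 1 < end:
            ieis.append(ud[i])
            i += 2 + ud[i + 1]
    reasons = []
    if pid == PID_SIM_DATA_DOWNLOAD:
        reasons.append("TP-PID 0x7F (SIM data download)")
    if IEI_COMMAND_PACKET in ieis:
        reasons.append("UDH IEI 0x70 (command packet)")
    if reasons and is_class2(dcs):
        reasons.append("class 2 (SIM-specific)")
    block = bool(reasons) and sender not in OTA_ALLOWLIST
    return {"sender": sender, "reasons": reasons, "block": block}

# Constructed sample TPDUs with placeholder payload bytes, not captured traffic.
SAMPLES = {
    "binary_unknown_sender": "44 08 91 51551099 7F F6 91902101000000 05 0270000000",
    "binary_operator_ota": "44 08 91 51551000 7F F6 91902101000000 05 0270000000",
    "ordinary_text": "04 08 91 51551099 00 00 91902101000000 02 C834",
}

for name, tpdu in SAMPLES.items():
    print(name, inspect_deliver(tpdu))
```

In a real network this check would sit in the SMS firewall or SMSC, where the allowlist is enforced on the signalling source rather than on the sender address alone.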
An utterly invisible SMS attack for the victim
In the main attack discovered by the researchers, the victim’s mobile phone receives an SMS designed not to trigger a notification. The system retrieves the IMEI number of the device, as well as information about the base station to which it is connected, and sends the data back in another SMS. These SMS messages are never visible to the victim and leave no trace in the phone’s inbox or sent messages. By identifying the base station, the sender of the SMS can locate an individual, with an accuracy that increases with the density of the network of relay antennas. Location data are therefore much more accurate in cities than in the countryside.
The “S@T Browser” is quite old, has not been updated since 2009, and is found in most SIM cards, including eSIMs. It is intended in particular to add functions such as consulting your bank balance via your SIM card. It is used by operators in more than 30 countries, representing a potential market of nearly a billion people. The functions that can be operated remotely are not limited to locating the device, since the attacker can use a complete list of STK commands. The researchers were able to open the browser, make calls and send messages.