Simjacker Attack Exploits Deep-Seated Weakness in Phones

A modern smartphone is less a phone than it is a collection of small computers housed in a very expensive glass and polished metal case. Those computers run a variety of software, much of which is invisible to the user, and software has bugs, some of which can be exploited in devastating ways.

Researchers have uncovered an arcane vulnerability in a piece of software buried deep in many mobile phones that can allow an attacker to gain control of a target phone surreptitiously, simply by sending a malicious SMS to the phone. The attack has been used by at least one group against victims in several countries and does not require the victim to click on a link in the message or visit an attacker-controlled website. The SMS contains a set of instructions for the SIM card, which is a tiny computer that gives the phone its identity and allows it to access data networks. Some cards hold a number of different applications on them that control low-level operations for the device. The attack that researchers at AdaptiveMobile Security observed and have named Simjacker exploits an issue with the SIMalliance Toolbox Browser, or S@T browser, an older piece of software on some SIM cards on GSM networks.

The researchers said they have seen the attack targeting phone numbers from a number of different countries. The specific attack that AdaptiveMobile has observed requires the target device to have the S@T Browser on the SIM card and to accept the kind of SMS messages that carry the instructions.

“This Simjacker Attack Message, sent from another handset, a GSM Modem or an SMS sending account connected to an A2P account, contains a series of SIM Toolkit (STK) instructions, and is specifically crafted to be passed on to the UICC/eUICC (SIM Card) within the device. In order for these instructions to work, the attack exploits the presence of a particular piece of software, called the S@T Browser - that is on the UICC,” Cathal Mc Daid, CTO of AdaptiveMobile, wrote in a post explaining the vulnerability and attack scenario.

“Once the Simjacker Attack Message is received by the UICC, it uses the S@T Browser library as an execution environment on the UICC, where it can trigger logic on the handset. For the main attack observed, the Simjacker code running on the UICC requests location and specific device information (the IMEI) from the handset. Once this information is retrieved, the Simjacker code running on the UICC then collates it and sends the combined information to a recipient number via another SMS (we call this the ‘Data Message’), again by triggering logic on the handset. This Data Message is the method by which the location and IMEI information can be exfiltrated to a remote phone controlled by the attacker.”
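The messages described above are SMS-PP data download messages: binary SMS that the handset hands to the SIM rather than displaying, carrying an OTA command packet whose header says which SIM application (TAR) it targets and whether it must be cryptographically protected. The following is an added example, not code from the article or from AdaptiveMobile, of the kind of check an operator or SMS gateway could run on inbound traffic to spot such messages and flag those that demand no cryptographic checksum or signature. Header layout follows 3GPP TS 03.48 / ETSI TS 102 225; the S@T Browser TAR value and the two sample messages are constructed placeholders, and the user data is assumed to carry no UDH.

```python
from dataclasses import dataclass
from typing import List

PID_SIM_DATA_DOWNLOAD = 0x7F   # TP-PID value "(U)SIM Data download"
DCS_CLASS2_8BIT = 0xF6         # TP-DCS: 8-bit data, message class 2 (routed to the SIM)

# Assumption: the operator fills this with the TAR(s) of the S@T Browser on its own
# SIM profiles. The value here is a constructed placeholder, not a real TAR.
SAT_BROWSER_TARS = {bytes.fromhex("000000")}

@dataclass
class CommandPacket:
    spi: int        # security parameter indicator (2 bytes)
    kic: int        # ciphering key identifier
    kid: int        # RC/CC/DS key identifier
    tar: bytes      # toolkit application reference (3 bytes)
    counter: int    # replay counter (5 bytes)

def parse_command_packet(ud: bytes) -> CommandPacket:
    """Parse the TS 03.48 command packet header found in the SMS user data."""
    cpl = int.from_bytes(ud[0:2], "big")   # length of everything after CPL
    chl = ud[2]                            # length of the header after CHL
    if len(ud) < 2 + cpl or chl < 13:      # 13 = SPI+KIc+KID+TAR+CNTR+PCNTR
        raise ValueError("truncated or malformed command packet")
    spi = int.from_bytes(ud[3:5], "big")
    kic, kid = ud[5], ud[6]
    tar = ud[7:10]
    counter = int.from_bytes(ud[10:15], "big")
    return CommandPacket(spi, kic, kid, tar, counter)

def classify_sms(pid: int, dcs: int, ud: bytes) -> List[str]:
    """Return findings for one SMS; an empty list means an ordinary message."""
    findings: List[str] = []
    if pid != PID_SIM_DATA_DOWNLOAD or dcs != DCS_CLASS2_8BIT:
        return findings                    # not addressed to the SIM at all
    findings.append("sms-pp data download addressed to the (U)SIM")
    pkt = parse_command_packet(ud)
    if pkt.tar in SAT_BROWSER_TARS:
        findings.append("targets S@T Browser TAR")
    # SPI first byte, bits b2b1: 00 = nothing, 01 = redundancy check (not
    # cryptographic), 10 = cryptographic checksum, 11 = digital signature.
    if (pkt.spi >> 8) & 0x03 in (0x00, 0x01):
        findings.append("no cryptographic checksum/signature required (SPI)")
    return findings

# Constructed samples: one unprotected packet aimed at the placeholder S@T TAR,
# one packet that requires a cryptographic checksum and targets another TAR.
SAMPLE_UNPROTECTED = bytes.fromhex("0012" "0D" "0000" "00" "00" "000000" "0000000000" "00" "01020304")
SAMPLE_PROTECTED = bytes.fromhex("001A" "15" "0200" "00" "00" "112233" "0000000000" "00"
                                 "1111111111111111" "01020304")
```

Running `classify_sms(0x7F, 0xF6, SAMPLE_UNPROTECTED)` yields all three findings, while the protected sample yields only the routing finding and a plain text SMS yields none.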

The result of the attack is that the remote adversary has access to a wide range of information on the exploited phone, including real-time location data, and also has the ability to send texts, make calls, open apps, and take other actions on the device. Mc Daid said most of the devices that the company has observed being targeted are attacked just once a week, although a small number are hit several times per week. This suggests that the attackers are not maintaining persistent access to the devices once they’re exploited.

“A few phone numbers, presumably high-value, were attempted to be tracked several hundred times over a 7-day period, but most had much smaller volumes. A similar pattern was seen looking at per-day activity; many phone numbers were targeted repeatedly over several days, weeks or months at a time, while others were targeted as a once-off attack,” Mc Daid said.

“These patterns and the number of tracking indicates it is not a mass surveillance operation, but one designed to track a large number of individuals for a variety of purposes, with targets and priorities shifting over time.”

Mc Daid, who plans to present more details on the vulnerability and attack at the Virus Bulletin conference next month, said the company has been working with mobile providers and network operators to address and mitigate the threat.

“We believe that the Simjacker attack evolved as a direct replacement for the abilities that were lost to mobile network attackers when operators started to secure their SS7 and Diameter infrastructure. But whereas successful SS7 attacks required specific SS7 knowledge (and access), the Simjacker Attack Message requires a much broader range of specific SMS, SIM Card, Handset, Sim Toolkit, S@T Browser and SS7 knowledge to craft,” Mc Daid said.

“This investment has clearly paid off for the attackers, as they ended up with a method to control any mobile phone in a certain country, all with only a $10 GSM Modem and a target phone number. In short, the advent of Simjacker means that attackers of mobile operators have invested heavily in new attack techniques, and this new investment and skillset means we should expect more of these kinds of complex attacks.”