Simjacker: Silly Name, Scary Game

Researchers have found a new flaw in many mobile phone SIM cards. “Simjacker” allows an attacker to locate a target device, send text messages, plus make and intercept calls.

The underlying cause seems to be legacy features from the 1990s that are no longer needed. Simjacker is thought to affect more than a billion phones and IoT devices that use SIMs and eSIMs.

But it’s yet another tedious case of researchers making up daft names for vulnerabilities. In today’s SB Blogwatch, we say this must stop.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: vape scaremongering?


SIMplicity, Please

What’s the craic? Lindsey O’Donnell reports—“1B Mobile Users Vulnerable”:

 A vulnerability discovered in mobile SIM cards is being actively exploited to track phone owners’ locations, intercept calls and more – all merely by sending an SMS message to victims, researchers say. … The glitch has been exploited for the past two years … and impacts several mobile operators, with the potential to impact over a billion mobile phone users … in at least 30 countries.

Threat actors can send messages to victims … to trigger proactive commands. … These messages contain a series of SIM Toolkit (STK) instructions [that] can trigger logic on the handset … attackers can launch an array of attacks … including: location tracking, fraud, denial of service, malware spreading and call interception.

Ugh. “Simjacker”? Really? Paul Wagenseil discovers, “How to get your phone to give up your location”:

 We’re not halfway through September, but we’ve already got a prime candidate for Best Branded Bug of the Year. … It’s got its own logo (a mean-looking SIM card). It’s got its own website. And its finder, Dublin-based Adaptive Security, evokes Dr. Evil.

[But] Simjacker does not involve SIM-swapping, aka SIM-jacking. … It’s being used by an unnamed spyware firm to track high-value targeted individuals on behalf of intelligence and police agencies around the world.

[It] works because [STK] can give SIM cards a lot of power over the phones that use them [including accessing] the internet on their own so that the STK can be updated over the air. You may cringe at the prospect. … And you’d be right.

So not much “jacking” going on? cypres agrees with the criticism of the fancy name:

 Misleading. No “hijacking” is taking place; they are obtaining the Cell ID (approximate location) and IMEI info from the phone, by sending it a malicious SMS.

Should you believe the hype? Adaptive Security’s Cathal McDaid calls it, “Next Generation Spying”:

 We believe this vulnerability has been exploited for at least the last 2 years by a highly sophisticated threat actor in multiple countries, primarily for the purposes of surveillance. [It] has been developed by a specific private company that works with governments to monitor individuals.

This same company also has extensive access to the SS7 and Diameter core network. … We were able to correlate this Simjacker-related SS7 activity with a group we have already detected attempting to attack targets via SS7 means around the world.

The Simjacker exploit represents a huge … leap in complexity from previous SMS or SS7/Diameter attacks, and shows us that the range and possibility of attacks … are more complex than we could have imagined in the past.

Any US networks vulnerable? Joseph Cox—@josephfcox—says not:

 This is a pretty wild attack. … Because it’s the SIM card, it’s platform agnostic. Being used by a company that sells surveillance capabilities to governments.

Sprint says it is not impacted by this attack because it “does not use the vulnerable S@T browser on Sprint SIM cards.”

AT&T says “This is not something we use in the U.S., so we are not affected here.”

After originally declining to comment … Verizon says “We have no indication to believe this impacts Verizon.”

Statement from T-Mobile: … “Our security team was aware of this particular issue and took steps [including] verifying with our SIM vendors that we do not install or enable the S@T browser.”

Sounds like layers of legacy. burne_ spelunks the archeology:

 The UICC is a small computer in the SIM [card]. It contains a few credentials to identify you to the network, and for your UICC to validate the network as legitimate.

It needs to communicate with you [so] the choice was made to do this in Java. Since it’s a computer, and one running Java Card, carriers can install programs on it.

On an iPhone I have a menu item ‘simapps’ under ‘mobile network’. One of my choices is something called ‘wallpapers, ringtones and java games’. It displays a rudimentary menu.

I’m guessing this is an app from the nineties, when WAP was hot. All one would need is a single exploitable bug in one of these 25-year-old unmaintained apps.

And fuzzyfuzzyfungus adds mulch:

 Your SIM and baseband cooperate closely with your telco because that’s what makes [it a] cellphone not just a PDA. If it didn’t provide the required authentication and similar capabilities you wouldn’t be able to connect to the cellular network.

[But] the combination of historical baggage and scope creep that ended up with UICCs defined as being capable of acting as a … baseline application platform that the carrier can guarantee will be available. … That may have been a good idea back in 2001, when your alternatives for enabling mobile applications on [a] motley collection of dumbphones running assorted feeble and proprietary environments … were pretty limited.

What they actually have [now] is about as sane as having a dedicated processor embedded in your NIC, running some antique applications so that your ISP can run an app store regardless of what OS the computer is using.

But why won’t they say who’s behind it? Ungrounded Lightning floats without a reference, potentially: [You’re fired—Ed.]

 Probably because they are “quite confident” they know who did it, but don’t have enough evidence to defend themselves from a defamation suit by a deep-pockets security vendor in a battle for its life, backed by multiple state-level operations.

By disclosing the attack information they are raising a volunteer army to spike the operation and/or bring the suit.

Yet this Anonymous Coward adds 2+2:

 Most spyware vendors are based in Israel and the article lists Middle East countries as having vulnerable telcos. Connect the dots.

And Admiral Krunch whistles this idea:

 Which country has a billion people, an oppressive regime and is worried about dissidents?

coughChina.

Meanwhile, are you thinking what archi42’s thinking?

 Another nail in the coffin of SMS 2FA.

And Finally:

Should you avoid vaping?


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Stephan Kambor-Wiesenberg (cc:by)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.