Hackers are actively exploiting a critical weakness found in most mobile phones to surreptitiously track the location of users and possibly carry out other nefarious actions, researchers warned on Thursday.
The so-called Simjacker exploits work across a wide range of mobile devices, regardless of the hardware or software they rely on, researchers with telecom security firm AdaptiveMobile Security said in a post. The attacks work by exploiting an interface intended to be used solely by cell carriers so they can communicate directly with the SIM cards inside subscribers' phones. The carriers can use the interface to provide specialized services such as using the data stored on the SIM to provide account balances.
Simjacker abuses the interface by sending commands that track the location and obtain the IMEI identification code of phones. They might also cause phones to make calls, send text messages, or perform a range of other commands.
“Pretty f***ing bad”
Dan Guido, a mobile security expert and the CEO of security firm Trail of Bits, told Ars the threat looked “pretty fucking bad.” He added: “This attack is platform-agnostic, affects nearly every phone, and there is little anyone except your cell carrier can do about it.”
Over the past two years, AdaptiveMobile Security researchers said, they have observed devices from “nearly every manufacturer being successfully targeted to retrieve location.” Device makers include Apple, ZTE, Motorola, Samsung, Google, Huawei, and even those who produce Internet-of-things products that contain SIM cards. While basic attacks work on virtually all devices, more advanced variations—such as making a call—would work only on specific phones that don't require users to confirm they want the call to go through.
The attacks were “developed by a specific private company that works with governments to monitor individuals,” Thursday's report said. The researchers didn't identify the exploit developer but said it had “extensive access” to core networks using both the SS7 and Diameter traffic-routing protocols. In some cases, the attacker exploits widely known weaknesses in SS7 as a fall-back mechanism when Simjacker attacks don't work.
According to Motherboard reporter Joseph Cox, Sprint and T-Mobile said their customers weren't vulnerable, and AT&T said its US-based network wasn't affected. Verizon, meanwhile, said it had no indication it was affected either.
The attacks are happening to phones in “several” unnamed countries. Thursday's report went on to say:
In one country we are seeing roughly 100-150 specific individual phone numbers being targeted per day via Simjacker attacks, although we have witnessed bursts of up to 300 phone numbers attempting to be tracked in a day; the distribution of tracking attempts varies. A few phone numbers, presumably high-value, were attempted to be tracked several hundred times over a 7-day period, but most had much smaller volumes. A similar pattern was seen looking at per-day activity: many phone numbers were targeted repeatedly over several days, weeks, or months at a time, while others were targeted as a once-off attack. These patterns and the number of tracking attempts indicate it is not a mass surveillance operation, but one designed to track a large number of individuals for a variety of purposes, with targets and priorities shifting over time. The “first use” of the Simjacker method makes sense from this viewpoint, as doing this kind of large volume tracking using SS7 or Diameter methods can potentially expose these sources to detection, so it makes more sense to preserve those methods for escalations or when difficulties are encountered.
The attacks work by sending targeted phones an SMS message that contains special formatting and commands that get passed directly to the universal integrated circuit card (UICC), which is the computerized smart card that makes modern SIMs work. The message contains commands for software—called the S@T Browser—that runs on the SIM card. The commands cause the S@T Browser to send the location and the unique IMEI of the device in a separate SMS message to a number designated by the attacker.
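As an added example (not code from the report or from AdaptiveMobile), here is a small carrier-side triage routine that reads the header of an SMS-DELIVER PDU and flags messages addressed to the SIM rather than to the user: in the 3GPP TS 23.040 layout a “(U)SIM Data Download” message carries TP-PID 0x7F together with a class-2 TP-DCS, which is the transport by which toolkit commands reach software such as the S@T Browser. The two PDUs are constructed samples, and the body bytes are placeholders.

```python
# Carrier-side triage of SMS-DELIVER PDUs (3GPP TS 23.040 field layout).
# Added example; constructed sample PDUs, not captured Simjacker traffic.

SIM_DATA_DOWNLOAD_PID = 0x7F   # TP-PID value reserved for (U)SIM Data Download

def parse_deliver(pdu_hex: str) -> dict:
    """Return the TP-PID, TP-DCS and TP-UDL of an SMS-DELIVER PDU."""
    pdu = bytes.fromhex(pdu_hex)
    i = 0
    smsc_len = pdu[i]
    i += 1 + smsc_len                      # skip SMSC address (TOA + BCD digits)
    first_octet = pdu[i]
    i += 1
    if first_octet & 0x03 != 0x00:          # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits = pdu[i]
    i += 1
    i += 1 + (oa_digits + 1) // 2           # skip originator address (TOA + digits)
    pid, dcs = pdu[i], pdu[i + 1]
    i += 2 + 7                              # TP-PID, TP-DCS, 7-octet TP-SCTS
    return {"pid": pid, "dcs": dcs, "udl": pdu[i]}

def message_class(dcs: int):
    """Message class 0-3 from TP-DCS (TS 23.038), or None if no class is set."""
    group = dcs >> 4
    if group <= 0x3 and dcs & 0x10:         # general coding group with class bit
        return dcs & 0x03
    if group == 0xF:                        # "data coding/message class" group
        return dcs & 0x03
    return None

def triage(pdu_hex: str) -> str:
    """Classify a PDU for filtering: class-2 + PID 0x7F is SIM-bound binary SMS."""
    hdr = parse_deliver(pdu_hex)
    sim_pid = hdr["pid"] == SIM_DATA_DOWNLOAD_PID
    sim_class = message_class(hdr["dcs"]) == 2
    if sim_pid and sim_class:
        return "sim-data-download"          # candidate for network-side blocking
    if sim_pid or sim_class:
        return "review"                     # unusual combination, log for analysis
    return "normal"

# Constructed samples: SMSC +447785100010, originator +44771234567.
SIM_BOUND_PDU = ("07 91 44 77 58 01 00 01 04 0B 91 44 77 21 43 65 F7"
                 " 7F F6 91 90 21 31 21 00 00 04 DE AD BE EF")   # PID 7F, DCS F6
TEXT_PDU = ("07 91 44 77 58 01 00 01 04 0B 91 44 77 21 43 65 F7"
            " 00 00 91 90 21 31 21 00 00 05 E8 32 9B FD 06")     # plain "hello"

if __name__ == "__main__":
    for name, pdu in (("sim-bound", SIM_BOUND_PDU), ("text", TEXT_PDU)):
        print(name, parse_deliver(pdu), triage(pdu))
```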
Here's how Thursday's report explained it:
The attack relies both on these specific SMS messages being allowed, and the S@T Browser software being present on the UICC in the targeted phone. Specific SMS messages targeting UICC cards have been demonstrated before on how they could be exploited for malicious purposes. The Simjacker attack takes a different approach, and greatly simplifies and expands the attack by relying on the S@T Browser software as an execution environment. The S@T (pronounced sat) Browser—or SIMalliance Toolbox Browser to give it its full name—is an application specified by the SIMalliance, and can be installed on a variety of UICC (SIM cards), including eSIMs. This S@T Browser software is not well known, is quite old, and its initial purpose was to enable services such as getting your account balance through the SIM card. Globally, its function has been mostly superseded by other technologies, and its specification has not been updated since 2009; however, like many legacy technologies it is still being used while remaining in the background. In this case we have observed the S@T protocol being used by mobile operators in at least 30 countries whose cumulative population adds up to over a billion people, so a sizable amount of people are potentially affected. It is also highly likely that additional countries have mobile operators that continue to use the technology on specific SIM cards.
This attack is also unique, in that the Simjacker Attack Message could logically be classified as carrying a complete malware payload, specifically spyware. This is because it contains a list of instructions that the SIM card is to execute. As software is essentially a list of instructions, and malware is “bad” software, then this could make the Simjacker exploit the first real-life case of malware (specifically spyware)