27 September 2023

Calling card: How hackers are using SIM cards to track mobile phones


Dan Goodin* says hackers have found a way to attack mobile phones by sending commands directly to applications stored on SIM cards.


Hackers are actively exploiting a critical weakness found in most mobile phones to surreptitiously track the location of users and possibly carry out other nefarious actions, researchers have warned.

The so-called Simjacker exploits work across a wide range of mobile devices, regardless of the hardware or software they rely on, researchers with telecom security firm AdaptiveMobile Security said in a post.

The attacks work by exploiting an interface intended to be used solely by mobile carriers so they can communicate directly with the SIM cards inside subscribers’ phones.

The carriers can use the interface to provide specialised services such as using the data stored on the SIM to provide account balances.

Simjacker abuses the interface by sending commands that track the location and obtain the International Mobile Equipment Identity (IMEI) identification code of phones.

They might also cause phones to make calls, send text messages, or perform a range of other commands.

Dan Guido, a mobile security expert and the CEO of security firm Trail of Bits, told Ars: “This attack is platform-agnostic, affects nearly every phone, and there is little anyone except your cell carrier can do about it.”

Over the past two years, the researchers said, they have observed devices from “nearly every manufacturer being successfully targeted to retrieve location”.

The affected manufacturers also include those who produce Internet of Things (IoT) products that contain SIM cards.

The attacks were “developed by a specific private company that works with governments to monitor individuals,” the research report said.

The researchers didn’t identify the exploit developer but said it had “extensive access” to core networks.

The attacks are happening to phones in “several” unnamed countries.

The AdaptiveMobile Security report went on to say: “In one country we are seeing roughly 100–150 specific individual phone numbers being targeted per day via Simjacker attacks, although we have witnessed bursts of up to 300 phone numbers attempting to be tracked in a day, the distribution of tracking attempts varies.”

“These patterns and the number of tracking indicates it is not a mass surveillance operation, but one designed to track a large number of individuals for a variety of purposes, with targets and priorities shifting over time.”

The attacks work by sending targeted phones an SMS message that contains special formatting and commands that get passed directly to the universal integrated circuit card, which is the computerised smart card that makes modern SIMs work.

According to the report: “The attack relies both on these specific SMS messages being allowed, and the S@T Browser software being present on the UICC [Universal Integrated Circuit Card] in the targeted phone.”

“This S@T Browser software is not well known, is quite old, and its initial purpose was to enable services such as getting your account balance through the SIM card.”

“Globally, its function has been mostly superseded by other technologies … however, like many legacy technologies it is still being used while remaining in the background.”

“In this case, we have observed the S@T protocol being used by mobile operators in at least 30 countries whose cumulative population adds up to over a billion people, so a sizeable amount of people are potentially affected.”

“It is also highly likely that additional countries have mobile operators that continue to use the technology on specific SIM cards.”

“This attack is also unique, in that the Simjacker Attack Message could logically be classified as carrying a complete malware payload, specifically spyware.”

“This is because it contains a list of instructions that the SIM card is to execute.”

“As software is essentially a list of instructions, and malware is ‘bad’ software, then this could make the Simjacker exploit the first real-life case of malware (specifically spyware) sent within a SMS.”

“Previous malware sent by SMS — such as the incidents we profiled here — have involved sending links to malware, not the malware itself within a complete message.”

The researchers said other commands capable of executing include:

  • Play tone
  • Send short message
  • Set up call
  • Send USSD
  • Send SS
  • Provide local information (including location, battery, network, and language)
  • Power off card
  • Run AT command
  • Send DTMF command
  • Launch browser
  • Open channel (CS bearer, data service bearer, local bearer, UICC server mode, etc.)
  • Send data
  • Get service information
  • Submit multimedia message
  • Geographical location request.

The attack reported is similar to one demonstrated in 2013 at the Black Hat security conference in Las Vegas.

“We could trigger the attack only on SIM cards with weak or non-existent signature algorithms, which happened to be many SIM cards at the time,” Karsten Nohl, the Chief Scientist at SRLabs who presented the 2013 findings, told Ars.

“AdaptiveMobile seems to have found a way in which the same attack works even if signatures are properly checked, which is a big step forward in attack research.”

Nohl added that he doubted Simjacker was being widely exploited, since location data is generally not interesting to criminals and other methods exist to track specific targets.

Those methods include SS7 attacks, phone malware, or simply buying the data from mobile networks or app makers who collect it.

In response to the attacks, the SIMalliance — an industry group representing major UICC makers — issued a new set of security guidelines for cellular carriers.

The recommendations include implementing filtering at the network level to intercept and block “illegitimate binary SMS messages” and making changes to the security settings of SIM cards issued to subscribers.
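The attack mechanism described earlier (a specially formatted SMS handed straight to the UICC) and the SIMalliance advice above (filter binary SMS at the network, and tighten the SIM's security settings) are two sides of the same control point. The following is an added example, not code from AdaptiveMobile, the SIMalliance or Ars Technica, showing the kind of rule an SMSC or SMS firewall can apply. It recognises SIM-bound messages by the standard SMS header fields (TP-PID 0x7F "SIM data download", TP-DCS message class 2), restricts them to the operator's own OTA platform, parses the fixed part of the OTA command packet header, and rejects commands that do not request a cryptographic checksum or signature, which is what the "security settings of SIM cards" recommendation amounts to. The originator addresses, TAR values and sample messages are constructed placeholders, not real allocations, and the header layout follows my reading of ETSI TS 102 225 / 3GPP TS 31.115; an operator would check both against its own SIM profile.

```python
"""
Defender-side filter for SIM-bound ("binary") SMS.

Added example; not code from AdaptiveMobile, the SIMalliance or Ars Technica.
Originator addresses, TAR values and the sample messages below are constructed
placeholders, not real allocations.
"""
from dataclasses import dataclass
from typing import Optional

SIM_DATA_DOWNLOAD_PID = 0x7F   # TP-PID value for "SIM data download"


@dataclass
class Sms:
    originator: str   # sender address as seen by the SMSC / SMS firewall
    pid: int          # TP-Protocol-Identifier
    dcs: int          # TP-Data-Coding-Scheme
    user_data: bytes  # TP-User-Data; for OTA this is the secured command packet


@dataclass
class OtaHeader:
    spi1: int         # security parameter indicator, first byte
    spi2: int
    tar: bytes        # 3-byte Toolkit Application Reference (which SIM app gets the command)
    counter: bytes    # 5-byte anti-replay counter


def sms_class(dcs: int) -> Optional[int]:
    """Return the message class (0-3) encoded in TP-DCS, or None if no class is given.
    Coding group 1111 always carries a class in bits 1..0; groups 00xx only when bit 4 is set."""
    group = dcs >> 4
    if group == 0xF or (group <= 0x3 and dcs & 0x10):
        return dcs & 0x03
    return None


def is_sim_bound(sms: Sms) -> bool:
    """A message is SIM-bound if it is marked SIM data download or is message class 2."""
    return sms.pid == SIM_DATA_DOWNLOAD_PID or sms_class(sms.dcs) == 2


def parse_ota_header(user_data: bytes) -> OtaHeader:
    """Parse the fixed part of an OTA command packet (assumed layout:
    CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1) RC/CC/DS(var) data).
    Raises ValueError on a truncated or inconsistent packet."""
    if len(user_data) < 16:
        raise ValueError("packet too short for an OTA command header")
    cpl = int.from_bytes(user_data[0:2], "big")
    chl = user_data[2]
    if cpl != len(user_data) - 2 or chl < 13 or 3 + chl > len(user_data):
        raise ValueError("length fields do not match packet size")
    return OtaHeader(spi1=user_data[3], spi2=user_data[4],
                     tar=bytes(user_data[7:10]), counter=bytes(user_data[10:15]))


def has_integrity(spi1: int) -> bool:
    """SPI byte 1 bits b2b1: 00 none, 01 redundancy check, 10 cryptographic checksum,
    11 digital signature. Only CC or DS let the SIM authenticate the sender."""
    return (spi1 & 0x03) >= 0x02


def classify(sms: Sms, allowed_ota_senders: set, allowed_tars: set) -> str:
    """Decide what a network-side filter should do with one SMS."""
    if not is_sim_bound(sms):
        return "pass"                         # ordinary text message, not addressed to the SIM
    if sms.originator not in allowed_ota_senders:
        return "block:unexpected-originator"  # SIM commands only from the operator's OTA platform
    try:
        hdr = parse_ota_header(sms.user_data)
    except ValueError:
        return "block:malformed"
    if hdr.tar not in allowed_tars:
        return "block:unknown-tar"            # not an application the operator still serves
    if not has_integrity(hdr.spi1):
        return "block:no-integrity"           # unsigned command: the SIM could not verify it
    return "pass"                             # the SIM still verifies the MAC itself with its key


def build_ota_packet(spi1: int, tar: bytes, secured_data: bytes, mac: bytes = b"") -> bytes:
    """Assemble a constructed OTA command packet for the samples (KIc/KID placeholders, zero counter)."""
    header = bytes([spi1, 0x00, 0x00, 0x00]) + tar + bytes(5) + bytes([0x00]) + mac
    body = bytes([len(header)]) + header + secured_data
    return len(body).to_bytes(2, "big") + body


# Constructed policy and traffic; every value here is a placeholder.
ALLOWED_OTA_SENDERS = {"OTA-PLATFORM"}
ALLOWED_TARS = {bytes.fromhex("000000")}
SAMPLES = {
    "text": Sms("+15550001", 0x00, 0x00, b"hello"),
    "spoofed": Sms("+15559999", 0x7F, 0xF6, build_ota_packet(0x00, bytes.fromhex("AAAAAA"), b"\x01")),
    "legit": Sms("OTA-PLATFORM", 0x7F, 0xF6,
                 build_ota_packet(0x12, bytes.fromhex("000000"), b"\x01", mac=bytes(8))),
    "unsigned_from_operator": Sms("OTA-PLATFORM", 0x7F, 0xF6,
                                  build_ota_packet(0x00, bytes.fromhex("000000"), b"\x01")),
}


def run_samples() -> dict:
    """Classify each constructed sample; returns a name -> verdict mapping."""
    return {name: classify(s, ALLOWED_OTA_SENDERS, ALLOWED_TARS) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:24s} {verdict}")
```

The filter does not verify the MAC; only the SIM holds the key for that. Its job is narrower: keep SIM-addressed messages from anyone but the operator's OTA platform out of the network, and refuse to carry commands that would reach a SIM without any integrity protection, so a card whose own security settings are weak is no longer exposed by default.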

As Nohl noted, snoops have long had a variety of ways to track the location of many cellular devices.

This latest report means that, until carriers implement the SIMalliance recommendations, hackers have another stealthy technique that previously went overlooked.

* Dan Goodin is Security Editor at Ars Technica. He tweets at @dangoodin001.

This article first appeared at arstechnica.com.
