The main Simjacker attack involves a SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands, exploiting the presence of a particular piece of software, called the S@T Browser on the SIM card.

The vulnerability and its associated attacks have been named Simjacker as it involves the hijacking of SIM cards and threatens mobile phone users across the globe.

How does the attack work?

At a high level, the vulnerability works by leveraging a GSM modem available for as cheap as $10 to send malicious messages to handsets that still use the S@T browser functionality in order to trigger specially crafted STK commands.

The SMS is not the regular kind, but another flavor called Binary SMS that’s used to deliver rich-content, such as ringtones, telephone system settings and WAP push text messages.

The device, upon receiving the SMS, blindly passes on the message to the SIM card without bothering to check its origin, following which the SIM card uses the S@T browser to execute the command including requesting location and device information such as IMEI numbers.

“During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated,” the researchers said.

While the primary attack detected involved the retrieval of mobile phone locations, the scope of Simjacker has considerably widened to “perform many other types of attacks against individuals and mobile operators such as fraud, scam calls, information leakage, denial of service and espionage.”

SIMalliance, for its part, has rolled out fresh recommendations to cellular carriers to implement additional security for S@T push messages by filtering such illegitimate binary SMSes.

 

This technique allows an attacker to retrieve user location, but also allows remote malicious users to execute STK commands, like:

  • PLAY TONE
  • SEND SHORT MESSAGE
  • SET UP CALL
  • SEND USSD
  • SEND SS
  • PROVIDE LOCAL INFORMATION
    • Location Information, IMEI, Battery, Network, Language, etc
  • POWER OFF CARD
  • RUN AT COMMAND
  • SEND DTMF COMMAND
  • LAUNCH BROWSER
  • OPEN CHANNEL
    • CS BEARER, DATA SERVICE BEARER, LOCAL BEARER, UICC SERVER MODE, etc
  • SEND DATA
  • GET SERVICE INFORMATION
  • SUBMIT MULTIMEDIA MESSAGE
  • GEOGRAPHICAL LOCATION REQUEST

These commands could be used by an attacker to fulfill such purposes as:

  • Mis-information (e.g. by sending SMS/MMS messages with attacker-controlled content)
  • Fraud (e.g. by dialing premium-rate numbers),
  • Espionage (as well as the location retrieving attack an attacked device it could function as a listening device, by ringing a number),
  • Malware spreading (by forcing a browser to open a web page with malware located on it)
  • Denial of service (e.g. by disabling the SIM card)
  • Information retrieval (retrieve other information like language, radio type, battery level, etc.)

For more Information about cybersecurity contact us at help@theweborion.com