It seems as though we can’t escape a single week without hearing about a new widespread security exploit that puts us all at risk. This week, the newly detailed attack taking center stage is called Simjacker, and it was revealed by the folks at AdaptiveMobile Security.
As its name implies, Simjacker works primarily by exploiting the SIM cards that all of our smartphone use. As the researchers explain it, this new exploit represents a “huge jump in complexity and sophistication” in comparison to other attack vectors that have propagated over mobile networks.
Although Simjacker is quite an intricately-executed exploit, we’ll give you a brief overview of how it claims its victims. First of all, the perpetrator sends an SMS “attack message” to a victim which contains SIM Toolkit (STK) instructions. These instructions are specifically crafted to call on the [email protected] Browser embedded in every SIM card. From there the [email protected] Browser can execute code that will force the target smartphone to return information to the attacker.
This information from the target phone is then relayed back to the malicious party in the form of another SMS message. So what data is being relayed back to the perpetrator? According to AdaptiveMobile Security, both IMEI information and location details can be sent via SMS.
And here’s where things get incredibly sneaky and downright frightening. “During the attack, the user is completely unaware that they received the SMS with the Simjacker Attack message, that information was retrieved, and that it was sent outwards in the Data Message SMS – there is no indication in any SMS inbox or outbox,” writes AdaptiveMobile Security.
Interestingly, it is stated that the [email protected] Browser is incredibly outdated and not even as frequently used today as it once was before the prevalence of smartphones. In fact, the researchers point out that the underlying specifications for the software have not been updated in roughly a decade.
Besides obtaining IMEI and location information, this Simjacker attack could also be used to “silently” access the complete STK command set. With these tools at their disposal, attackers could implement DoS attacks, perform espionage campaigns, and even spread malware.
Given the extreme complexity and wide scope of Simjacker’s impact, it is of the opinion of the researchers that it was commissioned by a government entity and developed by a private company for surveillance purposes.
“These patterns and the number of tracking indicates it is not a mass surveillance operation, but one designed to track a large number of individuals for a variety of purposes, with targets and priorities shifting over time,” writes AdaptiveMobile Security.
And according to the researchers, Simjacker has been in the wild for over two years. As for what can be done to shutdown this attack vector, it’s being recommended that carriers simply block suspicious messages that carrying [email protected] Browser commands.