Attackers have been monitoring SIM card owners for more than two years with a Simjacker attack

Researchers at AdaptiveMobile Security have described the Simjacker attack, which uses SMS messages to deliver SIM Toolkit (STK) and S@T Browser instructions to a SIM card. For more than two years, cybercriminals have been using Simjacker to monitor SIM card owners.

The experts warn that this attack is not merely a concept: it has been used regularly in practice over the past two years.

“We are confident that this exploit was developed by a specific private company that works with governments to monitor individuals,” the experts write.

AdaptiveMobile experts do not disclose the name of the company carrying out these attacks, so it is unclear whether the technique is used to track criminals or terrorists, or whether it is used to track dissidents, activists and journalists.

According to the researchers, the same unnamed company has expanded access to the SS7 and Diameter core network, and the targets of Simjacker attacks often become victims of attacks over SS7 as well. SS7 attacks appear to be the less preferred fallback option for cases where Simjacker does not work: operators have recently devoted much more time and effort to protecting their SS7 and Diameter infrastructure, while Simjacker attacks are cheap and easy to execute.

The essence of the attack is that, using a smartphone or a simple GSM modem, the attacker sends the victim’s device a special SMS message containing hidden instructions for the SIM Toolkit. The S@T Browser application running on the device’s SIM card supports these instructions.


STK and S@T Browser are old technologies supported by many mobile networks and SIM cards. They can trigger various actions on the device, for example launching a browser, playing a sound or showing pop-ups. In the past, mobile operators often used them to send users promotional offers or billing information.

In a Simjacker attack, the attacker abuses this mechanism and orders the victim’s device to hand over location data and the IMEI, which the SIM card then sends in an SMS message to a third-party device, so the attacker is eventually able to determine the location of the target. The victims of the attack do not see any SMS messages or other signs of compromise. Attackers can therefore keep flooding their victims with SMS messages and track their location continuously, for weeks or even months. Because the Simjacker attack targets the SIM card, it does not depend on the platform or type of user device.

“We noticed that the devices of almost all manufacturers successfully allow us to find out the user’s location data: Apple, ZTE, Motorola, Samsung, Google, Huawei and even IoT devices with SIM cards,” the researchers write.

AdaptiveMobile experts note that Simjacker attacks occur in large numbers every day. Most often, phone numbers are tracked several times a day, over a long time.

“The schemes and the number of tracking devices indicate that this is not a large-scale mass tracking operation, but an operation to track a large number of people for various purposes, and the goals and priorities of the operators change over time,” the experts say.

Analysts also note that Simjacker attacks can be easily prevented if operators pay attention to exactly what code runs on their SIM cards. The S@T Browser specification has not been updated since 2009, and its original functionality, such as retrieving account balance information via the SIM card, has long been outdated and replaced by other technologies. Nevertheless, the obsolete S@T Browser is still in use and is present on SIM cards of mobile operators in at least 30 countries. In total, more than one billion people live in these countries, and all of them are at risk of stealth surveillance using Simjacker.
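
Because the messages described above never appear on the handset, any check has to run in the operator's network. The following added example (not code from the article or from AdaptiveMobile) parses constructed SMS-DELIVER PDUs and flags SIM-addressed messages whose sender is not on a hypothetical OTA allowlist. The field values follow 3GPP TS 23.040; the allowlist, phone numbers and PDUs are assumptions.

```python
# Added example: SMS-firewall style check for SIM-addressed binary SMS.
# Field layout per 3GPP TS 23.040 SMS-DELIVER; all PDUs and numbers are constructed.
SIM_DATA_DOWNLOAD_PID = 0x7F            # TP-PID value for (U)SIM Data Download
STK_SECURITY_IEIS = range(0x70, 0x80)   # UDH IEIs for (U)SIM Toolkit security headers

def parse_sms_deliver(hex_tpdu):
    b = bytes.fromhex(hex_tpdu)
    if (b[0] & 0x03) != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    digits = b[1]                        # TP-OA length in semi-octets
    oa = b[3:3 + (digits + 1) // 2]      # b[2] is the type-of-address octet
    sender = "".join(f"{o & 0x0F:x}{o >> 4:x}" for o in oa)[:digits]
    i = 3 + len(oa)
    pid, dcs = b[i], b[i + 1]
    ud = b[i + 2 + 7 + 1:]               # skip TP-SCTS (7 octets) and TP-UDL
    ieis = []
    if b[0] & 0x40 and ud:               # TP-UDHI: user data starts with a header
        udh, j = ud[1:1 + ud[0]], 0
        while j + 1 < len(udh):          # walk IEI / length / data triplets
            ieis.append(udh[j])
            j += 2 + udh[j + 1]
    return {"sender": sender, "pid": pid, "dcs": dcs, "ieis": ieis}

def is_class2(dcs):                      # class 2 = (U)SIM-specific message
    group = dcs >> 4
    if group <= 0x7:                     # general coding groups: bit 4 enables class
        return bool(dcs & 0x10) and (dcs & 0x03) == 0x02
    return group == 0xF and (dcs & 0x03) == 0x02

def evaluate(hex_tpdu, ota_allowlist):
    m = parse_sms_deliver(hex_tpdu)
    reasons = []
    if m["pid"] == SIM_DATA_DOWNLOAD_PID:
        reasons.append("pid=sim-data-download")
    if any(i in STK_SECURITY_IEIS for i in m["ieis"]):
        reasons.append("udh=stk-security-header")
    if reasons and is_class2(m["dcs"]):
        reasons.append("dcs=class2")     # supporting context, not a trigger alone
    block = bool(reasons) and m["sender"] not in ota_allowlist
    return {"sender": m["sender"], "block": block, "reasons": reasons}

OTA_ALLOWLIST = {"15555550199"}          # hypothetical operator OTA platform number
SAMPLES = {                              # constructed PDUs; payload is zero filler
    "sim_unknown":  "44 0B 91 5155550501F0 7F F6 91902101000000 07 027000 00000000",
    "sim_operator": "44 0B 91 5155550591F9 7F F6 91902101000000 07 027000 00000000",
    "text":         "04 0B 91 5155550501F0 00 00 91902101000000 02 E834",
}
for name, pdu in SAMPLES.items():
    print(name, evaluate(pdu, OTA_ALLOWLIST))
```

Only the first sample is blocked: it addresses the SIM and comes from a number outside the allowlist, while the same message from the allowlisted sender and the ordinary text message pass.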

According to Vice Motherboard reporters, Sprint and T-Mobile said their users were not compromised, and AT&T said their US network was immune to such attacks.

Even worse, other commands supported by S@T Browser include the ability to make calls, send messages, disconnect a SIM card, run AT modem commands, open browsers (with phishing links or malicious sites), and much more. That is, Simjacker attacks can be used not only to monitor users, but also for financial fraud (calls to premium numbers), spying (making a call and listening to conversations near the device), sabotage (disabling the victim’s SIM card), misinformation campaigns (sending SMS / MMS with fake content) and so on.

It should be noted that Simjacker attacks are not an entirely new phenomenon. For example, information security specialist Bogdan Alecu described the abuse of STK instructions at a theoretical level back in 2011. At the time, the expert warned that this could be used to send SMS to paid numbers, or to create difficulties in receiving regular text messages.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
