Millions of smartphones vulnerable to SimJacker mobile phone exploit

Earlier this month, Adaptive Mobile Security released a report on a vulnerability and set of exploits which have since been named SimJacker. Adaptive Mobile Security showed that this attack vector has been used for at least the last two years to hack into target mobile phones. The security firm was able to identify that the SimJacker exploit had been used across multiple countries by a “highly sophisticated threat actor,” and represents a huge leap in complexity over previous mobile phone exploits. Adaptive Mobile emphasized that the discovery of this actively used vulnerability in the wild is absolutely a sign of raised stakes in the arms race between hackers and users. They wrote in their report:

“The Simjacker exploit represent a huge, nearly Stuxnet-like, leap in complexity from previous SMS or SS7/Diameter attacks, and show us that the range and possibility of attacks on core networks are more complex than we could have imagined in the past. Now is the time to make sure that we stay ahead of these attacks in the future.”

On October 3rd, Adaptive Mobile will go more in depth on this topic at the Virus Bulletin Conference in London. The firm has also worked with the GSM and SIM Alliance to get these attack vectors fixed at the Sim card level. Additionally, Adaptive Mobile gave tips to mobile network operators on how to block these attacks – but there’s no guarantee that all of them have implemented these stopgaps while the S&T Browser receives a long overdue security update. That is to say – like with many other discovered vulnerabilities -many people are still vulnerable.

How does SimJacker work?

At its core, SimJacker works by an attacker sending an SMS message to the target containing special code that is then automatically processed by the SIM card which then allows the attacker to take over the phone through the SIM card’s S@T Browser. After the attacker has control of the S&T Browser, they’re able to execute all sorts of actions with simple commands. Adaptive Mobile laid out potential ways that SimJacker could be used against the SIMjacked phone, or other phones:

• Mis-information (e.g. by sending SMS/MMS messages with attacker controlled content)

• Fraud (e.g. by dialling premium rate numbers),

• Espionage (as well as the location retrieving attack an attacked device it could function as a listening device, by ringing a number),

• Malware spreading (by forcing a browser to open a web page with malware located on it)

• Denial of service (e.g by disabling the SIM card)

• Information retrieval (retrieve other information like language, radio type, battery level etc.)

The researchers noted that many of these attacks seem to work independent of handset type – meaning the amount of affected phones is in the high millions. Additionally, they hinted that certain models of phones might be even more vulnerable – and will reveal more information on that at the Virus Bulletin Conference.

Even without SimJacker, mobile phones are notoriously vulnerable – especially if you give up physical possession of your phone

SimJacker is so dangerous because it allows for remote execution and can bypass the safeguards on what a target might otherwise reasonably expect to be a secure phone and network. Reasonable only if the target isn’t keeping abreast of the current state of internet privacy and security. At this point in time, it’s almost more rational to automatically be suspicious of closed source hardware and software and use proxies such as past performance to make level-of-trust decisions.

Mobile phones are notoriously easy to break – though exploits range from requiring physical access in cases such as CheckM8 to allowing for remote execution, like with SimJacker. The latter is more dangerous, though both are used to hack into targets’ mobile phones. Physical access exploits are the reason why you should never surrender access to your phone; however, certain border crossings around the world make that impossible. Example border crossings include entering into the United States, or entering China from their eastern border. In the Chinese example, border crossers are forced to install an app on their smartphone which sends all sorts of private information back to the government. No amount of software security will defeat a vector like that, though some OpSec practices such as only crossing borders with dummy phones might. In a world where there are probably other actively used exploits like SimJacker just waiting to be discovered – reviewing one’s OpSec plan is looking pretty good.