
That's Jack Yo - Simjacker attack exploits 1 billion+ SIM cards via hidden SMS messages, active campaigns in progress

rcmaehl

Sources:

ArsTechnica (quote source)
AdaptiveMobile (Image source)
Statements from US Carriers

 

Summary:
A flaw in an applet embedded in SIM cards has been actively used in the last 2 years to track users and perform other activities.

 

Media:
S_attackflow.jpg
 

Quotes/Excerpts:

Quote

Hackers are actively exploiting a critical weakness found in most mobile phones to...track the location of users and...carry out other nefarious actions, researchers warned on Thursday. The...Simjacker exploits work across a wide range of mobile devices, regardless of the hardware or software they rely on, researchers with telecom security firm AdaptiveMobile Security said.

The attacks work by exploiting an interface intended to be used solely by cell carriers so they can communicate directly with the SIM cards. Simjacker abuses the interface by sending commands that track the location and obtain the IMEI identification code of phones. They might also cause phones to make calls, send text messages, or perform a range of other commands.

Over the past two years, AdaptiveMobile Security researchers said, they have observed devices from “nearly every manufacturer being successfully targeted to retrieve location.” Device makers include Apple, ZTE, Motorola, Samsung, Google, Huawei, and even those who produce Internet-of-things products that contain SIM cards. While basic attacks work on virtually all devices, more advanced variations—such as making a call—would work only on specific phones that don’t require users to confirm they want the call to go through.

The attacks were “developed by a specific private company that works with governments to monitor individuals.” "In one country we are seeing roughly 100-150 specific individual phone numbers being targeted per day via Simjacker attacks, although we have witnessed bursts of up to 300 phone numbers attempting to be tracked in a day, the distribution of tracking attempts varies."

The attacks work by sending targeted phones an SMS message that contains special formatting and commands that get passed directly to the universal integrated circuit card, which is the computerized smart card that makes modern SIMs work. The message contains commands for software—called the S@T browser—that runs on the SIM card.
The researchers said other commands UICCs are capable of executing include: 

  • PLAY TONE
  • SEND SHORT MESSAGE
  • SET UP CALL
  • SEND USSD
  • SEND SS
  • PROVIDE LOCAL INFORMATION (including location, battery, network, and language)
  • POWER OFF CARD
  • RUN AT COMMAND
  • SEND DTMF COMMAND
  • LAUNCH BROWSER
  • OPEN CHANNEL (CS BEARER, DATA SERVICE BEARER, LOCAL BEARER, UICC SERVER MODE, etc.)
  • SEND DATA
  • GET SERVICE INFORMATION
  • SUBMIT MULTIMEDIA MESSAGE
  • GEOGRAPHICAL LOCATION REQUEST

In response to the attacks, the SIMalliance—an industry group representing major UICC makers—issued a new set of security guidelines for cellular carriers. The recommendations include:

  • Implementing filtering at the network level to intercept and block “illegitimate binary SMS messages” and
  • Making changes to the security settings of SIM cards issued to subscribers.

 

My Thoughts:

Anyone who understands the basics of how SIM cards work honestly shouldn't be surprised at this revelation. SIM cards are IN FACT a computer. They have their own processor, storage, and RAM as well as a variety of applications installed, some accessible via the phone and some not. SIM cards are extremely capable of a variety of tasks and should definitely be considered one of the weakest links in a mobile device. Regardless, it does look like some government contractors and other government entities are actively using this exploit. Thankfully, it looks like most US carriers should not be affected... How non-US carriers are affected is yet to be seen.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor
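The quoted article says the attack rides on binary SMS that the handset hands straight to the UICC, and that the SIMalliance's first recommendation is to filter "illegitimate binary SMS messages" at the network level. The following is an added example of what such a gateway check looks like; it is not code from AdaptiveMobile, the SIMalliance, ArsTechnica or anyone in this thread. The field meanings it relies on are from the public 3GPP specs (TS 23.040: TP-PID 0x7F is "(U)SIM Data download", DCS message class 2 is "(U)SIM specific"; TS 31.115: the secured command packet starts CPL, CHL, SPI, KIc, KID, TAR). The allowlisted originator number, the "authenticated packets only" policy and all sample messages are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed carrier policy (an assumption for this example, not a statement
# from the article): only the carrier's own OTA platform may originate
# SIM-bound binary SMS. The number is a placeholder.
OTA_ALLOWLIST: Set[str] = {"+15550100001"}

# TS 23.040: TP-PID value meaning "(U)SIM Data download".
PID_SIM_DATA_DOWNLOAD = 0x7F


@dataclass
class MtSms:
    """One mobile-terminated short message as seen at the SMS-C (constructed)."""
    originator: str   # TP-OA in international format
    pid: int          # TP-PID
    dcs: int          # TP-DCS
    user_data: bytes  # TP-UD with any user-data header already stripped


def message_class(dcs: int) -> Optional[int]:
    """Return the message class (0..3) encoded in TP-DCS, or None if absent.

    TS 23.040 coding groups 00xx (bit 4 set => bits 1..0 are the class) and
    1111 (bits 1..0 are always the class). Class 2 means "(U)SIM specific".
    """
    group = dcs >> 4
    if group <= 0x3:
        return dcs & 0x03 if dcs & 0x10 else None
    if group == 0xF:
        return dcs & 0x03
    return None


def is_sim_bound(msg: MtSms) -> bool:
    """True when the handset would hand the payload to the UICC without
    displaying it: the delivery path the article describes."""
    return msg.pid == PID_SIM_DATA_DOWNLOAD or message_class(msg.dcs) == 2


def spi_integrity(user_data: bytes) -> Optional[str]:
    """Read the integrity mechanism requested by the first SPI byte of a
    TS 31.115 command packet (layout CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3)).
    Returns None when the payload is too short to be a command packet."""
    if len(user_data) < 5:
        return None
    names = {0: "none", 1: "redundancy-check",
             2: "cryptographic-checksum", 3: "digital-signature"}
    return names[user_data[3] & 0x03]


def decide(msg: MtSms, allowlist: Set[str] = OTA_ALLOWLIST) -> str:
    """Gateway verdict for one message: 'deliver' or 'block:<reason>'."""
    if not is_sim_bound(msg):
        return "deliver"                      # ordinary text; out of scope
    if msg.originator not in allowlist:
        return "block:unauthorised-originator"
    if spi_integrity(msg.user_data) not in ("cryptographic-checksum",
                                            "digital-signature"):
        # Allowlisted sender but no authenticated command packet: treat as
        # spoofed or misconfigured rather than trusting the originator alone.
        return "block:unauthenticated-command-packet"
    return "deliver"


def triage(messages: List[MtSms]) -> List[Tuple[str, str]]:
    """Apply decide() to a batch and return (originator, verdict) pairs."""
    return [(m.originator, decide(m)) for m in messages]


# Constructed sample traffic. The command-packet bytes are hand-made headers
# (CPL, CHL, SPI, KIc, KID, TAR) with dummy values, not captured attack data.
SAMPLE_TRAFFIC = [
    # plain GSM-7 text message: PID 0, DCS 0
    MtSms("+15550100777", 0x00, 0x00, b"hello"),
    # SIM data download from an unknown originator; SPI requests no integrity
    MtSms("+15550100999", PID_SIM_DATA_DOWNLOAD, 0xF6,
          bytes([0x00, 0x10, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x50, 0x53, 0x54])),
    # class-2 (SIM specific) message without the download PID, unknown sender
    MtSms("+15550100888", 0x00, 0x16, b"\x00\x08\x05\x00\x00"),
    # carrier OTA platform; SPI byte 1 = 0x06: cryptographic checksum + ciphering
    MtSms("+15550100001", PID_SIM_DATA_DOWNLOAD, 0xF6,
          bytes([0x00, 0x20, 0x15, 0x06, 0x21, 0x15, 0x25, 0xB0, 0x00, 0x01])),
    # allowlisted originator string but an unauthenticated packet (spoof attempt)
    MtSms("+15550100001", PID_SIM_DATA_DOWNLOAD, 0xF6,
          bytes([0x00, 0x10, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x50, 0x53, 0x54])),
]

if __name__ == "__main__":
    for originator, verdict in triage(SAMPLE_TRAFFIC):
        print(f"{originator:>14}  {verdict}")
```

The point of the second check is that originator addresses in SMS are spoofable, so an allowlist alone is not enough: a real OTA platform sends command packets that carry a cryptographic checksum or signature keyed to the card, and anything SIM-bound that lacks one can be dropped and logged regardless of who it claims to be from.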



30 minutes ago, VegetableStu said:

inb4 someone gets one to run minecraft

Minecraft, no.


Atari Basic. Maybe?


39 minutes ago, huilun02 said:

How bout make a phone with a GPS and cellular radio killswitch?

Haven't looked into the details in a while but isn't that what the Librem 5 intends to do?

 

Among other things, it will also ship with a Linux distro, because Android is becoming more and more of an over-bloated cluster fuck for Google to spy on you.


Can't wait for Apple to release a blog post telling their customers that this "only affected a small ethnic group and not 1 billion people," that they "take security very seriously," and that you should continue buying iPhones.

 

I'm curious if anything is going to be done over this, especially in certain countries.

if you have to insist you think for yourself, i'm not going to believe you.


Is this related to the SIM swapping attacks on twitter recently?

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB CPU: Ryzen 9 5900X Case: Antec P8 PSU: Corsair RM850x Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


33 minutes ago, williamcll said:

Is this related to the SIM swapping attacks on twitter recently?

No, that's irrelevant, SIM swapping involves social engineering, not a software/hardware exploit.


2 hours ago, Crowbar said:

Haven't looked into the details in a while but isn't that what the Librem 5 intends to do?

 

Among other things, it will also ship with a Linux distro, because Android is becoming more and more of an over-bloated cluster fuck for Google to spy on you.

Huh, that might end up being my next phone. Seems really nice tbh

I spent $2500 on building my PC and all i do with it is play no games atm & watch anime at 1080p(finally) watch YT and write essays...  nothing, it just sits there collecting dust...

Builds:

The Toaster Project! Northern Bee!

 

The original LAN PC build log! (Old, dead and replaced by The Toaster Project & 5.0)


"Here is some advice that might have gotten lost somewhere along the way in your life. 

 

#1. Treat others as you would like to be treated.

#2. It's best to keep your mouth shut; and appear to be stupid, rather than open it and remove all doubt.

#3. There is nothing "wrong" with being wrong. Learning from a mistake can be more valuable than not making one in the first place.

 

Follow these simple rules in life, and I promise you, things magically get easier. " - MageTank 31-10-2016

 

 


On 9/12/2019 at 8:47 PM, VegetableStu said:

inb4 someone gets one to run minecraft

Or doom and skyrim, everything must run doom and skyrim.


can't get simjacked without a sim card. ?

I live in misery USA. my timezone is central daylight time which is either UTC -5 or -4 because the government hates everyone.

into trains? here's the model railroad thread!


On 9/12/2019 at 10:06 PM, huilun02 said:

How bout make a phone with a GPS and cellular radio killswitch?

You mean Airplane mode? 

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)