Simjacker: SIM-based phone hacking

[harlan4096]

Recently, experts at AdaptiveMobile Security discovered a method of attack on mobile phones that can be carried out using a normal computer and a dirt-cheap USB modem. Whereas some older methods of cellular surveillance required special equipment and a telecom operating license, this attack, called Simjacker, takes advantage of a vulnerability found in SIM cards.

It’s all about S@T Browser

Most SIM cards released since the early 2000s, including eSIM, feature a carrier menu. This menu includes tasks such as Balance Check, Recharge, Technical Support, and sometimes extras such as Weather, or even Horoscope, and so on. Old phones had it right in the main menu. iOS buries it deep in the Settings (under SIM Application), and in Android smartphones it’s a standalone app called SIM Toolkit.

The menu is essentially an app — or more precisely, several apps with the general name SIM Toolkit (STK) — but these programs do not run on the phone itself, but on the SIM card. Remember that your SIM card is in fact a tiny computer with its own operating system and programs. STK responds to external commands, such as buttons pressed on the carrier menu, and makes the phone perform certain actions, such as sending SMS messages or USSD commands.

One of the apps included in the STK is called S@T Browser. It is used for viewing Web pages of a certain format and pages located on the carrier’s internal network. For example, S@T Browser can supply information about your account balance.

The S@T Browser app has not been updated since 2009, and although in modern devices its functions are performed by other programs, S@T Browser is still actively used — or at the very least, is still installed on many SIM cards. Researchers have not named specific regions or telcos that sell SIM cards with this app installed, but they claim more than 1 billion people in no fewer than 30 countries use it, and it is in S@T Browser that the abovementioned vulnerability was discovered.

Simjacker attacks

The attack begins with an SMS message containing a set of instructions for the SIM card. Following these instructions, the SIM card queries the mobile phone for its serial number and the Cell ID of the base station in whose coverage zone the subscriber is located, and sends an SMS response with this information to the attacker’s number.

Base station coordinates are known (and even available online), so the Cell ID can be used to determine the location of the subscriber within several hundred meters. Location-based services in particular rely on the same principle for determining location without satellite assistance, for example, indoors or when GPS is turned off.

All fiddling with the hacked SIM card is totally invisible to the user. Neither incoming SMS messages with commands, nor replies with device location data are displayed in the Messages app, so Simjacker victims are likely not even aware that they are being spied on.
...

Continue Reading