SIM card exploit could be spying on over 1 billion mobile phone users globally

Researchers at a security firm named AdaptiveMobile Security have issued a report (via TNW) about a new vulnerability nicknamed Simjacker that uses your phone's SIM card to spy on you. Because all makes and models of mobile phones can be used with Simjacker, over 1 billion handsets might be affected globally. The research firm says that it believes the vulnerability was developed by a private company that works with governments to monitor the locations of individuals around the world. The exploit also can help the attackers obtain the unique IMEI number belonging to each phone.

Some SIM cards supplied by GSM carriers contain what is known as the S@T browser found in the SIM Application Toolkit. Once used to launch browsers (like the WAP browsers found on feature phones back in the day), Simjacker sends a binary SMS message to the browser with instructions for it to obtain the location data and IMEI numbers and send the information to an "accomplice device" also using binary SMS. Since smartphones can use HTML browsers, the S@T browser has become obsolete. Despite this fact, AdaptiveMobileSecurity discovered that carriers in 30 countries representing over 1 billion mobile phone users have S@T technology active. That might overstate the actual number of those affected by the exploit since many carriers are no longer using SIM cards equipped with the S@T browser technology.

The report indicated that individuals are being tracked daily by Simjacker with some particular phone numbers being tracked hundreds of times over a seven-day period. The process of spying on a vulnerable handset requires a cheap GSM modem to send a message to a SIM card that contains the S@T browser technology. Using binary SMS, which is not the same as regular text messages, phones can be instructed to collect the requested information and disseminate it to a bad actor. The research report notes that "During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated."

And Simjacker's surveillance activities have now been broadened to "perform many other types of attacks against individuals and mobile operators such as fraud, scam calls, information leakage, denial of service and espionage." The only positive thing about this attack is that it relies on older technology that in theory should be phased out. But until the S@T technology is completely removed from all SIM cards, Simjacker remains a threat. And as AdaptiveMobile Security’s chief technology officer Cathal Mc Daid said, "Now that this vulnerability has been revealed, we fully expect the exploit authors and other malicious actors will try to evolve these attacks into other areas."

The GSM Association trade body says that it has been made aware of Simjacker and says that it has worked with the researchers and the mobile industry to learn which SIM cards are affected, and how the malicious messages being sent can be blocked.