Simjacker silent phone hack could affect a billion users

The shadowy world of phone-surveillance-for-hire became a little clearer last week following the discovery of a phone exploit called Simjacker.

The exploit, discovered by mobile carrier security company AdaptiveMobile Security, allows attackers to remotely exploit a phone simply by sending a text message. From the report:

The main Simjacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands.

The message won’t even display to the user, it said. Furthermore, because the attack is independent of phone brand, around a billion phone users are vulnerable.

AdaptiveMobile Security found people using the exploit, which researchers speculated about as far back as 2011. In a report on the technology, the company said:

We believe this vulnerability has been exploited for at least the last two years by a highly sophisticated attacker group.

The attack works using a legacy browser technology embedded in the SIM card on many mobile phones. Called the S@T Browser, it is normally used for browsing through the phone’s SIM card, but it can also receive specially crafted messages sent by the carrier network. These are not regular messages; they’re binary code, used to process special instructions.

The browser was normally used to send things like promotional messages but the attackers used it to process invisible requests for the phone’s location data and its International Mobile Equipment Identity (IMEI), which is an ID unique to every mobile phone. They’d send a message to the S@T browser asking it for this information, which it would then retrieve and store on the SIM card. The attacker could then retrieve it by sending another message.

The S@T browser is a great tool for attacking a phone via SMS message because the specially crafted messages it receives don’t alert the user in any way. Both the request and the phone’s response are silent. This means attackers can use it to spy on a phone’s user by sending messages to the phone repeatedly, requesting its location without the user being any the wiser.

AdaptiveMobile Security used its own threat analytics system to correlate the pattern of the attack with the attackers already in its database, and appears to have found a hit. It continued:

… we can say with a high degree of certainty, that the source is a large professional surveillance company, with very sophisticated abilities in both signalling and handsets.

The group has also tested other attacks using the same mechanism, including spreading malware and call interception.

Phone surveillance is becoming big business, with several companies offering to hack high-profile targets. While these solutions are usually sold as crime-fighting or anti-terrorism technologies there have been concerns that some governments are using them for human rights abuses.

Now that AdaptiveMobile has shone a light on Simjacker, it’s up to carriers to fix the problem, it warned. The exploit works because many operators aren’t checking the source of these binary messages. They could block it by configuring the firewall technology in their networks, it advised.
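The mechanism described above (binary messages addressed to the SIM rather than to the user) and the mitigation (operators checking the source of those messages and blocking them at the network firewall) can be illustrated together. The following is an added example, not code from the article or from AdaptiveMobile Security. It models a minimal carrier-side filtering rule: a short message is treated as a SIM data download when its TP-Protocol-Identifier is 0x7F or its TP-Data-Coding-Scheme carries message class 2 (both defined in 3GPP TS 23.040), and such messages are only allowed from an allowlist of the operator's own OTA platforms. The addresses, the allowlist and the sample traffic are constructed; a production SMS firewall would additionally inspect the SMS-PP envelope itself, which this example does not attempt.

```python
"""Constructed carrier-side SMS firewall rule for SIM data download messages.

Flags binary (U)SIM-addressed short messages that do not come from a trusted
over-the-air (OTA) source, and counts them per sender so repeated silent
requests to the same handset stand out for analysts.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# TP-PID value meaning "(U)SIM Data download" (3GPP TS 23.040).
SIM_DATA_DOWNLOAD_PID = 0x7F


@dataclass(frozen=True)
class SmsHeader:
    originating_address: str   # sender as seen by the network (MSISDN or short code)
    destination_address: str   # subscriber the message is routed to
    tp_pid: int                # TP-Protocol-Identifier octet
    tp_dcs: int                # TP-Data-Coding-Scheme octet


def dcs_message_class(dcs: int) -> Optional[int]:
    """Return the message class (0-3) encoded in TP-DCS, or None if absent.

    Per TS 23.040 the class is present in the general coding groups 00xx
    when bit 4 is set, and always in the 1111 "data coding/message class" group.
    """
    group = dcs >> 4
    if group <= 0x3:
        return dcs & 0x03 if dcs & 0x10 else None
    if group == 0xF:
        return dcs & 0x03
    return None


def is_sim_data_download(h: SmsHeader) -> bool:
    """True when the message is addressed to the (U)SIM rather than the user."""
    return h.tp_pid == SIM_DATA_DOWNLOAD_PID or dcs_message_class(h.tp_dcs) == 2


def firewall_decision(h: SmsHeader, trusted_sources: frozenset) -> tuple:
    """Return ("allow" | "block", reason) for one message header."""
    if not is_sim_data_download(h):
        return ("allow", "ordinary text message")
    if h.originating_address in trusted_sources:
        return ("allow", "SIM data download from trusted OTA source")
    return ("block", "SIM data download from untrusted source")


def filter_batch(headers, trusted_sources: frozenset):
    """Apply the rule to a batch; return the blocked headers and a per-sender count."""
    blocked = [h for h in headers if firewall_decision(h, trusted_sources)[0] == "block"]
    return blocked, Counter(h.originating_address for h in blocked)


# Hypothetical allowlist: the operator's own OTA platform (assumed address).
TRUSTED_OTA = frozenset({"+10000000001"})

# Constructed sample traffic; the addresses are not real.
SAMPLE = [
    SmsHeader("+10000000001", "+15550000100", 0x7F, 0xF6),  # legitimate OTA message
    SmsHeader("+15550009999", "+15550000100", 0x7F, 0xF6),  # binary message, unknown sender
    SmsHeader("+15550009999", "+15550000100", 0x00, 0x16),  # class-2 DCS, unknown sender
    SmsHeader("+15550000200", "+15550000100", 0x00, 0x00),  # ordinary text message
]

if __name__ == "__main__":
    blocked, per_source = filter_batch(SAMPLE, TRUSTED_OTA)
    for h in blocked:
        print("blocked", h.originating_address, "->", h.destination_address)
    print("blocked per sender:", dict(per_source))
```

Run as a script, the block blocks the two messages from the unknown sender and leaves the operator's own OTA message and the ordinary text untouched. The per-sender counter is the simplest form of the correlation the article describes: one address repeatedly pushing silent SIM-addressed messages at the same handset is the pattern worth surfacing.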