In between reports of increasingly sophisticated nation-state sponsored cyberattacks on devices and platforms of all flavours and varieties, the Simjacker news in September was decidedly old school. Exploiting archaic leftover functionality on SIM cards installed in devices worldwide, this malicious attack was reportedly harnessed by a private contractor working on behalf of a government agency to retrieve “location information for thousands of devices—with the vulnerability exploited for at least two years by a highly sophisticated threat actor in multiple countries.”
When the research team at AdaptiveMobile Security disclosed Simjacker, there was immediate skepticism about how real the vulnerability was and how likely it was that Simjacker had enabled over-the-air attacks as suggested. And if so, what was the true scale of the vulnerability? Now the team at SRLabs has published a report that addresses both the likely scale of the vulnerability and the potential damage that can be achieved by an attack. In doing so, SRLabs confirmed the validity of the Simjacker exploit, and also wrapped in a second, similar exploit disclosed since Simjacker came to light. In combination, they reported that more than 9% of all SIM cards are vulnerable, based on their testing set.
Sounds low? Don’t be deceived—there are now more than 7 billion mobile devices worldwide. Even taking a highly qualified view of the market, the likelihood is that hundreds of millions of devices are susceptible to an over-the-air hack using nothing more than a text message.
Simjacker exploits the SIM card’s S@T Browser; the more recently disclosed WIBattack exploits the Wireless Internet Browser (WIB) app. “SIM cards are small computers inside your mobile phone,” SRLabs explains. “Besides their main role of authenticating you to the network, they run Java applications and can instruct your mobile phone to do various things.” Essentially, both execute code on the SIM that engages with the functionality of the device. And that functionality includes making calls and sending texts, retrieving location information, even opening a specified link in the device’s browser. Calls and texts can be premium rate. Theoretically a call could also open the device to eavesdrop on its surroundings. Location information can be used to tag, track and locate a target.
SRLabs found that 9.4% of the 800 tested SIMs “have the S@T applet installed,” of which “5.6% are vulnerable to Simjacker,” basically because no security layer has been applied. “10.7% have the WIB applet installed,” of which “3.5% are vulnerable to a Simjacker-style attack against the WIB applet,” which means, in total, 9.1% of tested SIM cards were vulnerable to attacks against either S@T or WIB.
In disclosing Simjacker, AdaptiveMobile Security claimed to be “quite confident” that the exploit had been used to spy on individuals. The researchers also said they were “quite confident” that the exploit was developed by a private enterprise “that works with governments to monitor individuals… in several countries,” with attacks reaching as many as several hundred numbers—read individuals—per day.
In its research paper, SRLabs also wrote that “a few” Simjacker attacks have been reported since 2016 through another SRLabs tool called SnoopSnitch. Once installed on a rooted Android phone, SnoopSnitch can detect attacks against the device. By contrast, there doesn’t appear to be any evidence that WIBattack has been exploited in the wild.
This is a solvable problem, with fixes to prevent SIM attacks recommended more than five years ago, “recommendations given by the GSMA and by SRLabs in 2013 and implemented by many, but not most, mobile networks, since then.”
SRLabs advises that the likelihood of an exploit is exceptionally low. And the newer your SIM card, the less likely it is—“none of the most recent SIM cards we tested show the presence of the vulnerable applications or badly chosen security settings.” So, if you have been carrying a SIM for many years from one device to another, it might be a good idea to spend a few bucks and get a new one.