Experts have warned that this attack is not just a concept and has been regularly used in reality in the past two years. “We are confident that this exploit was developed by a specific private company that works with governments to monitor individuals,” experts write.
AdaptiveMobile experts do not disclose the name of the company carrying out these attacks, and therefore it is unclear whether this problem is used to track criminals or terrorists, or whether it is used to track dissidents, activists and journalists.
According to the researchers, the same unnamed company has also obtained extensive access to the SS7 and Diameter core networks, and the targets of Simjacker attacks often also become victims of attacks via SS7. Apparently, SS7 attacks are the less preferred, fallback option used when Simjacker does not work. The reason is that operators have recently devoted far more time and effort to protecting their SS7 and Diameter infrastructure, whereas Simjacker attacks are cheap and easy to execute.
The essence of the attack is that, using a smartphone or a simple GSM modem, the attacker sends a specially crafted SMS message containing hidden SIM Toolkit instructions to the victim’s device. These instructions are handled by the S@T Browser application running on the device’s SIM card.
STK and S@T Browser are old technologies supported by many mobile networks and SIM cards. With their help, various actions can be performed on the device, for example launching a browser, playing a sound or showing pop-ups. Previously, mobile operators often used this to send users promotional offers or billing information.
In a Simjacker attack, the attacker abuses this mechanism and orders the victim’s device to hand over its location data and IMEI, which the SIM card then sends in an SMS message to a third-party device, so that the attacker eventually learns the location of the target. At the same time, the victim sees no SMS messages or other signs of compromise. That is, attackers can repeatedly send such SMS messages to their victims and thus track their location continuously, for weeks or even months. Since the Simjacker attack targets the SIM card, it does not depend on the platform or type of user device.
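As an added example (not from the AdaptiveMobile research or this article), here is a defender-side heuristic that an operator’s SMS firewall could run over delivery records: it flags subscribers who repeatedly receive SIM-bound binary SMS from senders other than the operator’s own OTA platform, which is the pattern the paragraph above describes. The record fields, sender names, numbers and threshold are assumptions; the PID and DCS markers are the standard 3GPP values that route an SMS to the SIM instead of the user’s inbox.

```python
from collections import defaultdict

# Markers that route an SMS to the (U)SIM instead of the user's inbox
# (3GPP TS 23.040): TP-PID 0x7F "(U)SIM Data download" and TP-DCS
# message class 2 "(U)SIM specific message". Such messages are never shown.
SIM_DATA_DOWNLOAD_PID = 0x7F
SIM_SPECIFIC_CLASS = 2


def is_sim_bound(msg):
    """True if the SMS is delivered to the SIM rather than displayed."""
    return (msg["pid"] == SIM_DATA_DOWNLOAD_PID
            or msg["dcs_class"] == SIM_SPECIFIC_CLASS)


def find_suspicious_targets(records, known_ota_senders, threshold=3):
    """Count SIM-bound SMS per destination that did not come from the
    operator's own OTA platform; return subscribers at or above threshold."""
    counts = defaultdict(int)
    for msg in records:
        if is_sim_bound(msg) and msg["sender"] not in known_ota_senders:
            counts[msg["dest"]] += 1
    return {dest: n for dest, n in counts.items() if n >= threshold}


# Constructed sample of SMSC delivery records (hypothetical numbers, not
# real traffic). The operator's OTA platform legitimately pushes SIM-bound
# messages; an unknown handset-originated sender repeatedly hits one MSISDN.
KNOWN_OTA_SENDERS = {"OPERATOR-OTA"}
SAMPLE_RECORDS = [
    {"sender": "OPERATOR-OTA", "dest": "+10005550101", "pid": 0x7F, "dcs_class": 2},
    {"sender": "OPERATOR-OTA", "dest": "+10005550199", "pid": 0x7F, "dcs_class": 2},
    {"sender": "+10005550100", "dest": "+10005550199", "pid": 0x7F, "dcs_class": 2},
    {"sender": "+10005550100", "dest": "+10005550199", "pid": 0x7F, "dcs_class": 2},
    {"sender": "+10005550100", "dest": "+10005550199", "pid": 0x00, "dcs_class": 2},
    {"sender": "+10005550100", "dest": "+10005550199", "pid": 0x00, "dcs_class": 1},
    {"sender": "+10005550100", "dest": "+10005550123", "pid": 0x7F, "dcs_class": 2},
]

if __name__ == "__main__":
    # Only the subscriber hit three times by the unknown sender is reported.
    print(find_suspicious_targets(SAMPLE_RECORDS, KNOWN_OTA_SENDERS))
```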
“We noticed that the devices of almost all manufacturers successfully allow us to find out the user's location data: Apple, ZTE, Motorola, Samsung, Google, Huawei and even IoT devices with SIM cards,” the researchers write.
AdaptiveMobile experts note that Simjacker attacks occur in large numbers every day. Most often, phone numbers are tracked several times a day, over a long period of time.
“The schemes and the number of tracking devices indicate that this is not a large-scale mass tracking operation, but an operation to track a large number of people for various purposes, and the goals and priorities of the operators change over time,” experts say.
Analysts also note that Simjacker attacks can be prevented easily if operators pay attention to what code actually runs on their SIM cards. The S@T Browser specification has not been updated since 2009, and its original functionality, such as retrieving account balance information via the SIM card, has long been obsolete and replaced by other technologies. Nevertheless, the outdated S@T Browser is still in use and is present on the SIM cards of mobile operators in at least 30 countries. In total, more than one billion people live in these countries, and all of them are at risk of covert surveillance using Simjacker.
According to journalists at Vice Motherboard, Sprint and T-Mobile said their users were not affected, and AT&T said its US network was immune to such attacks.
Even worse, other commands supported by S@T Browser include the ability to make calls, send messages, disable the SIM card, run AT modem commands, open a browser (with phishing links or malicious sites) and much more. That is, Simjacker attacks can be used not only to monitor users but also to carry out financial fraud (calls to premium-rate numbers), espionage (placing a call and listening to conversations near the device), sabotage (disabling the victim’s SIM card), misinformation campaigns (sending SMS/MMS with fake content) and so on.
It should be noted that Simjacker attacks are not an entirely new phenomenon. For example, the abuse of STK instructions was described at a theoretical level back in 2011 by information security specialist Bogdan Alecu. At the time, the expert warned that it could be used to send SMS to premium-rate numbers or to interfere with the receipt of regular text messages. A similar attack was also demonstrated in 2013 at the Black Hat conference.