Last month, AdaptiveMobile Security researchers described a Simjacker attack that uses SMS messages to send SIM Toolkit (STK) and S @ T Browser instructions on a SIM card. The essence of the attack is that using a smartphone or a simple GSM modem, an attacker sends a special SMS message containing hidden instructions for the SIM Toolkit to the victim’s device. These instructions are supported by the S @ T Browser application running on the device’s SIM card.
Simjacker allows attackers to track user devices, and other commands supported by S @ T Browser include the ability to make calls, send messages, turn off the SIM card, run AT-modem commands, open browsers (with phishing links or opening malicious sites), and much more another. That is, using Simjacker attacks, you can not only monitor users, but also carry out financial fraud (calls to premium numbers), spying (make a call and listen to conversations near the device), sabotage (disabling the victim’s SIM card), and organize misinformation campaigns ( sending SMS / MMS with fake content) and so on.
Ginno Security Labs Now discovered a problemsimilar to that used in the Simjacker attack. Only their attack, WIBattack, involves the operation of the Wireless Internet Browser (WIB), not the S @ T Browser. Both are Java applets that mobile operators install on their SIM cards.
As in the case of S @ T Browser, with the help of WIB, attackers can also send special SMS (called OTA SMS), which will execute STK (SIM Toolkit) instructions on SIM cards if operators do not take care of security.
WIB supports about the same commands as the S @ T Browser: receiving location data, making calls, sending SMS, sending USSD and SS requests, launching a browser with a specific URL, displaying a text message on the device, and so on. As a result, an attacker can not only track users, but also initiate phone calls and listen to conversations nearby.
Researchers write that they discovered WIBattack back in 2015 and then noticed the Simjacker problem (which they called S @ Tattack), but did not publish the results of their research, fearing the consequences. According to their estimates, the number of devices with SIM cards with vulnerable WIB on board is “hundreds of millions”.
However, recently published report SRLabs says that everything is not as scary as it might seem. So, the researchers created two applications: SIMTester and Snoop snitch. The first is designed for desktops and allows you to test SIM cards for vulnerabilities. The second is an Android application that runs on Qualcomm chipset devices and can check phones for various vulnerabilities in SIM cards, mobile networks, and the OS.
Telemetry collected using SIMTest showed that Simjacker and WIBattack are not at all as dangerous as they seem. After checking more than 800 SIM cards from around the world, the researchers concluded that most mobile operators no longer use S @ T Browser and WIB:
- only 9.4% of tested SIM cards have S @ T Browser installed;
- approximately 5.6% of SIM cards are vulnerable to Simjacker because their security level was set to zero;
- 10.7% of SIM cards have WIB installed;
- only 3.5% are vulnerable to attacks on WIB;
- in total, only 9.1% of the tested SIM cards are vulnerable to attacks on the S @ T Browser or WIB.
In addition, data received from more than 500,000 SnoopSnitch users showed that only a small number of users generally receive OTA SMS messages needed to use Simjacker and WIBattack:
- only 8 users received 29 OTA SMS intended for S @ T Browser;
- The first such message is dated 2016;
- Most OTA SMS was intended for users in Latin and South America.
As a result, SRLabs experts conclude that in the context of attacks on mobile networks, Simjacker and WIBattack will be less attractive to criminals, in contrast to attacks on SS7 or social engineering (for example, SIM card swaps and SIM swap attacks).