Simjacker


Simjacker is a cellular software exploit for SIM cards discovered by AdaptiveMobile Security. [1] According to ZDNet, SIM cards in 29 countries are vulnerable. [2] According to the Wall Street Journal, the vulnerability has been exploited primarily in Mexico, but also in Colombia and Peru, [3] where it was used to track the location of mobile phone users without their knowledge.


History

The vulnerability was discovered by Cathal Mc Daid of AdaptiveMobile Security in 2019 and reported to the GSM Association through its Coordinated Vulnerability Disclosure process. [4] It was first reported publicly on 12 September 2019. [5] A technical paper and a presentation were made available at the VirusBulletin conference on 3 October 2019. [6] [7]

Technical information

The attack works by exploiting a vulnerability in a UICC/SIM card library called the S@T Browser. [8] A specially formatted binary text message is sent to the victim handset; it contains a set of commands to be executed by the S@T Browser environment in the UICC. Because the S@T Browser environment has access to a subset of SIM Toolkit commands, the attackers used this vulnerability to instruct the UICC to request the IMEI and location information from the handset via SIM Toolkit commands. Once this was obtained, the UICC instructed the handset to exfiltrate the information to the attackers in another text message. Other types of attack are also possible using the S@T Browser, such as forcing a mobile device to open a web page or to make a phone call. [9]

The attack differed from previously reported SIM card attacks, which required the SIM key to be obtained. [10] The Simjacker attack does not require a SIM key, only that the SIM card has the S@T Browser library installed on it and that the binary messages containing the S@T Browser commands can be delivered to the victim.
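Because the attack depends on binary messages being delivered to the SIM, a defender's first handle on it is the SMS header rather than the S@T payload: 3GPP TS 23.040 marks messages destined for the SIM with TP-PID 0x7F ("(U)SIM data download") and a class 2, 8-bit TP-DCS, so a handset app or an operator SMS gateway that sees the raw SMS-DELIVER TPDU can flag such messages for inspection. The following is an added illustration of that header-level triage, not code from this article, AdaptiveMobile or SRLabs; the PDU parser, the `triage` function and the two sample TPDUs (placeholder originator number, dummy user data) are all constructed here.

```python
"""
Header-level triage of inbound SMS-DELIVER TPDUs for SIM-targeted binary SMS.

Hypothetical defender-side helper (constructed for this illustration).
It relies on two facts from 3GPP TS 23.040: TP-PID 0x7F means
"(U)SIM Data download", and a class 2, 8-bit TP-DCS tells the handset to
hand the message to the SIM instead of displaying it.
"""
from __future__ import annotations

from dataclasses import dataclass

PID_SIM_DATA_DOWNLOAD = 0x7F  # 3GPP TS 23.040, TP-Protocol-Identifier


@dataclass
class DeliverHeader:
    originator: str
    pid: int
    dcs: int
    udhi: bool        # TP-UDHI: user data starts with a header (e.g. concatenation)
    user_data: bytes


def decode_semi_octets(raw: bytes, ndigits: int) -> str:
    """Decode GSM semi-octet digits (BCD, low nibble first)."""
    digits = []
    for b in raw:
        digits.append(str(b & 0x0F))
        digits.append(str(b >> 4))
    return "".join(digits[:ndigits])


def parse_sms_deliver(tpdu: bytes) -> DeliverHeader:
    """Parse the fixed header fields of an SMS-DELIVER TPDU (no SMSC prefix)."""
    if len(tpdu) < 3 or tpdu[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(tpdu[0] & 0x40)
    oa_len = tpdu[1]                       # originator address length, in digits
    oa_type = tpdu[2]                      # type-of-address octet
    oa_bytes = (oa_len + 1) // 2
    pos = 3
    originator = decode_semi_octets(tpdu[pos:pos + oa_bytes], oa_len)
    if oa_type & 0x70 == 0x10:             # international numbering plan
        originator = "+" + originator
    pos += oa_bytes
    if len(tpdu) < pos + 2 + 7 + 1:        # TP-PID, TP-DCS, TP-SCTS(7), TP-UDL
        raise ValueError("truncated SMS-DELIVER TPDU")
    pid = tpdu[pos]
    dcs = tpdu[pos + 1]
    pos += 2 + 7                           # skip TP-PID, TP-DCS and the timestamp
    udl = tpdu[pos]
    user_data = tpdu[pos + 1:pos + 1 + udl]
    return DeliverHeader(originator, pid, dcs, udhi, user_data)


def dcs_is_class2_8bit(dcs: int) -> bool:
    """True when TP-DCS encodes '8-bit data, message class 2 ((U)SIM-specific)'."""
    if dcs & 0xF0 == 0xF0:                 # "data coding / message class" group
        return bool(dcs & 0x04) and (dcs & 0x03) == 0x02
    if dcs & 0xC0 == 0x00:                 # "general data coding" group
        return bool(dcs & 0x10) and (dcs & 0x0C) == 0x04 and (dcs & 0x03) == 0x02
    return False


def triage(tpdu: bytes) -> list[str]:
    """Return the reasons (if any) a message deserves operator-side scrutiny."""
    h = parse_sms_deliver(tpdu)
    reasons = []
    if h.pid == PID_SIM_DATA_DOWNLOAD:
        reasons.append("TP-PID 0x7F: (U)SIM data download")
    if dcs_is_class2_8bit(h.dcs):
        reasons.append(f"TP-DCS 0x{h.dcs:02X}: 8-bit data, class 2 (routed to SIM)")
    return reasons


# Constructed samples. Originator +1234567890 is a placeholder; the timestamp
# is 2019-09-12 12:34:00; the four user-data bytes in SIM_BOUND are dummy
# filler, not a real command packet.
_OA = bytes([0x0A, 0x91, 0x21, 0x43, 0x65, 0x87, 0x09])
_SCTS = bytes([0x91, 0x90, 0x21, 0x21, 0x43, 0x00, 0x00])
SIM_BOUND = bytes([0x04]) + _OA + bytes([0x7F, 0xF6]) + _SCTS + bytes([0x04, 0x00, 0x01, 0x02, 0x03])
ORDINARY_TEXT = bytes([0x04]) + _OA + bytes([0x00, 0x00]) + _SCTS + bytes([0x05]) + bytes.fromhex("E8329BFD06")

if __name__ == "__main__":
    for name, pdu in (("SIM_BOUND", SIM_BOUND), ("ORDINARY_TEXT", ORDINARY_TEXT)):
        print(name, parse_sms_deliver(pdu).originator, triage(pdu) or ["no flags"])
```

Flagging is deliberately conservative: a SIM-bound message is not proof of Simjacker, since operators use the same channel for legitimate over-the-air SIM management, so the output is a triage signal for further inspection (unexpected originators, volume per subscriber) rather than a block decision.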

Simjacker was registered in the Common Vulnerabilities and Exposures database as CVE-2019-16256 [11] and CVE-2019-16257, [12] and by the GSM Association in its Coordinated Vulnerability Disclosure process as CVD-2019-0026. [13]

Impact

The vulnerability was estimated to affect UICCs at at least 61 mobile operators in 29 countries, with estimates ranging from a few hundred million to over a billion [14] SIM cards affected. The researcher reported that the most probable, conservative estimate is that mid to high hundreds of millions of SIM cards globally are affected. [15]

The vulnerability was being actively exploited primarily in Mexico, where thousands of mobile phone users had been tracked by a surveillance company over the previous two years using this exploit. [16]

Mitigation

Mobile phone users can use a tool from SRLabs to check whether their SIM card is vulnerable. [17]


References

  1. Goodin, Dan (2019-09-12). "Hackers are exploiting a platform-agnostic flaw to track mobile phone locations". Ars Technica. Retrieved 2021-03-15.
  2. Cimpanu, Catalin. "These are the 29 countries vulnerable to Simjacker attacks". ZDNet. Retrieved 2021-03-15.
  3. Olson, Parmy (2019-09-13). "Hackers Use Spyware to Track SIM Cards". Wall Street Journal. ISSN 0099-9660. Retrieved 2021-07-28.
  4. "GSMA Mobile Security Research Acknowledgements". Security. Retrieved 2021-07-28.
  5. "Simjacker – Next Generation Spying Over Mobile | Mobile Security News | AdaptiveMobile". blog.adaptivemobile.com. 11 September 2019. Retrieved 2021-07-28.
  6. "Simjacker Technical Paper". www.adaptivemobile.com. Retrieved 2021-07-28.
  7. "Virus Bulletin :: Simjacker - the next frontier in mobile espionage". www.virusbulletin.com. Retrieved 2021-07-28.
  8. "Simjacker - Frequently Asked Questions and Demos | Mobile Security News | AdaptiveMobile". blog.adaptivemobile.com. 11 September 2019. Retrieved 2021-07-28.
  9. "Virus Bulletin :: Simjacker - the next frontier in mobile espionage". www.virusbulletin.com. Retrieved 2021-07-28.
  10. "Black Hat 2013 - Rooting SIM Cards". Retrieved 2021-07-28.
  11. "NVD - CVE-2019-16256". nvd.nist.gov. Retrieved 2021-07-28.
  12. "NVD - CVE-2019-16257". nvd.nist.gov. Retrieved 2021-07-28.
  13. "GSMA Mobile Security Research Acknowledgements". Security. Retrieved 2021-07-28.
  14. Spadafora, Anthony (2019-09-13). "Simjacker attack could affect a billion smartphones". TechRadar. Retrieved 2021-07-28.
  15. "Simjacker - VB2019 Presentation" (PDF).
  16. "Majority of Simjacker Attacks Aimed at Mobile Phones in Mexico | SecurityWeek.Com". www.securityweek.com. Retrieved 2021-07-28.
  17. "New SIM attacks de-mystified, protection tools now available". www.srlabs.de. Retrieved 2021-07-28.