Really bad news for today! It was just announced that a new critical vulnerability is present ins SIM cards. If this flaw is leveraged, it could give hackers remote access to mobile phones in order to spy on their victims.
This new cyberattack is known as “SimJacker”, its vulnerability lays in a piece of software, named the S@T Browser or SIMalliance Toolbox Browser.
S@T Browser is an application that comes installed on a variety of SIM cards, including eSIM, as part of SIM Tool Kit (STK) and has been designed to let mobile carriers provide some basic services, subscriptions, and value-added services over-the-air to their customers.
This S@T Browser can be found on most of the SIM cards; many of which are being used by mobile operators in at least 30 countries!
Cybersecurity researchers say that hackers are actively exploiting the SimJacker vulnerability from at least the last two years.
This is how SimJacker works:
The vulnerability can be exploited by anyone using a $10 GSM modem to perform several tasks:
retrieving targeted device’ location and IMEI information
spreading misinformation by sending fake messages on behalf of victims,
performing premium-rate scams by dialing premium-rate numbers,
spying on victims’ by ordering the device to call the hacker’s phone number,
spreading malware by forcing the victim’s phone browser to open a malicious web page
performing a denial of service attacks by disabling the SIM card
retrieving other information like language, radio type, battery level, etc.
The most problematic thing about this cyberattack is that during the exploitation, the victim is completely unaware of it.
Simjacker is also unique because it could carry a complete malware payload, specifically spyware.
Cybersecurity researchers announced that real-cyberattacks against users with devices from nearly every manufacturer, including Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards, have been observed in the wild.
For the moment the SIMalliance has acknowledged the issue and provided recommendations for SIM card manufacturers to implement security for S@T push messages.
Also, mobile operators can protect their users by setting up a process to analyze and block suspicious messages that contain S@T Browser commands.
Unfortunately, as a potential victim, there is nothing much a mobile device user can do, except requesting for a replacement of their SIM that has proprietary cybersecurity mechanisms implemented.
Simjacker represents a clear danger to the mobile operators and subscribers, it is the most sophisticated cyberattack ever seen over core mobile networks.
This terrible event should serve as a wake-up call because as we can clearly see hackers are investing heavily in increasingly complex and creative ways to undermine network security.