Today, cybersecurity researchers revealed a critical flaw in SIM cards that allows an attacker to hijack a mobile phone simply by sending an SMS message. Dubbed “SimJacker,” the flaw is in a particular piece of SIM card software called the S@T Browser (a dynamic SIM toolkit) that is embedded in a large majority of SIM cards in at least 30 countries and can be exploited regardless of the manufacturer of the mobile device. The S@T Browser is a pre-installed application designed to allow mobile carriers to provide basic services, subscriptions, and other services over the air to their customers.

Attackers leveraging the vulnerability are able to send SMS messages to a target without the target being able to detect it. The SMS message that the victim receives contains STK (SIM Toolkit) instructions that are handled by the S@T Browser rather than by the phone, which keeps the victim blind to the attack. Though this is an old technology that was previously used to play sounds on the device and force pop-ups for advertisements, this type of attack is now being leveraged by a major threat actor that has yet to be named. For the past few years, the attacker leveraging this method has been sending and receiving SMS messages from the device without the user knowing, primarily sending SMS messages from the infected device to a third-party device that the attacker owned. The message included the location of the individual, which was being sent to the attacker multiple times a day. The attack works independently of the device type, meaning anyone with a SIM card could be affected, and researchers have seen devices from all major manufacturers fall victim to it at some point.

The attacker's main focus was to steal the location data of the user, but SimJacker is also capable of sending fake SMS messages from the victim’s device, spreading malware through fake SMS messages, denying mobile device use by disabling the SIM card, and dialing pay-per-minute services.
Analyst Notes
Mobile service providers can mitigate this attack by deploying software that blocks suspicious SMS messages that contain S@T Browser commands. Unfortunately, mobile device users do not have many options other than requesting a replacement SIM card that has proper security mechanisms in place, if one is available.
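
A sketch of how carrier-side filtering of this kind can recognize such messages, as an added example that is not from the researchers or from any filtering product. It is deliberately coarser than matching S@T Browser commands: it flags any SMS-DELIVER that is addressed to the SIM (header fields as defined in 3GPP TS 23.040) and blocks it unless the sender is on the operator's own over-the-air allowlist. The function names, the allowlist and the sample messages are assumptions constructed for illustration.

```python
"""Added example: screen SMS-DELIVER TPDUs (3GPP TS 23.040) for SIM-directed messages."""
from typing import NamedTuple

PID_SIM_DATA_DOWNLOAD = 0x7F                 # TP-PID value "(U)SIM Data download"
TOOLKIT_SECURITY_IEIS = range(0x70, 0x80)    # UDH element ids for SIM Toolkit security headers

class Verdict(NamedTuple):
    sender: str
    sim_directed: bool
    block: bool

def decode_address(tpdu: bytes, pos: int):
    """Decode the TP-OA field at pos (swapped BCD digits); return (digits, next position)."""
    ndigits = tpdu[pos]
    end = pos + 2 + (ndigits + 1) // 2       # length octet + type-of-address + digit octets
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in tpdu[pos + 2:end])
    return digits[:ndigits], end

def screen_sms_deliver(tpdu: bytes, trusted_ota_senders: frozenset) -> Verdict:
    """Flag messages addressed to the SIM; block them unless the sender is allowlisted."""
    if tpdu[0] & 0x03:
        raise ValueError("not an SMS-DELIVER TPDU")
    has_udh = bool(tpdu[0] & 0x40)           # TP-UDHI bit: user data starts with a header
    sender, pos = decode_address(tpdu, 1)
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    user_data = tpdu[pos + 2 + 7 + 1:]       # skip PID, DCS, 7-octet timestamp and UDL
    # Class 2 is the SIM-specific message class; two DCS coding groups can carry a class.
    class2 = ((dcs & 0x90) == 0x10 or (dcs & 0xF0) == 0xF0) and (dcs & 0x03) == 0x02
    toolkit_header = False
    if has_udh and user_data:
        udh = user_data[1:1 + user_data[0]]
        i = 0
        while i + 1 < len(udh):              # walk the (IEI, length, data) elements
            toolkit_header |= udh[i] in TOOLKIT_SECURITY_IEIS
            i += 2 + udh[i + 1]
    sim_directed = (pid == PID_SIM_DATA_DOWNLOAD and class2) or toolkit_header
    return Verdict(sender, sim_directed, sim_directed and sender not in trusted_ota_senders)

# Constructed samples: fictional sender number, zeroed timestamps, placeholder payload bytes.
_HEADER = "0B91" + "5155550501F0"            # TP-OA for +15555550100
SIM_DIRECTED = bytes.fromhex("44" + _HEADER + "7F" + "F6" + "00" * 7 + "07" + "027000" + "00" * 4)
ORDINARY_TEXT = bytes.fromhex("04" + _HEADER + "00" + "00" + "00" * 7 + "02" + "E834")

if __name__ == "__main__":
    for name, tpdu in (("sim-directed", SIM_DIRECTED), ("ordinary", ORDINARY_TEXT)):
        print(name, screen_sms_deliver(tpdu, frozenset()))
```

A stricter policy would also inspect the secured command packet inside the user data and match the applications the operator wants to protect; those identifiers are operator-specific and are left out here.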