The shadowy world of phone-surveillance-for-hire became a little clearer last week following the discovery of a phone exploit called Simjacker.
The exploit, discovered by mobile carrier security company ActiveMobile Security, allows attackers to remotely exploit a phone simply by sending a text message. From the report:
The main Simjacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands.
The message won’t even display to the user, it said. Furthermore, because the attack is independent of phone brand, around a billion phone users are vulnerable.
AdaptiveMobile Security found people using the exploit, which researchers speculated about as far back as 2011. In a report on the technology, the company said:
We believe this vulnerability has been exploited for at least the last two years by a highly sophisticated attacker group.
The attack works using a legacy browser technology embedded in the SIM card on many mobile phones. Called the S@T Browser, it is normally used for browsing through the phone’s SIM card, but it can also receive specially crafted messages sent by the carrier network. These are not regular messages; they’re binary code, used to process special instructions.
The browser was normally used to send things like promotional messages but the attackers used it to process invisible requests for the phone’s location data and its International Mobile Equipment Identity (IMEI), which is an ID unique to every mobile phone. They’d send a message to the S@T browser asking it for this information, which it would then retrieve and store on the SIM card. The attacker could then retrieve it by sending another message.
The S@T browser is a great tool for attacking a phone via SMS message because the specially crafted messages it receives don’t alert the user in any way. The request, and the phone’s response, is silent. This means attackers can use it to spy on a phone’s user by sending messages repeatedly to the phone, requesting its location without them being any the wiser.
AdaptiveMobile Security used its own threat analytics system to correlate the pattern of the attack with the attackers already in its database, and appears to have found a hit. It continued:
… we can say with a high degree of certainty, that the source is a large professional surveillance company, with very sophisticated abilities in both signalling and handsets.
The group has also tested other attacks using the same mechanism, including spreading malware and call interception.
Phone surveillance is becoming big business, with several companies offering to hack high-profile targets. While these solutions are usually sold as crime-fighting or anti-terrorism technologies there have been concerns that some governments are using them for human rights abuses.
Now that AdaptiveMobile has shone a light on Simjacker, it’s up to carriers to fix the problem, it warned. The exploit works because many operators aren’t checking the source of these binary messages. They could block it by configuring the firewall technology in their networks, it advised.
dhunter
Great! Another mobile OS security bug that my perfectly functional but out-of-date phone will not get an update for. I absolutely despise the treadmill that many smart phone users are forced on to – After a couple of updates (if you’re lucky) phone manufacturers stop delivering OS updates forcing a user to buy a new phone to receive update support for another finite period of time.
Sure if you are competent and understand the in-and-outs of unlocking your phone, burning ROMS etc you can sometimes extend the life of the device but not all phones have ROMs available and most phone users are not knowledgeable enough to do this anyways. I swear, my next phone is going to be so “dumb” that there will be a string trailing behind me everywhere I go.
Paul Ducklin
Thing is, this isn’t a bug in the OS, it’s supposedly a “feature” of the underlying GSM/UMTS phone system, so it may well apply to phones of many eras and “smartnesses”.
Spryte
Yes, we have so many “features” now.
Where’s the button I tap to empty my bank account to some crook’s account?
Or the button to sweep up all my personal information to the Three Letter Acronyms?
Oh! It is already a “feature” I didn’t know about. I just turn it on.
Mahhn
I think you have to download that from goog’s “play” store. Just click on any app there.
Anonymous
‘ I think this type of thing has been going on for a long time these people need to be find and jailed
Paul Ducklin
Maybe we should get to a higher standard of suspicion than “I think” before we start investigating… and perhaps some sort of evidence would be nice before we starting finding people and sticking them in prison?
Steve
Get up on the wrong side of the bed this morning, Paul? I don’t understand what triggered your rather tart response, but it appears that you need a reminder that “sticking them in prison” will not happen unless and until there IS evidence. Such evidence is more than just a nicety, at least in civilized nations.
Paul Ducklin
The OP seemed to forget that – they said that they “think this has been happening for years and therefore someone needs to go to prison”.
It’s that peremptory presumption to which I object – especially given that the article itself is about a report that claims knowledge of, and talks up, a potentially huge problem with PR instead of evidence.
Before we start using this report as “evidence”, let’s wait until the report is out…
J
Wouldn’t an investigation be how you get the ‘more information’?
Steve
But if this is “a SIM thing”, then a SIM-less phone should be invulnerable to this particular technique, no?
Paul Ducklin
Though it seems it is also a S@T thing, so a related attack might be possible on other devices. Like you, I was ready to make that assumption until I figured…
…I should wait for the actual paper to come out. For example, one commenter here suggests that their phone can take a SIM but will work via a CDMA carrier without one, and is wondering if it might be affected even on CDMA. IMO it’s no more unreasonable to assume it “might” be vulnerable than to say that 1,000,000,000 devices with a SIM “might” be, which is pretty much all we have so far.
Robert Flieger
“it’s up to carriers to fix the problem, it warned.”
Any word on when a fix might be available?
Paul Ducklin
Would help if we knew enough detail to evaluate the risk for ourselves – so far, pretty much nothing but announcements.
Steve
Any thoughts on Vess’s Twitter thread here?
He brings up some very valid (to me anyway) points: https://twitter.com/VessOnSecurity/status/1173625466894393344
Paul Ducklin
My personal opinion is, “Nothing to see here until the paper is given at the Virus Bulletin conference.”
If it’s worth a microsite, a logo, a dedicated domain, a video and a lengthy article promoting the forthcoming paper, why not just present the paper and let us decide for ourselves? In other words, more like what Google did with those recent iOS zero days and less like the trailer for a film or an advert offering tickets for a concert.
An article boldly talking up a threat you have spent months researching ought IMO to have some didactic purpose and to help me figure out what to do.
Therefore there is not much point in speculating until the paper appears and we can make informed decisions not only about the level of risk but also about the likely effectiveness of any proposed fixes – and whether we need them ourselves, based on our carrier and our device.
My carrier already knows my IMEI, and basically already knows where I am whenever I have my phone turned on – how else could they get calls to me otherwise? (Vesselin is right that many budget phones have no GPS but that’s IMO a bit of a red herring here, except in respect of precision.)
Just how much does this new issue add to the existing threat model, where a carrier that isn’t protecting my interests properly already has everything it needs to leak location data in bulk to someone else, whether by accident or design?
What isn’t clear is just where the attackers in this case have to be in order to inject their messages, just how “invisible” it really is if they try, and just how many of the 1,000,000,000 devices that “might” be vulnerable actually are. That’s what I am waiting to find out.
Until then…
…don’t really know what am I supposed to think or say.
Mahhn
Well there is only one thing to think and say with limited information to make us expect the worst, in the words of Morbo: DOOM!!!
Ron
Will this affect CDMA subscribers even if their phones are capable of GMS as well? My iPhone is unlocked and can be used with any carrier, but I chose Verizon.
Paul Ducklin
No idea, and I can’t form an opinion based on what has been written so far, no matter that the claims sound both dramatic and confident. (The Titanic was both of those things.)
Therefore I am sitting tight until the very many ‘mights’, ‘coulds’ and ‘maybes’ in the story so far are replaced with something that can usefully be studied, reviewed and tested by other people.
I am attending an event that clashes with Virus Bulletin, but I await feedback from those of my colleagues who will be there – more news if I have it…
Anonymous
Makes sense to me. Thanks.