Simjacker: SIM-based phone hacking

Hacked SIM cards allow spying. We explain how and why.

Recently, experts at AdaptiveMobile Security discovered a method of attack on mobile phones that can be carried out using a normal computer and a dirt-cheap USB modem. Whereas some older methods of cellular surveillance required special equipment and a telecom operating license, this attack, called Simjacker, takes advantage of a vulnerability found in SIM cards.

It’s all about S@T Browser

Most SIM cards released since the early 2000s, including eSIM, feature a carrier menu. This menu includes tasks such as Balance Check, Recharge, Technical Support, and sometimes extras such as Weather, or even Horoscope, and so on. Old phones had it right in the main menu. iOS buries it deep in the Settings (under SIM Application), and in Android smartphones it’s a standalone app called SIM Toolkit.

The menu is essentially an app — or more precisely, several apps with the general name SIM Toolkit (STK) — but these programs run not on the phone itself, but on the SIM card. Remember that your SIM card is in fact a tiny computer with its own operating system and programs. STK responds to external commands, such as buttons pressed in the carrier menu, and makes the phone perform certain actions, such as sending SMS messages or USSD commands.

One of the apps included in the STK is called S@T Browser. It is used for viewing Web pages of a certain format and pages located on the carrier’s internal network. For example, S@T Browser can supply information about your account balance.

The S@T Browser app has not been updated since 2009, and although in modern devices its functions are performed by other programs, S@T Browser is still actively used — or at the very least, is still installed on many SIM cards. Researchers have not named specific regions or telcos that sell SIM cards with this app installed, but they claim more than 1 billion people in no fewer than 30 countries use it, and it is in S@T Browser that the abovementioned vulnerability was discovered.

Simjacker attacks

The attack begins with an SMS message containing a set of instructions for the SIM card. Following these instructions, the SIM card queries the mobile phone for its serial number and the Cell ID of the base station in whose coverage zone the subscriber is located, and sends an SMS response with this information to the attacker’s number.

Base station coordinates are known (and even available online), so the Cell ID can be used to determine the location of the subscriber within several hundred meters. Location-based services in particular rely on the same principle for determining location without satellite assistance, for example, indoors or when GPS is turned off.

All fiddling with the hacked SIM card is totally invisible to the user. Neither incoming SMS messages with commands, nor replies with device location data are displayed in the Messages app, so Simjacker victims are likely not even aware that they are being spied on.

Who did Simjacker hit?

According to AdaptiveMobile Security, spies have been tracking the location of people in several unspecified countries. And in one of them, about 100–150 numbers are compromised every day. Typically, requests are sent no more than once a week; however, some victims’ movements are monitored far more closely — the research team noticed that several recipients were sent several hundred malicious SMS messages per week.

Simjacker-type attacks can go a lot further

As the researchers noted, the cybercriminals did not use all of the SIM card capabilities that S@T Browser makes possible. For example, SMS can be used to make the phone call any number, send messages with arbitrary text to arbitrary numbers, open links in the browser, and even disable the SIM card, leaving the victim effectively phoneless.

The vulnerability opens up numerous potential attack scenarios — criminals can transfer money by SMS to a bank number, call premium-rate short numbers, open phishing pages in the browser, or download Trojans.

The vulnerability is particularly dangerous because it does not depend on the device in which the vulnerable SIM card is inserted; the STK command set is standardized and supported by all phones and even IoT devices with a SIM. For some operations, such as making a call, some gadgets request user confirmation, but many do not.

How can a user prevent Simjacker attacks?

Unfortunately, no stand-alone method exists for users to stop SIM card attacks. It is the duty of mobile carriers to ensure their customers’ security. Above all, they should avoid using outdated SIM menu apps, as well as block SMS messages containing dangerous commands.
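One carrier-side check that this guidance implies, written here as an added example (it is not from the article, AdaptiveMobile, or any carrier's product): a triage filter that flags incoming SMS a handset would hand straight to the SIM without showing it to the user, which under 3GPP TS 23.040 and TS 31.111 is signalled by TP-PID 0x7F ("(U)SIM data download") together with a class-2 TP-DCS, and then treats any such message from a sender other than the carrier's own OTA platform as suspect. The sample TPDUs, the originating number and the trusted OTA number are constructed.

```python
from dataclasses import dataclass

SIM_DATA_DOWNLOAD_PID = 0x7F          # TP-PID "(U)SIM data download", 3GPP TS 23.040

@dataclass
class SmsDeliverHeader:
    originator: str
    pid: int
    dcs: int

def dcs_message_class(dcs: int):
    """Message class (0-3) carried in TP-DCS, or None when no class is set."""
    group = dcs >> 4
    if group <= 0x3 and dcs & 0x10:   # general coding group, bit 4 = class bits in use
        return dcs & 0x03
    if group == 0xF:                  # "data coding / message class" group
        return dcs & 0x03
    return None

def parse_sms_deliver(tpdu_hex: str) -> SmsDeliverHeader:
    """Read TP-OA, TP-PID and TP-DCS from an SMS-DELIVER TPDU given as hex."""
    b = bytes.fromhex(tpdu_hex)
    if b[0] & 0x03 != 0:
        raise ValueError("not an SMS-DELIVER TPDU")
    n_digits = b[1]                   # TP-OA length in digits; b[2] is type-of-address
    n_bytes = (n_digits + 1) // 2
    swapped = "".join(f"{x & 0x0F:x}{x >> 4:x}" for x in b[3:3 + n_bytes])
    pos = 3 + n_bytes                 # TP-PID follows the address, TP-DCS follows it
    return SmsDeliverHeader(swapped[:n_digits], b[pos], b[pos + 1])

def is_sim_data_download(h: SmsDeliverHeader) -> bool:
    """True when a handset passes the message to the SIM instead of displaying it."""
    return h.pid == SIM_DATA_DOWNLOAD_PID and dcs_message_class(h.dcs) == 2

def triage(tpdu_hex: str, trusted_ota_senders: set[str]) -> str:
    """Label a message: user-visible, ota-trusted, or sim-download-untrusted."""
    h = parse_sms_deliver(tpdu_hex)
    if not is_sim_data_download(h):
        return "user-visible"
    return "ota-trusted" if h.originator in trusted_ota_senders else "sim-download-untrusted"

# Constructed sample TPDUs (not real captures): OA = +12345678901, then PID,
# DCS, a 7-byte timestamp, TP-UDL and placeholder user data.
SAMPLES = {
    "plain_text":   "040B912143658709F1" + "00" + "00" + "11101131523400" + "03414243",
    "sim_download": "040B912143658709F1" + "7F" + "F6" + "11101131523400" + "0400000000",
    "pid_only":     "040B912143658709F1" + "7F" + "00" + "11101131523400" + "03414243",
}
TRUSTED_OTA = {"19876543210"}         # constructed: the carrier's own OTA platform number

if __name__ == "__main__":
    for name, pdu in SAMPLES.items():
        print(name, "->", triage(pdu, TRUSTED_OTA))
```

Legitimate OTA provisioning uses the same channel, so the sender allowlist is the point of the rule; the filter separates the carrier's own traffic from everything else rather than blocking SIM-bound SMS outright.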

But there’s some good news. Although no expensive hardware is necessary to perform the attack, it does require fairly in-depth technical know-how and special skills, which means that the method is not likely to be deployed by every cybercriminal and his dog.

What’s more, the researchers notified the developer of S@T Browser, SIMalliance, of the vulnerability. In response, SIMalliance issued a set of security guidelines for carriers that use the app. The Simjacker attacks were also reported to the GSM Association, an international organization that represents the interests of mobile carriers all over the world. So it is hoped that companies will take all necessary protective measures at the earliest opportunity.