SimJacker is a vulnerability in software shipped on some SIM cards (the S@T Browser) that allows an attacker to take over the SIM in a victim's phone and spy on the victim simply by sending an SMS text message.
What is SimJacker?
The name SimJacker recalls browser hijacker malware, which lets criminal hackers change browser settings and redirect the user to malicious websites in order to profit from the extra traffic and the resulting popularity.
In the case of SimJacker, it is the over-the-air communication of unsuspecting mobile phone users that is hijacked.
The attack starts with an SMS message containing a series of instructions for the SIM card.
Following these instructions, the SIM asks the phone for its serial number (the IMEI) and for the Cell ID of the base station the user is connected to, then sends an SMS reply with this information to the attacker's number.
The coordinates of base stations are known (and even published online), so the Cell ID can be used to place the user within a radius of a few hundred metres.
Location-based services (LBS) use the same principle to determine your position without satellite assistance, for example indoors or when GPS is turned off.
All of this is completely invisible to the user of the hijacked SIM.
Neither the incoming SMS messages carrying the commands nor the replies carrying the device's location are shown in the Messages app, so SimJacker victims most likely never realise they have been spied on.
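The reply described above carries two items: the handset's IMEI and the "Location Information" of the serving cell. The following is an added example, not code from the original article or from the AdaptiveMobile Security report, showing how those two items are decoded and how a Cell ID becomes an approximate position once a cell database is available. The TLV tags (0x13 Location Information, 0x14 IMEI) and the BCD layouts follow ETSI TS 102 223 and 3GPP TS 24.008; the reply bytes, the IMEI, the test PLMN 001/01 and the cell database coordinates are constructed for the example.

```python
# Added example: decode the IMEI and Location Information items of a
# SimJacker-style SIM reply and resolve the Cell ID to a position.
# Not the article's or AdaptiveMobile's code; all sample data is constructed.

from dataclasses import dataclass
from typing import Optional

TAG_LOCATION_INFO = 0x13  # "Location Information" comprehension TLV (ETSI TS 102 223)
TAG_IMEI = 0x14           # "IMEI" comprehension TLV


@dataclass(frozen=True)
class CellLocation:
    mcc: str
    mnc: str
    lac: int
    cell_id: int


def parse_tlvs(payload: bytes) -> dict[int, bytes]:
    """Split a run of simple TLVs (1-byte tag, 1-byte length) into {tag: value}.
    Bit 7 of the tag is the 'comprehension required' flag and is masked off."""
    out: dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated TLV header")
        tag, length = payload[i] & 0x7F, payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        out[tag] = value
        i += 2 + length
    return out


def decode_plmn(b: bytes) -> tuple[str, str]:
    """MCC/MNC from the nibble-swapped 3-byte BCD layout of 3GPP TS 24.008.
    A two-digit MNC leaves 0xF in the unused nibble of the second byte."""
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc = f"{b[2] & 0xF}{b[2] >> 4}"
    if (b[1] >> 4) != 0xF:
        mnc += f"{b[1] >> 4}"
    return mcc, mnc


def decode_location(value: bytes) -> CellLocation:
    """Location Information value: PLMN (3 bytes), LAC (2 bytes), Cell ID
    (2 bytes, or 4 bytes when the extended cell identity is present)."""
    if len(value) not in (7, 9):
        raise ValueError(f"unexpected Location Information length {len(value)}")
    mcc, mnc = decode_plmn(value[:3])
    lac = int.from_bytes(value[3:5], "big")
    cell_id = int.from_bytes(value[5:], "big")
    return CellLocation(mcc, mnc, lac, cell_id)


def decode_imei(value: bytes) -> str:
    """IMEI as a Mobile Identity (3GPP TS 24.008): the first byte holds digit 1
    in the high nibble and the identity type (0b010 = IMEI) in the low 3 bits;
    each following byte holds two BCD digits, lower-order digit in the low nibble."""
    if len(value) != 8 or (value[0] & 0x7) != 0b010:
        raise ValueError("not an IMEI mobile identity")
    digits = [value[0] >> 4]
    for byte in value[1:]:
        digits += [byte & 0xF, byte >> 4]
    return "".join(str(d) for d in digits)


# Constructed cell database: (mcc, mnc, lac, cell_id) -> (lat, lon, radius_m).
# Real lookups use public datasets of base station coordinates; these numbers
# are invented and use the test PLMN 001/01.
CELL_DB = {
    ("001", "01", 258, 772): (45.0640, 7.6820, 400),
    ("001", "01", 258, 773): (45.0712, 7.6865, 350),
}


def resolve_cell(loc: CellLocation, db=CELL_DB) -> Optional[tuple[float, float, int]]:
    """Approximate position of the serving cell, or None if it is unknown."""
    return db.get((loc.mcc, loc.mnc, loc.lac, loc.cell_id))


# Constructed reply payload: Location Information TLV (tag 0x93 = 0x13 with the
# comprehension bit set) for PLMN 001/01, LAC 0x0102, Cell ID 0x0304, followed
# by an IMEI TLV carrying the made-up IMEI 490154203237518.
SAMPLE_REPLY = bytes.fromhex(
    "93 07 00 F1 10 01 02 03 04 "
    "94 08 4A 09 51 24 30 32 57 81"
)


def describe_reply(payload: bytes, db=CELL_DB) -> dict:
    """What can be recovered from one reply: handset identity and an
    approximate position, obtained with no satellite fix at all."""
    tlvs = parse_tlvs(payload)
    loc = decode_location(tlvs[TAG_LOCATION_INFO])
    return {
        "imei": decode_imei(tlvs[TAG_IMEI]),
        "cell": loc,
        "approx_position": resolve_cell(loc, db),  # None when the cell is unknown
    }


if __name__ == "__main__":
    print(describe_reply(SAMPLE_REPLY))
```

The radius in the database entry is what limits the precision: a single Cell ID only says which base station the phone is camped on, which is why the article speaks of a few hundred metres rather than an exact point.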
How the attack happens
According to the AdaptiveMobile Security report, all an attacker needs to exploit the SimJacker vulnerability is a GSM modem (easily bought online for just under 10 euros), with which they can perform a range of actions on the target's phone simply by sending SMS messages that act as spyware.
In particular, an attacker would be able to:
• identify the device's location and obtain its IMEI code;
• send false messages in the victim's name;
• steal money from the victim by dialling premium-rate numbers;
• spy on what is happening around the victim by instructing the device to place a "silent" call to the attacker's phone;
• spread malware by forcing the victim's phone browser to open a malicious web page;
• disable the SIM card, a sort of DoS attack against the victim's phone;
• retrieve phone system information such as the default language, connection type, battery level and so on.
All of these operations are, unfortunately for the victim, carried out without their knowledge.
SimJacker: who are the victims?
According to AdaptiveMobile Security, the locations of a number of people in unnamed countries were being tracked.
In each of these countries, about 100-150 numbers were targeted per day.
Typically a number is queried no more than once a week, although some victims' movements are tracked much more closely.
AdaptiveMobile Security's research team observed several hundred malicious SMS messages being sent to various recipients each week.
Attacks like SimJacker can go much further
As the researchers noted, the attackers did not use all of the SIM card features the S@T Browser exposes.
For example, the same kind of SMS can be used to call any number, send text messages to arbitrary numbers, open links in the browser and even disable the SIM card, leaving the victim unable to use the phone.
The vulnerability opens up numerous attack scenarios: criminals can transfer money via SMS, call premium-rate numbers, open phishing pages in the browser or download Trojans.
The vulnerability is particularly dangerous because it does not depend on the device the SIM card is inserted in.
The SIM Application Toolkit (STK) command set is standardized and supported by all phones, and even by IoT devices fitted with a SIM.
For some operations (such as placing a call) some devices ask for user confirmation, but in many cases they do not.
How to prevent a SimJacker attack?
Unfortunately, there is no single measure a user can take that stops SimJacker attacks.
However, while the attack does not need expensive hardware, it does require considerable technical knowledge and skill, which means this method is unlikely to be used by just any cybercriminal.