In recent months we have seen nation-state-sponsored cyberattacks on multiple mobile networks and operators for the prized customer data and communications metadata held within those organizations. In that sense, such attacks are almost a throwback to the days before the over-the-top operating systems and applications came to dominate. These days, the really core data is held by the tech giants responsible for most of the ways in which we engage and communicate. But now comes a timely reminder of the broader potential to exploit legacy technology with new security and privacy threats. And it feels decidedly old school.
Dubbed Simjacker and discovered by the security research team at AdaptiveMobile Security, the exploit is built around specific codes sent by SMS message to the SIM card on target devices. That SIM card, which, let’s remember, is the cellular and operator gateway for the device as well as one of its two key identifiers (the other being the device itself), is programmed to capture and forward information to the attacker. Initially that attack focuses on the retrieval of device identity and location, but it can then go further—denial of service and fraudulent calls, for example.
According to the security researchers, “the location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users—with the vulnerability exploited for at least the last two years by a highly sophisticated threat actor in multiple countries.” Because this is an attack on the core networking technology within devices, rather than the operating system or hardware of the device itself, the researchers estimate that as many as 1 billion phones might be at risk across all geographies, covering all makes and models. All that’s needed for a device to be vulnerable is for the SIM to neglect checking “the origin of messages” while “allowing data download via SMS.”
AdaptiveMobile Security says it is “quite confident” that the exploit has been used to spy on individuals, but doesn’t offer more in the way of hints or indications as to who might be behind the technology and the attacks, or whether this is a private company selling its services or a private threat actor aligned with a specific nation-state. The researchers do say they have been working “with customers and the wider industry, including both mobile network operators and SIM card manufacturers to protect mobile phone subscribers.” They also claim that attacks have been blocked and defences bolstered against this new, sophisticated method of attack.