In recent months we have seen nation-state sponsored cyberattacks on multiple mobile networks and operators for the prized customer data and communications metadata held within those organizations. In that sense, such attacks are almost a throwback to the days before the over the top operating systems and applications came to dominate. These days, the really core data is held by the tech giants responsible for most of the ways in which we engage and communicate. But now comes a timely reminder of the broader potential to exploit legacy technology with new security and privacy threats. And it feels decidedly old school.
Dubbed Simjacker and discovered by the security research team at AdaptiveMobile Security, the exploit is built around specific codes sent by SMS message to the SIM card on target devices. That SIM card, which let’s remember is the cellular and operator gateway for the device as well as one of its two key identifiers—the other being the device itself, is programmed to capture and forward information to the attacker. Initially that attack focuses on the retrieval of device identity and location, but it can then go further—denial of service and fraudulent calls for example.
According to the security researchers, “the location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users—with the vulnerability exploited for at least the last two years by a highly sophisticated threat actor in multiple countries.” Because this is an attack on the core networking technology within devices, rather than the operating system or hardware of the device itself, the researchers estimate that as many as 1 billion phones might be at risk across all geographies—covering all makes and models. All that’s needed for a device to be vulnerable, is for the SIM to neglect checking “the origin of messages” while “allowing data download via SMS.”
AdaptiveMobile Security says it is “quite confident” that the exploit has been used to spy on individuals, but doesn’t offer more in the way of hints or indications as to who might be behind the technology and the attacks, and whether this is a private company selling its services or a private threat actor aligned with a specific nation-state. The researchers do say they have been working “with customers and the wider industry, including both mobile network operators and SIM card manufacturers to protect mobile phone subscribers.” They also claim that attacks have been blocked and defences bolstered at this new sophisticated method of attack.
The DNA of an attack is relatively simple, beginning with SIM Toolkit (STK) instructions sent from an SMS sender—handset or cellular device or SMS sending application. And this is why, with all the focus on malware-laced applications and OS-takeovers, this attack feels old school. An outdated technology and an outdated messaging platform combining with long-forgotten industry-standard software that was designed when SIM cards came complete with network-specific controls and applications—if you’re old enough to remember that.
“Like many legacy technologies,” the researchers warn, “it is still being used while remaining in the background.” And, just as we have seen with industrial and IoT firmware issues in the billions of ignored devices surrounding us, such vulnerabilities can now be opened by sophisticated threat actors who can leverage the rudimentary security layers added a lifetime ago.
On receiving the attacker’s SMS, the SIM’s [email protected] Browser becomes an execution environment, engaging with its device as SIMs have done since the industry’s early days. Again, let’s remember this is the advantage of standardization across mobiles—at their core are throwbacks to the basic GSM platforms of old. This code environment then acts as the collection and forwarding agent for the data pulled from the device.
Further SMS messages can be sent from the infected device to the attacker with the information that has been sought and collected. And while SMS messages have been used in the past as a communication layer between malware and operator, the researchers suggest this could be the first real-world example of spyware contained within the SMS itself and the attack occupying this legacy cellular environment.
At no time will the user of the infected device be aware of the attack.
Given the legacy environment in play here, there are limitations on the nature of attacks when compared to software infection of the device itself. Dialling fraudulent numbers, managing network access, retrieval of device data and perhaps triggered endpoint espionage. There is, the researchers say, the potential for a website to be triggered on the device to deliver more complex malware, but that takes the attack out of its core environment and into a more current realm.
Without specific attribution, AdaptiveMobile Security claims to be “quite confident” that the exploit was developed by a private enterprise “that works with governments to monitor individuals.” The private company is described as “a large professional surveillance company, with very sophisticated abilities in both signalling and handsets.” And whatever the mandate of the attackers, individuals have been targeted in “several countries” and attacks have at times been traced to several hundred numbers—read individuals—per day.
There is a clear interest in who is behind this—an attack that leverages technology of old, technology that was not designed to fend off today’s sophistication. And with this genie tipped firmly from its bottle, the implication is that more attacks will follow.
Whatever the provenance of this attack, and again just as with IoT, the job of cleaning up vulnerabilities of old and archaic ecosystems—all well overdue—should now begin.