The recent SIMjacker vulnerability represents potentially the most sophisticated attack ever seen on core mobile networks and could extend to over 1 billion mobile phone users globally.
Discovered by AdaptiveMobile Security, SIMjacker is an SMS-based hacking technique and was being used by an unnamed private company working with governments to monitor individuals and gain personal and other information from their phones without the user’s knowledge.
It’s a significant jump in complexity and sophistication compared to previous attacks seen over core mobile networks, and works by sending an SMS containing spyware-like code to users, which then instructs the SIM to take control of the mobile phone.
First, location information of thousands of phones was extracted without the consent or knowledge of users, but it was then extended to perform further attacks, including fraud, scam calls, information leakage, denial of service and espionage. In theory, SIMjacker can gain access to all makes and models of mobile phone that use a specific technology embedded on SIM cards, and gain access to customers’ international mobile subscriber information without being restricted to a single phone platform.
How does SIMjacker work?
An attacking device sends a binary SMS to access the SMS Toolkit and take control of the mobile phone. This binary SMS triggers a S@T Push Message sent from the victim’s device to an attacker’s device to trigger actions on the victim’s device, such as launching websites, playing tones, sending SMS, denying service, service interception, location information, personal info, and more.
The S@T Browser is a kind of software that’s embedded in most SIM cards, and is produced by phone companies in 30 nations. It was originally designed to allow mobile carriers to beam basic functions, such as subscription data or over-the-air updates, to customers. But the hackers in this case have exploited that intent, abusing the protocol to send an SMS to a phone and instructing the device to carry out malicious commands.
The attack is more complex than SS7 signalling attacks because it requires knowledge of the handset ecosystem. It bypasses SS7 by attacking via SMS home routing. Worse, signalling firewalls can also be bypassed if the attack is generated from within the home network.
The Telecom26 solution
Most SIMs are configured with weak security settings that don’t require message signatures, encryption, or checksums. The Telecom26 Vulnerability Protection Solution, however, uses EDGE-based signalling firewalls to evaluate and block any binary messages that contain content-coding characteristics of STK messages, meaning that it can quickly identify and block any internal STK messages that are coming from, or going to, other subscribers on the network.
For external traffic, anything containing STK coding is blocked: content providers generally send text in the form of an A2P message, not STK coding, so STK-coded traffic stands out as a threat. Meanwhile, implementation of home routing for all incoming SMS traffic from external connections blocks any STK coding to home subscribers. The solution also offers optional message signatures, encryption and checksums on flagged suspect messages.
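As an illustration of what filtering on the "content-coding characteristics of STK messages" can look like, the following added example (not Telecom26's code, and not from the original article) inspects the header fields of an SMS-DELIVER TPDU and reports which ones mark it as SIM-directed binary traffic. The field values checked (TP-PID 0x7F, 8-bit class 2 TP-DCS, UDH identifiers 0x70-0x7F) are assumptions taken from 3GPP TS 23.040 and TS 23.038 rather than from this page; the function names are hypothetical and the sample TPDUs are constructed, with filler bytes as payload.

```python
"""Flag SMS-DELIVER TPDUs whose header fields mark them as SIM-directed binary."""

def dcs_is_8bit_class2(dcs):
    # TP-DCS (3GPP TS 23.038): 8-bit data addressed to the SIM (message class 2)
    if dcs < 0x80:                       # general coding groups 00xx / 01xx
        return bool(dcs & 0x10) and (dcs >> 2) & 3 == 1 and dcs & 3 == 2
    if dcs >> 4 == 0xF:                  # "data coding / message class" group
        return bool(dcs & 0x04) and dcs & 3 == 2
    return False

def udh_ieis(ud):
    # Walk the User Data Header and return its Information Element Identifiers
    if not ud:
        return []
    ieis, i, end = [], 1, min(1 + ud[0], len(ud))
    while i + 2 <= end:
        ieis.append(ud[i])
        i += 2 + ud[i + 1]               # skip identifier, length and data
    return ieis

def stk_indicators(tpdu_hex):
    """Return the list of STK-style indicators found in one SMS-DELIVER TPDU."""
    b = bytes.fromhex(tpdu_hex)
    if len(b) < 2 or b[0] & 0x03:        # TP-MTI must be 00 (SMS-DELIVER)
        raise ValueError("not an SMS-DELIVER TPDU")
    pos = 3 + (b[1] + 1) // 2            # skip TP-OA (length is in semi-octets)
    if len(b) < pos + 10:                # PID + DCS + 7-octet SCTS + UDL
        raise ValueError("truncated TPDU")
    pid, dcs, ud = b[pos], b[pos + 1], b[pos + 10:]
    found = []
    if pid == 0x7F:                      # (U)SIM data download
        found.append("pid-sim-data-download")
    if dcs_is_8bit_class2(dcs):
        found.append("dcs-8bit-class2")
    if b[0] & 0x40 and any(0x70 <= x <= 0x7F for x in udh_ieis(ud)):
        found.append("udh-toolkit-security-header")   # TP-UDHI set + IEI 70-7F
    return found

# Constructed sample TPDUs (address, timestamp and payload are made up)
OA, SCTS = "0B915155100000F1", "91012100000000"
A2P_TEXT = "04" + OA + "0000" + SCTS + "02" + "E834"          # 7-bit text "hi"
SIM_BINARY = "44" + OA + "7FF6" + SCTS + "07" + "027000" + "00000000"
CLASS2_ONLY = "04" + OA + "0016" + SCTS + "01" + "00"

if __name__ == "__main__":
    for name in ("A2P_TEXT", "SIM_BINARY", "CLASS2_ONLY"):
        hits = stk_indicators(globals()[name])
        print(name, "BLOCK" if hits else "PASS", hits)
```

A filter built this way would treat any non-empty result as a reason to block or quarantine the message, and should also reject TPDUs that fail to parse rather than pass them through.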
Another problem with SIMjacker is that no one was aware of the breach, meaning that it can continue undiscovered. However, the Telecom26 SIM and service defends against SS7 and SMS-based vulnerabilities, and alerts and notifies when they are detected. As a result, it can counter all vulnerabilities in mobile networks, ensuring protection for all networks, users and devices.
Telecom26 provides robust security to help safeguard against multiple threats, offering constant vigilance against known and unknown vulnerabilities. So, if you need to protect your devices and data, you need a partner that goes to the next level in security protection, offering active, dynamic control across all mobile networks. Get in touch to find out how we can protect your personal data, wherever you are.