A security firm has disclosed a disturbing vulnerability in SIM cards that can be exploited to track a phone's location, and potentially take over the device. But the hacking danger may be overblown, at least in the US; an industry trade group says most customers are not affected.
The reported vulnerability, dubbed "SimJacker," deals with old software tech in SIM cards called the S@T Browser, which was last updated in 2009. On Thursday, security firm AdaptiveMobile published a report, which said you can send a specially crafted SMS message to hijack the S@T Browser on a victim's phone to execute computer code.
What makes the attack scary is how the SMS messages can be designed to request and then retrieve location data from the victim's phone in secret. None of the incoming SMS messages will appear in the owner's inbox. The same vulnerability can also be used to launch the mobile browser on the phone, and direct the owner to download malware. To send off the SMS messages, the attacker needs a phone, a GSM modem, or an SMS account at an A2P (application-to-person) provider.
The claims have been raising alarms in the IT security community. According to AdaptiveMobile, mobile operators in at least 30 countries are using the S@T protocol, putting up to a billion people at risk. "We have observed devices from nearly every manufacturer being successfully targeted to retrieve location: Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards," researcher Cathal McDaid said in the report.
However, the trade body that represents mobile carriers across the world, the GSMA, is downplaying the risks. Although AdaptiveMobile notified the group about the flaw, the GSMA said only "a minority" number of SIM cards are vulnerable.
"This research specifically considers SIM cards which make use of a technology not used by most mobile operators," the GSMA told PCMag in an email. "The potential vulnerability is understood to not be widespread and mitigations have been developed for affected mobile networks to implement."
AT&T and Sprint told PCMag they don't use the affected technology on their SIM cards. Verizon says, "We have no indication to believe this impacts Verizon." T-Mobile has reportedly indicated the same.
AdaptiveMobile is withholding further details about its research until it gives a talk about the findings on Oct. 3 at the Virus Bulletin Conference in London. In the meantime, the company claims that an unnamed private firm has been using the vulnerability for at least two years to help governments spy on individuals. The tracking continues to this day.
"In one country we are seeing roughly 100-150 specific individual phone numbers being targeted per day via Simjacker attacks, although we have witnessed bursts of up to 300 phone numbers attempting to be tracked in a day," McDaid claimed in his report.
AdaptiveMobile provides IT security to mobile carriers using software that can analyze network activity for potential attacks. It explains how the company was able to gather intel on the suspected spying involving the SimJacker flaw. But no mention was made of which 30 countries were affected by the flaw.
AdaptiveMobile says affected carriers can stop the attacks by analyzing and blocking suspicious messages that contain S@T Browser commands. Another option is to drop using the S@T protocol completely.
AdaptiveMobile did not immediately respond to questions about the company's research.