Skip to main content

The SimJacker

AdaptiveMobile Security has uncovered a serious mobile vulnerability in SIM cards that is putting nearly a billion phone users at risk. That’s right, one billion globally, and the attacks are being initiated by simple SMS messages.

Named "Simjacker" by the researchers, this critical vulnerability is ringing alarm bells across the globe as cell phone users in up to 30 countries are potential victims. Spanning throughout the Middle East, South America, and Africa, mobile phone users everywhere are susceptible. As we in the U.S. use different carriers, there is a decreased risk for the majority of our population to be hit with the SimJacker. 

What is it?

SimJacker is a cybersecurity gap deep in the SIM software. The vulnerability is in an application that comes installed on various SIM cards, called the ‘[email protected] Browser’. This app was originally designed to allow mobile carriers to offer basic services and subscriptions over-the-air to their customers. 

[email protected] Browser contains a series of automated instructions (STKs) which can be activated by sending an SMS to the device. The software then opens a gateway to provide an environment for malicious commands.

 AdaptiveMobile claims that private companies could have been actively exploiting Simjacker for the past two years for the purposes of cell phone surveillance. There are also claims that SimJacker is currently being used for government spying and targeted surveillance on cell phone users across several countries. Obviously, no one has owned up to it.

How does it work?

The critical vulnerability can be used in several ways just by sending an SMS containing a spyware code and we regret to say, users don’t need to open or read the SMS – the cell phone just needs to receive it. The user is completely unaware that they received the attack. 

Once the SMS is sent, the hacker is able to gain knowledge on device location and the unique number of the phone. Additionally, the hacker or spy is then able to take control of multiple functions on the phone such as sending fake SMS from the cell phone, spreading malware from the device, dialing premium rate numbers, performing DDoS attacks, and retrieving data on language battery and other device specific data.

The story so far

We know at this point that the location of thousands of devices has been obtained without the consent of the targeted cell phone users. We also know that the attack messages carry a full malware payload which is categorically spyware. Finally, we know that it works with almost every phone manufacturer including Apple, Motorola, Samsung, Google, and extends to other IoT devices that contain SIM cards.

This may mean that your dishwasher isn’t safe.

In all seriousness though, we don’t know the full fallout yet, but we see the danger ahead as government actors worldwide and hackers are investing more and more in innovative ways to disrupt network security.