SIM Vulnerability leads to information disclosure via malicious SMS (opens in new tab)

(simjacker.com)

137 pointslejoko6y ago55 comments

55 comments

There's a lot of woo in the press release, but the essense is: they claim to have found an exploit in the SIM Application Toolkit (specifically, in the S@T Browser [SIMalliance Toolbox Browser]), which can be triggered when the SIM processes a SMS which contains some attacker data as a payload, and results in the payload being executed by the SIM. The SIM can request some details from the phone (like Cell ID (rough location) and IMEI) and exfiltrate them (via another SMS).

The SIM Application Toolkit is fairly low-level, so has access to a few other functions, like making calls or opening applications or updating firmware. Whether these functions are permitted by the phone depends on the manufacturer, but they claim that the Cell ID & IMEI functions are widely-supported.

cypres6y ago

Title is misleading. No "hijacking" is taking place, they are obtaining the Cell ID (approximate location) and IMEI info from the phone, by sending it a malicious SMS containing SIM card instructions. Details; https://www.adaptivemobile.com/blog/simjacker-next-generatio...

A better title IMHO; SIM Vulnerability leads to information disclosure via malicious SMS.

farisjarrah6y ago

Seems like a highjack may be possible actually... Here is a list of other things they listed they can do with the simjacker exploit that goes beyond simple data exfiltration:

    > PLAY TONE
    > SEND SHORT MESSAGE
    > SET UP CALL
    > SEND USSD
    > SEND SS
    > PROVIDE LOCAL INFORMATION
    >     Location Information, IMEI, Battery, Network, Language, etc
    > POWER OFF CARD
    > RUN AT COMMAND
    > SEND DTMF COMMAND
    > LAUNCH BROWSER
    > OPEN CHANNEL
    >     CS BEARER, DATA SERVICE BEARER, LOCAL BEARER, UICC SERVER MODE, etc
    > SEND DATA
    > GET SERVICE INFORMATION
    > SUBMIT MULTIMEDIA MESSAGE
    > GEOGRAPHICAL LOCATION REQUEST

mercora6y ago

running arbitrary AT commands gives lots of potential... i wish they would provide (a lot) more details about their claims :(

1 more reply

akersten6y ago

Why in the world is this API surface even available, and why aren't Google / Apple / handset manufacturers scrambling to patch this?

rocqua6y ago

I guess it is available to the baseband, not the actual iser facing OS.

zenexer6y ago

Google and Apple can't do anything to mitigate this.

Edit: The following is incorrect. SIM cards are self-contained computers. Among other things, they're responsible for encrypting and decrypting communications between your phone and your carrier. This means that a SIM card will see the contents of a message before your OS or other hardware in your phone does. These exploits should work just as well against "dumb" phones as smartphones because they're not attacking the actual phones.

This API exists because SIM cards are self-contained computers; they need a way to communicate with everything else.

2 more replies

lejokoOP6y ago

For me, sending SMS messages on your behalf (without you even knowing) or dialling premium rate numbers is definitely hijacking.

dang6y ago

Ok, we'll go with that title above.

GMLOOKO6y ago

raintrees6y ago

I obtained a low-tech phone for SMS and phone calls. I then turned my Samsung Android back into a PDA by removing the SIM chip.

I explain to my clients when they express astonishment at my low-tech phone that I am protecting their security, as I have the PDA sync with my Exchange Server, where I keep sensitive info to provide them support and I do not allow the low-tech phone to access my Exchange Server.

I also tell them that I had based my decision on the track records of Google, Apple, Verizon, etc. in regards to security.

Nothing is perfect, but at least my attack surface is lessened.

haydn36y ago

Isn't connecting to Microsoft being online? Unless you're running exchange on an OFFLINE, LOCAL NETWORK your outgoing traffic to Google will contain metadata and you're not stopping anything by removing the SIM card other than inconveniencing yourself.

It still calls home, it's still online. Lock down Microsoft and Google's IPs permanently, outbound, on all networks you use or this won't work.

raintrees6y ago

I run my own servers, so no, no connection to Microsoft except for updates.

Google is not involved, my DNS is my own server with the base servers as their lookups, not Google DNS. My PDA only connects over WiFi, since there is no SIM.

So unless Google is purposely getting involved with a WiFi connection to a local, private server, they are not involved, either.

I stripped off all of the other apps as well.

1 more reply

snazz6y ago

I would personally much rather have my text messages and VoIP phone calls encrypted (usually iMessage and FaceTime audio, but Signal and WhatsApp are popular with Android users), which AFAIK is only available on smartphones, than split out calling and texting from a primary phone.

I’ve also heard that Apple doesn’t allow the baseband direct access to the application processor’s memory, but I don’t know how true that is. There doesn’t seem to be much thought given to this on Android phones.

mkr-hn6y ago

You're still at risk of baseband exploits, but those are less common.

ga-vu6y ago

Old attack: http://blog.m-sec.net/2011/sim-toolkit-attack/

rando4446y ago

The youtube-conspiracy-style intro video and lack of details does not instill a feeling of credibility.

eternalny16y ago

This whole site reeks of a security company trying to cash in on a previously reported issue.

The scarier they can make it, the more $$ ... they even have the domain name.

2011 ... http://blog.m-sec.net/2011/sim-toolkit-attack/

vectorEQ6y ago

so many companies who offer these services since forever. verint, gamma, etc. etc.

1 or 2 binary sms sent and you have someones phone depending on your flavor of attack.

sim card runs java. with sim pin you can even just send apdu requests to read its filesystem...

don't know why now all of a sudden this is a hot topic. it's the whole design of the mobile infrastructure to be able to do this...

just think about it: if you clone someones phone via such method, and they get called, you get called. if you then pickup within ~1 second of them picking up, your speaker is enabled but microphone is disabled so they can't hear you snooping in on them.... that is by design.

between carriers everything is unauthenticated, to enable this at global scale... by design.

markovbot6y ago

There doesn't seem to be a lot of specifics here. Does this mean I can send anyone a text that has some magical character in it to trigger this S@T Browser to execute arbitrary AT commands? Or is this some kind of special SMS like a type-0 SMS or something?

archi426y ago

That SIMs are expoitable was to be expected, and is another nail in the coffin of SMS 2FA. I'm just worried about the isolation between SIM and CPU - delivering a crypto locker via SMS would be an impressive feat, but wreak absolute havoc.

segfaultbuserr6y ago

Unsurprising, and I don't think it's a backdoor like ME, but just plain incompetence (or malpractice). It's only a matter of time and location when a exploit like this is discovered. I highly recommend this hilarious paper, Fuzzing the GSM Protocol (https://www.ru.nl/publish/pages/769526/scriptie-brinio-final...). By feeding the phones with random GSM data with a Software-Defined Radio, it showed most dumb and smartphones have serious memory corruption issues. Just starts reading from Page 27, Chapter 5.

* Read Memory

> On two different phones it was possible to read out (part of) the phone memory. The most interesting of these phones was the Nokia 2600, where a text message would get stored that shows a seemingly random part of the phone memory upon opening. Closing and reopening of the same message would display a different part of the memory, sometimes also causing a reboot of the phone.

> On the Samsung SGH-D500 certain messages would show a strange sequence of characters when opened, but it was unclear to us where it came from. The same message would show up differently when sent multiple times, so we expect it came somewhere from memory.

* Reboot

> Seven of the sixteen phones could be forced to reboot remotely. When rebooting the network connection would be lost temporarily.

> In all but two cases reboots were caused by a discrepancy between a length field and the actual length of that field in the message, making it likely that the behaviour is caused by a buffer overflow.

* Long time DoS

> For the iPhone 4 and HTC Legend the attack with the highest impact was found. By sending a carefully crafted SMS message the phone would not display anything and also stop receiving any SMS messages altogether. In addition on the iPhone it was impossible to change network after the attack.

* Icons

> SMS offers the ability to notify a user that a voice, fax or email message is waiting to be retrieved. According to the specifications every cell phone has to show an icon on the screen when this happens. Problem is that these icons are hard to remove when they were activated illegitimately. Even though this is not an actual security risk it can be quite annoying.

(lol!)

* Unable to delete messages

> A rather annoying bug manifested itself on two cell phones, the Sony Ericsson T630 and Samsung SGH-D500. [...] They could not be viewed or deleted in any way, but they still occupied space on the SIM. The only way to delete these messages was to put the SIM in a different phone and delete them there.

> Problems like these can be quite dangerous.

Nowadays, it's an extremely dangerous problem in the age of smartphones, when the baseband processor contains proprietary, unauditable code, with no isolation between the baseband processor and the main system.

tinus_hn6y ago

> no isolation between the baseband processor and the main system.

There’s barely any connection between the baseband processor and the application processor on a smartphone.

Notice for all your examples, it’s denial of service for the functions of the baseband processor by a bug in the code run by the baseband processor. It doesn’t get access to the data available to the application processor. Except for the oldschool feature phones, where there is no separate application processor so a bug in the software run by its processor can cause the phone to reboot or reveal the memory accessible by that processor.

effie6y ago

Barely any connection? Like if there is only a single wire, it's fine because the data exfiltration / os manipulation takes long? Oh please. These two processors are interconnected and most of phones run some unknown untrustworthy software on both of them.

Some attacks: https://www.fsf.org/blogs/community/replicant-developers-fin...

1 more reply

johnisgood6y ago

So how do I know if someone sent me a malicious message? Does this affect GSM only, or WCDMA, too, or does it even matter?

LinuxBender6y ago

Unless firmware has changed dramatically, then unless you have the engineering firmware and if they have an SS7 link, you won't even know you received anything until they choose to do something intrusive.

Haed1zoesee66y ago

Will a baseband firewall protect me from this?

pingec6y ago

Does this break SMS 2FA?

johnisgood6y ago

SMS 2FA can bite you in the ass. Since the phone is with you all the time, there is a higher chance of something happening to it that makes it damaged enough for you to not be able to use it. Now, you are in possession of the password, the IP is the same as the one you signed up with, you have access to your e-mail, but you still cannot access your account. You contact support, you tell them the same thing. They will tell you they cannot help you because "security", and do nothing. You are now unable to access your account, most likely forever.

This happened to me. Any experiences or thoughts? Is it worth the risk? How do you prevent this scenario besides not using 2FA from happening? Personally I would choose to not use it though.

drewmol6y ago

>Any experiences or thoughts?

I used to have Ting for phone service, you can require mfa/lock number porting, disable or activate or change a device/sim, toggle voice sms and data and forward calls from their multi factor authenticated dashboard. Requested an extra sim and kept a dumb cdma phone lying around in case I broke lost or someone stole my phone. Also used an app to sync texts in case of broken scren. Now I use verizon and keep a spare cdma device, you can change devices from their web portal in combination with a message syncing app. You could also port your # to google voice for similar features but I assumed google will scrap it with little notice so I have not.

tgsovlerkhgsel6y ago

The reason why companies love SMS 2FA is because most people keep their phone number. In a scenario like you described, most people would walk into a <whatever their provider is> store, show ID, and get a new SIM.

This way, the company using SMS 2FA has effectively outsourced this recovery path to the phone companies. Instead of handling recovery (and potentially liability for getting it wrong) themselves, they can just tell you to go recover the phone number. And when the phone company gets it wrong, you get stuck in a nightmare of finger-pointing instead of having a clear culprit to hold responsible.

tiborsaas6y ago

> You are now unable to access your account, most likely forever.

Nah, you just have to wait till you order a new SIM from your carrier.

Some companies also offer offline, 1 time passwords. 2FA SMS can be a pain in such cases, but it's not that bad.

1 more reply

cypres6y ago

No. Although some argue that SMS 2FA is already broken, due to SS7 attacks. I don't see how this makes it any worse.

pixl976y ago

Technically SMS 2FA is already broken.

ozzyman7006y ago

a sdr radio breaks sms 2fa

Smoozy236y ago

I don’t understand why to steal someone else’s phones? the main thing for what?

heavymark6y ago

Because then in most cases you bypass 2 factor authentication through sms for people's accounts. And then steal their social media handles or anything. Sites like Twitter only allow SMS 2 factor authentication, so currently no way to avoid the issue, which is why even the CEO was just hacked. One has to assume they are working on real 2 factor authentication. That will help people in the know stay protected, but the average person or simply enables sms 2 factor authentication will still be vulnerable until a company like Apple or something automatically offers 2 factor app for all sites that support 2fa.

zucked6y ago

I've been mitigating this vector best I can by associating any of my accounts that only offer 2FA via SMS to a Google Voice number / Google account that can only be accessed via Token/Backup codes.

mises6y ago

Sim-swap attacks, forging communications from some one (snag CEO phone; send message "wire ten million dollars now to china; we're acquiring a company!").

mercora6y ago

This is not about stealing someones subscriber identity but about having unrestricted access to some ancient looking software running on the sim card. TBH it looks like this is not really an exploit but working by design if access is actually unrestricted. SMS is used as an alternative transport for the software (S@T Browser) and apparently access should be limited to entities providing a 3DES key ... But i just skimmed over some documents so don't take my word for it ;)

magashna6y ago

https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-...

tmysl6y ago

Leaked emails/passwords from exploited sites + the ability to do 2fa or trigger a password reset via phone verification. People's bank accounts, bitcoin exchange wallets, etc have been hacked like this.

biggt6y ago

First the Intel management engine backdoor. And now this, probably first conceived when someone cards were being developed

j / k navigate · click thread line to collapse

55 comments

falsedan6y ago

cypres6y ago

A better title IMHO; SIM Vulnerability leads to information disclosure via malicious SMS.

farisjarrah6y ago

Seems like a highjack may be possible actually... Here is a list of other things they listed they can do with the simjacker exploit that goes beyond simple data exfiltration:

    > PLAY TONE
    > SEND SHORT MESSAGE
    > SET UP CALL
    > SEND USSD
    > SEND SS
    > PROVIDE LOCAL INFORMATION
    >     Location Information, IMEI, Battery, Network, Language, etc
    > POWER OFF CARD
    > RUN AT COMMAND
    > SEND DTMF COMMAND
    > LAUNCH BROWSER
    > OPEN CHANNEL
    >     CS BEARER, DATA SERVICE BEARER, LOCAL BEARER, UICC SERVER MODE, etc
    > SEND DATA
    > GET SERVICE INFORMATION
    > SUBMIT MULTIMEDIA MESSAGE
    > GEOGRAPHICAL LOCATION REQUEST

mercora6y ago

running arbitrary AT commands gives lots of potential... i wish they would provide (a lot) more details about their claims :(

1 more reply

akersten6y ago

Why in the world is this API surface even available, and why aren't Google / Apple / handset manufacturers scrambling to patch this?

rocqua6y ago

I guess it is available to the baseband, not the actual iser facing OS.

zenexer6y ago

Google and Apple can't do anything to mitigate this.

This API exists because SIM cards are self-contained computers; they need a way to communicate with everything else.

2 more replies

lejokoOP6y ago

For me, sending SMS messages on your behalf (without you even knowing) or dialling premium rate numbers is definitely hijacking.

dang6y ago

Ok, we'll go with that title above.

GMLOOKO6y ago

raintrees6y ago

I obtained a low-tech phone for SMS and phone calls. I then turned my Samsung Android back into a PDA by removing the SIM chip.

I also tell them that I had based my decision on the track records of Google, Apple, Verizon, etc. in regards to security.

Nothing is perfect, but at least my attack surface is lessened.

haydn36y ago

It still calls home, it's still online. Lock down Microsoft and Google's IPs permanently, outbound, on all networks you use or this won't work.

raintrees6y ago

I run my own servers, so no, no connection to Microsoft except for updates.

Google is not involved, my DNS is my own server with the base servers as their lookups, not Google DNS. My PDA only connects over WiFi, since there is no SIM.

So unless Google is purposely getting involved with a WiFi connection to a local, private server, they are not involved, either.

I stripped off all of the other apps as well.

1 more reply

snazz6y ago

mkr-hn6y ago

You're still at risk of baseband exploits, but those are less common.

ga-vu6y ago

Old attack: http://blog.m-sec.net/2011/sim-toolkit-attack/

rando4446y ago

The youtube-conspiracy-style intro video and lack of details does not instill a feeling of credibility.

eternalny16y ago

This whole site reeks of a security company trying to cash in on a previously reported issue.

The scarier they can make it, the more $$ ... they even have the domain name.

2011 ... http://blog.m-sec.net/2011/sim-toolkit-attack/

vectorEQ6y ago

so many companies who offer these services since forever. verint, gamma, etc. etc.

1 or 2 binary sms sent and you have someones phone depending on your flavor of attack.

sim card runs java. with sim pin you can even just send apdu requests to read its filesystem...

don't know why now all of a sudden this is a hot topic. it's the whole design of the mobile infrastructure to be able to do this...

between carriers everything is unauthenticated, to enable this at global scale... by design.

markovbot6y ago

archi426y ago

segfaultbuserr6y ago

* Read Memory

* Reboot

> Seven of the sixteen phones could be forced to reboot remotely. When rebooting the network connection would be lost temporarily.

* Long time DoS

* Icons

(lol!)

* Unable to delete messages

> Problems like these can be quite dangerous.

tinus_hn6y ago

> no isolation between the baseband processor and the main system.

There’s barely any connection between the baseband processor and the application processor on a smartphone.

effie6y ago

Some attacks: https://www.fsf.org/blogs/community/replicant-developers-fin...

1 more reply

johnisgood6y ago

So how do I know if someone sent me a malicious message? Does this affect GSM only, or WCDMA, too, or does it even matter?

LinuxBender6y ago

Haed1zoesee66y ago

Will a baseband firewall protect me from this?

pingec6y ago

Does this break SMS 2FA?

johnisgood6y ago

This happened to me. Any experiences or thoughts? Is it worth the risk? How do you prevent this scenario besides not using 2FA from happening? Personally I would choose to not use it though.

drewmol6y ago

>Any experiences or thoughts?

tgsovlerkhgsel6y ago

tiborsaas6y ago

> You are now unable to access your account, most likely forever.

Nah, you just have to wait till you order a new SIM from your carrier.

Some companies also offer offline, 1 time passwords. 2FA SMS can be a pain in such cases, but it's not that bad.

1 more reply

cypres6y ago

No. Although some argue that SMS 2FA is already broken, due to SS7 attacks. I don't see how this makes it any worse.

pixl976y ago

Technically SMS 2FA is already broken.

ozzyman7006y ago

a sdr radio breaks sms 2fa

Smoozy236y ago

I don’t understand why to steal someone else’s phones? the main thing for what?

heavymark6y ago

zucked6y ago

I've been mitigating this vector best I can by associating any of my accounts that only offer 2FA via SMS to a Google Voice number / Google account that can only be accessed via Token/Backup codes.

mises6y ago

Sim-swap attacks, forging communications from some one (snag CEO phone; send message "wire ten million dollars now to china; we're acquiring a company!").

mercora6y ago

magashna6y ago

https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-...

tmysl6y ago

biggt6y ago

First the Intel management engine backdoor. And now this, probably first conceived when someone cards were being developed

j / k navigate · click thread line to collapse