Doubts raised over Simjacker security flaw

According to researchers, the Simjacker exploit takes advantage of a legacy SIM card feature that most telcos don't use

Doubts have been raised over the risk posed by the Simjacker vulnerability that was first disclosed last week.

The SIM-based security vulnerability was recently discovered by researchers at AdaptiveMobile Security, who claimed that the flaw could affect mobile operators in as many as 30 countries, potentially putting more than one billion mobile phone users worldwide at risk.

The researchers also said that a specific private surveillance firm working for various government agencies has been exploiting the flaw for the past two years to spy on individuals, including journalists and political dissidents.

According to researchers, the flaw has also been exploited to carry out many other types of attacks, such as scam calls, fraud, denial of service, espionage, and information leakage against telecom operators or individuals.

The Simjacker exploit takes advantage of a legacy feature of the SIM card, called S@T (pronounced sat), which was originally designed to launch browsers and to perform various other actions on older phones.

To target a phone, the attackers send a text message containing a specific type of spyware-like code for S@T. This message doesn't trigger any kind of notification on the device, but instructs the SIM card to 'take over' the mobile phone to execute sensitive commands. The SIM then sends an SMS with the device's IMEI number and location data back to the attackers.

Researchers at AdaptiveMobile Security claimed that in their own tests, they were able to instruct targeted mobile phones to ring other handsets, open up web browsers, send text messages and carry out several other actions on the handset.

The exploit is device-agnostic, according to researchers, and has been used against iPhones, various brands of Android phones as well as some SIM-equipped IoT devices.

While the AdaptiveMobile Security research team is confident about its study, many security experts are sceptical about the big claims made by AdaptiveMobile.

"I've been researching the SimJack issue and the more I am, the more something smells fishy about it...," said cyber security expert, Dr Vesselin Bontchev, known as @VessOnSecurity on Twitter.

He believes the researchers at AdaptiveMobile have overstated the number of victims at risk due to the Simjacker vulnerability.

"Claim that a billion people are affected. How do we know that? Oh, it's because the mobile operators of 30 countries with that many people total are using AdaptiveMobile's software. Really? Who had heard of them before? All I see is a single source of the claim - AdaptiveMobile," Bontchev added.

The cyber security expert also complains that AdaptiveMobile have provided no technical details, so far, about the vulnerability.

"Zero technical details, besides one meaningless diagram that could mean anything. Yes, I've read the S@T specifications and commands. 'Malware sent by SMS'? Gimme a break."

Another security specialist, Kevin Beaumont, added that there is no evidence of the Simjacker vulnerability affecting any mobile operator in either the UK or the US.

To find out more about Simjacker, we'll have to wait until 3rd October, when the AdaptiveMobile research team will reveal further details at the VirusBulletin 2019 security conference, which will be held in London next month.