Simjacker: How to Protect Devices from an Emerging Threat
By Omer Harel
May 15, 2020
By Omer Harel
May 15, 2020
A sophisticated cyberattack is gaining steam, and it’s targeting vulnerabilities in SIM-equipped devices. These exploits, known as Simjacker attacks, take advantage of a common back door into the SIM card. Malicious actors and government agencies use Simjacker attacks to eavesdrop, track movement, extract data and more — all without leaving a trace.
The problem is rooted in an old piece of technology built on top of the SIM toolkit standard. The SIM toolkit is an environment that allows developers to leverage the capabilities of the SIM card to build applications. The add-on technology helped mobile carriers and SIM vendors create value-add services to monetize their SIM cards. Unfortunately, it also created the back door into the component.
Telit Connectivity Solutions customers are protected from Simjacker attacks on their IoT devices. If you’re already a Telit Connectivity customer, you have nothing to worry about: Your SIM cards are safe. However, if your IoT deployments have SIM cards from other sources, you may need to act. This blog provides an overview of the problem and directs you to additional resources that can help you protect your devices.
A broad attack surface exists because numerous carriers and SIM vendors around the world adopted the add-on technology. However, statistics on how much damage has resulted from Simjacker attacks are hard to come by. The ecosystem is very fragmented with many mobile operators worldwide, so it isn’t easy to compile an accurate estimate. Moreover, some governments have used Simjacker, and they don’t reveal this information. Anecdotal evidence suggests that Simjacker has been used in approximately 30 countries over the past two years.
It’s important to note that all makes and models of cellular devices are vulnerable if the SIM card has the old technology installed on it, which is very common. Simjacker has been used against iPhones, Android phones and SIM-equipped Internet of Things (IoT) devices. It can run on most 2G (GSM), 3G (UMTS), 4G (LTE) and even 5G devices.
Simjacker has been used by surveillance companies and some governments around the world, and these organizations may still be using the exploit today. Based on publicly available information, at least 1 billion devices are affected. The actual number could be even higher.
A Simjacker attack begins when a mobile device or a server sends an SMS message that contains a specific type of code to a mobile device or GSM modem. The code instructs the device’s SIM card to take control of the device to access its data or execute commands.
Simjacker attacks rely on a piece of software called the S@T browser, which resides in the SIM card. The SIM card receives the Simjacker SMS attack message and then sends specific instructions to the S@T browser by using scripts, requesting location information and other information specific to the device.
When the information the hacker wants is retrieved, the victim’s device then sends the information to the hacker’s device via another SMS or a BIP session. This data message may contain the device’s location and other information, which can be stored, reused or sold.
Over the past two years, hackers have refined their ability to exploit the vulnerability created by the channel. They can send executable code directly to SIM cards and retrieve sensitive data from devices.
Simjacker’s potential for wreaking havoc is significant because it takes advantage of a system that was designed to make it easy to access SIM-enabled devices. The attacker can use any mobile device, a server application that can send binary text messages, phone or cellular modem to initiate an attack. The SMS sent by the attacker consists of binary code, unlike a human-readable SMS. Because the message is a standard SMS, any modem that works according to the standard will forward the message to the SIM card.
The SIM card can run code in a Java environment, and it can extract detailed information, such as location information, network conditions, device model or any other information stored on the SIM card that’s accessible to an application. The S@T browser processes code and sends information back to a destination address, so the victim’s device sends back to the attacker whatever data the SMS collected, via SMS or a BIP session.
When the SIM toolkit technology is used to create applications that allow device users to get better roaming tariffs and stay connected, the technology is working as intended. When it’s exploited for malicious purposes, it becomes an open channel to a variety of damaging unintended consequences.
More than 1 billion mobile subscribers worldwide are potentially exposed to Simjacker attacks, and the results could be devastating. Simjacker can be used for:
If you’re a Telit connectivity service and data plans customer, you’re protected from malicious Simjacker attacks. We verify that our SIM cards aren’t vulnerable before shipping them or embedding them into a Telit module at the factory. We have also confirmed that none of our mobile network operator (MNO) partners in our current and past SIM card portfolios have the S@T app that exposes the SIM to threat.
We’re committed to continuing to track Simjacker vulnerabilities because attackers have other potential ways to hack into applications other than the S@T browser. We are continually monitoring this issue with our partners, and we’ll share any new information as soon as it’s available.
You’re protected if your SIM cards are from Telit; however, if you use other vendors’ SIM cards along with your Telit SIM cards, we recommend that you request a review with our Telit experts. We will extend special terms to customers who are using plans from other providers and who may be exposed to the vulnerability if they choose to switch to Telit.
We recommend that those with SIM cards from other vendors follow the best practices recommended by the Trusted Connectivity Alliance (TCA), formerly known as the SIMalliance. First, be very careful about where you source your SIM cards. Next, the TCA recommends implementing security for S@T push messages. This security can be introduced at the network level and the SIM card level. Visit trustedconnectivityalliance.org for more information.
Telit offers a diverse set of products, services and resources for our customers, including several SIM products such as Telit simWISE™. As with all our connectivity services and data plans, those services also are not affected by the Simjacker vulnerability.