A government contractor is sending malicious code to SIM cards to pull sensitive information on targets around the world, in an attack dubbed "SIMjacker." Now, a second group of researchers have detailed how prevalent SIM cards vulnerable to the attack may be, and a tool allows the public to check if their SIM card may be exposed to such hacks.
Although the percentage of SIM cards that are vulnerable to the attack is relatively low when compared to the total in circulation, the research provides new information around a novel attack being used in the wild.
"We wanted to understand the extent to which users need to worry about SIMjacker and create ways to know whether your SIM is vulnerable or even under attack," security researchers Luca Melette and Karsten Nohl from cybersecurity firm SRLabs wrote in a blog post detailing the research.
SRLabs tested 800 different SIM cards, the write-up says. These SIM cards came from 86 different countries, according to a spreadsheet of the researched countries shared with Motherboard by Melette.
Around 6 percent of the tested SIM cards were vulnerable to SIMjacker, the research says. 3.5 percent of the cards were vulnerable to a second, similar issue, the research adds. Though this is a pretty small percentage, if these results held against the total number of SIM cards being used by cell phone owners, it would potentially be tens or hundreds of millions of vulnerable SIMs.
The analysis relied on SRLab's tool called SIMtester, which the company released in 2013. Since then, SRLab has collected measurements for over 800 SIM cards that people have scanned with the tool. SIMtester is available for download from SRLabs website.
In its research paper, SRLab also wrote that "a few" SIMjacker attacks have been reported since 2016 through another SRLab tool called SnoopSnitch. Once installed on a rooted Android phone with a Qualcomm chipset, SnoopSnitch can detect certain attacks against the device.
Earlier this month, cybersecurity company AdaptiveMobile published research into SIMjacker. The attack works with a hacker sending a text message which then instructs the SIM card itself to perform certain actions, such as obtaining a target's location information. The attack can also perform some other limited functions, such as sending text messages or dialing phone numbers. The victim does not see the text message itself so is likely unaware if they have been targeted.
"This vulnerability is currently being actively exploited by a specific private company that works with governments to monitor individuals. Simjacker and its associated exploits is a huge jump in complexity and sophistication compared to attacks previously seen over mobile core networks," AdaptiveMobile wrote in a summary of the research.
The attack revolves around the presence of the so-called S@T browser on SIM cards; SRLabs' SIMtester tool detects whether the S@T browser is installed on a particular card.
AdaptiveMobile CTO Cathal McDaid told Motherboard in a phone call recently that AdaptiveMobile has seen SIMjacker exploited on devices in Colombia, Mexico, and Peru.
McDaid declined to go into detail on how he knew it was a private contractor performing the SIMjacker attack. But he did say this actor also performs SS7 attacks across the world—these attacks being ones that leverage the SS7 network and protocol used heavily for phone roaming. With these, a hacker can potentially track a phone's location, or intercept texts and calls. And that SS7 behaviour "matches a threat actor that we are quite confident is a surveillance company." He will be presenting more on the attack at the Virus Bulletin conference in October, and said he won't be naming the contractor.