Targeting a heritage of the past
Exploration of the moon has left a set of man-made objects on our satellite forever. These objects, including a US flag, some commemorative plaques, personal objects belonging to astronauts, leftovers of US and Soviet rockets, etc., are a testimony to the past, but no one has any intention of using them, let alone going there to do some housekeeping.
The evolution of technology makes us always run towards the next generation and forget the items left in our world by past generations. AdaptiveMobile Security, a company that specializes in cyber telecoms security, just made public the result of their research on a new type of SIM attack that uses an old, almost forgotten technology: SIM ToolKit (STK) and the S@T browser, specified by SIMalliance in 2001. The original use of the SIM ToolKit environment was to provide the first means for the outer world to interact with a SIM card, and eventually with the handset and the end user.
The attack, called Simjacker, consists of sending a specially crafted SMS message to the targeted phone. These SMS messages can contain all types of STK commands, including sending SMS messages, making phone calls, collecting information about the device (location, IMEI, battery, language), launching a web browser, powering off the card, requesting geographical location, and exfiltrating data. Typically, these commands can allow an attacker to target the UICC/eUICC (SIM card) and use the S@T browser library as an execution environment to retrieve the IMEI of the handset, track a user’s location, send arbitrary messages on a victim’s behalf (including to premium-rate numbers for fraud purposes), spy on users, deliver malware by instructing the device’s web browser to access a malicious website, and cause a denial-of-service (DoS) condition.
According to AdaptiveMobile Security, Simjacker attacks are used by a specific private company that works with governments to monitor individuals. AdaptiveMobile Security say they have seen phone numbers from several countries being targeted by these attacks, with up to 150 specific phone numbers per day in a given country. Typically, one would think this attack is used to track a few high-profile people in a given government, political or business environment.
AdaptiveMobile Security say they have been working with their mobile operator customers to block these attacks and have communicated with both the GSMA and SIMalliance. Both bodies have issued new security recommendations to their members. More globally, mobile network operators should monitor potentially harmful SMS messages that use the S@T browser and, in the long term, should get rid of the STK / S@T technology altogether.
Legacy environments that were defined according to the security context of their time are very often open doors for hackers in our current security environment. Human factors, even more than technical issues, lead to security holes being left in complex systems: as people move from one task to another, older technologies are forgotten, and no one reconsiders them in the light of current security issues. Perhaps it is time to carry out a wide housekeeping operation on the old technologies embedded in the pocket devices that carry everything about our lives.