SIM Vulnerability leads to information disclosure via malicious SMS

137 points by lejoko over 5 years ago

15 comments

falsedan over 5 years ago
There's a lot of woo in the press release, but the essence is: they claim to have found an exploit in the SIM Application Toolkit (specifically, in the S@T Browser [SIMalliance Toolbox Browser]), which can be triggered when the SIM processes an SMS which contains some attacker data as a payload, and results in the payload being executed by the SIM. The SIM can request some details from the phone (like Cell ID (rough location) and IMEI) and exfiltrate them (via another SMS).

The SIM Application Toolkit is fairly low-level, so has access to a few other functions, like making calls or opening applications or updating firmware. Whether these functions are permitted by the phone depends on the manufacturer, but they claim that the Cell ID & IMEI functions are widely supported.
cypres over 5 years ago
Title is misleading. No "hijacking" is taking place; they are obtaining the Cell ID (approximate location) and IMEI info from the phone, by sending it a malicious SMS containing SIM card instructions. Details: https://www.adaptivemobile.com/blog/simjacker-next-generation-spying-over-mobile

A better title IMHO: SIM Vulnerability leads to information disclosure via malicious SMS.
raintrees over 5 years ago
I obtained a low-tech phone for SMS and phone calls. I then turned my Samsung Android back into a PDA by removing the SIM chip.

I explain to my clients when they express astonishment at my low-tech phone that I am protecting their security, as I have the PDA sync with my Exchange Server, where I keep sensitive info to provide them support, and I do not allow the low-tech phone to access my Exchange Server.

I also tell them that I had based my decision on the track records of Google, Apple, Verizon, etc. in regards to security.

Nothing is perfect, but at least my attack surface is lessened.
ga-vu over 5 years ago
Old attack: http://blog.m-sec.net/2011/sim-toolkit-attack/
rando444 over 5 years ago
The youtube-conspiracy-style intro video and lack of details do not instill a feeling of credibility.
eternalny1 over 5 years ago
This whole site reeks of a security company trying to cash in on a previously reported issue.

The scarier they can make it, the more $$ ... they even have the domain name.

2011 ... http://blog.m-sec.net/2011/sim-toolkit-attack/
vectorEQ over 5 years ago
So many companies have offered these services since forever. Verint, Gamma, etc. etc.

1 or 2 binary SMS sent and you have someone's phone, depending on your flavor of attack.

The SIM card runs Java. With the SIM PIN you can even just send APDU requests to read its filesystem...

Don't know why now all of a sudden this is a hot topic. It's the whole design of the mobile infrastructure to be able to do this...

Just think about it: if you clone someone's phone via such a method, and they get called, you get called. If you then pick up within ~1 second of them picking up, your speaker is enabled but your microphone is disabled so they can't hear you snooping in on them.... That is by design.

Between carriers everything is unauthenticated, to enable this at global scale... by design.
markovbot over 5 years ago
There doesn't seem to be a lot of specifics here. Does this mean I can send anyone a text that has some magical character in it to trigger this S@T Browser to execute arbitrary AT commands? Or is this some kind of special SMS like a type-0 SMS or something?
archi42 over 5 years ago
That SIMs are exploitable was to be expected, and is another nail in the coffin of SMS 2FA. I'm just worried about the isolation between SIM and CPU: delivering a crypto locker via SMS would be an impressive feat, but would wreak absolute havoc.
segfaultbuserr over 5 years ago
Unsurprising, and I don't think it's a backdoor like ME, but just plain incompetence (or malpractice). It's only a matter of time and location when an exploit like this is discovered. I highly recommend this hilarious paper, Fuzzing the GSM Protocol (https://www.ru.nl/publish/pages/769526/scriptie-brinio-final-brinio_hond.pdf). By feeding the phones with random GSM data from a Software-Defined Radio, it showed most dumbphones and smartphones have serious memory corruption issues. Just start reading from page 27, Chapter 5.

* Read Memory

> On two different phones it was possible to read out (part of) the phone memory. The most interesting of these phones was the Nokia 2600, where a text message would get stored that shows a seemingly random part of the phone memory upon opening. Closing and reopening of the same message would display a different part of the memory, sometimes also causing a reboot of the phone.

> On the Samsung SGH-D500 certain messages would show a strange sequence of characters when opened, but it was unclear to us where it came from. The same message would show up differently when sent multiple times, so we expect it came somewhere from memory.

* Reboot

> Seven of the sixteen phones could be forced to reboot remotely. When rebooting the network connection would be lost temporarily.

> In all but two cases reboots were caused by a discrepancy between a length field and the actual length of that field in the message, making it likely that the behaviour is caused by a buffer overflow.

* Long time DoS

> For the iPhone 4 and HTC Legend the attack with the highest impact was found. By sending a carefully crafted SMS message the phone would not display anything and also stop receiving any SMS messages altogether. In addition on the iPhone it was impossible to change network after the attack.

* Icons

> SMS offers the ability to notify a user that a voice, fax or email message is waiting to be retrieved. According to the specifications every cell phone has to show an icon on the screen when this happens. Problem is that these icons are hard to remove when they were activated illegitimately. Even though this is not an actual security risk it can be quite annoying.

(lol!)

* Unable to delete messages

> A rather annoying bug manifested itself on two cell phones, the Sony Ericsson T630 and Samsung SGH-D500. [...] They could not be viewed or deleted in any way, but they still occupied space on the SIM. The only way to delete these messages was to put the SIM in a different phone and delete them there.

> Problems like these can be quite dangerous.

Nowadays, it's an extremely dangerous problem in the age of smartphones, when the baseband processor contains proprietary, unauditable code, with no isolation between the baseband processor and the main system.
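The paper's finding quoted above, that most reboots traced back to a length field disagreeing with the bytes actually present, is exactly the defect a bounds-checked parser rules out. As an added example (not from the thread or the paper), this C routine parses the User Data Header of an SMS TP-User-Data field and rejects any UDHL or IEDL that would run past the buffer; the two byte strings are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parse the User Data Header (UDH) at the start of an SMS TP-User-Data field.
 * Layout: UDHL | (IEI | IEDL | IED[IEDL])* | payload.  Every length byte comes
 * from the network, so each is checked against the bytes really present before
 * it moves the cursor.  Returns the IE count, or -1 on any inconsistency. */
int parse_udh(const uint8_t *ud, size_t ud_len, size_t *header_bytes)
{
    if (ud == NULL || ud_len < 1)
        return -1;
    size_t udhl = ud[0];
    /* Check 1: the declared header length must fit inside the buffer. */
    if (udhl > ud_len - 1)
        return -1;

    size_t pos = 1, end = 1 + udhl;
    int count = 0;
    while (pos < end) {
        /* Check 2: an element needs at least its IEI and IEDL bytes. */
        if (end - pos < 2)
            return -1;
        uint8_t iedl = ud[pos + 1];
        pos += 2;
        /* Check 3: the element's declared data length must stay inside the header. */
        if (iedl > end - pos)
            return -1;
        pos += iedl;
        count++;
    }
    if (header_bytes)
        *header_bytes = end;
    return count;
}

/* Constructed sample: UDHL=5, one concatenation IE (IEI 0x00, IEDL 3), then payload "Hi!". */
static const uint8_t good_ud[] = {0x05, 0x00, 0x03, 0x42, 0x02, 0x01, 'H', 'i', '!'};
/* Constructed sample: same bytes, but the IEDL claims 32 data bytes that are not there. */
static const uint8_t bad_ud[] = {0x05, 0x00, 0x20, 0x42, 0x02, 0x01, 'H', 'i', '!'};

int check_good(void) { size_t h = 0; return parse_udh(good_ud, sizeof good_ud, &h) == 1 && h == 6; }
int check_bad(void) { return parse_udh(bad_ud, sizeof bad_ud, NULL) == -1; }

int main(void)
{
    printf("well-formed UDH accepted: %d, overlong IEDL rejected: %d\n", check_good(), check_bad());
    return 0;
}
```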
johnisgood over 5 years ago
So how do I know if someone sent me a malicious message? Does this affect GSM only, or WCDMA, too, or does it even matter?
Haed1zoesee6 over 5 years ago
Will a baseband firewall protect me from this?
pingec over 5 years ago
Does this break SMS 2FA?
Smoozy23 over 5 years ago
I don’t understand why to steal someone else’s phones? The main thing: for what?
biggt over 5 years ago
First the Intel management engine backdoor. And now this, probably first conceived when someone cards were being developed