
SIM Vulnerability leads to information disclosure via malicious SMS - lejoko
https://simjacker.com/
======
falsedan
There's a lot of woo in the press release, but the essence is: they claim to
have found an exploit in the SIM Application Toolkit (specifically, in the S@T
Browser [SIMalliance Toolbox Browser]), which can be triggered when the SIM
processes an SMS which contains some attacker data as a payload, and results in
the payload being executed by the SIM. The SIM can request some details from
the phone (like Cell ID (rough location) and IMEI) and exfiltrate them (via
another SMS).

The SIM Application Toolkit is fairly low-level, so has access to a few other
functions, like making calls or opening applications or updating firmware.
Whether these functions are permitted by the phone depends on the
manufacturer, but they claim that the Cell ID & IMEI functions are widely
supported.
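
To make the delivery channel described above concrete from the handset's side, here is an added example (not code from the thread or from AdaptiveMobile) that parses SMS-DELIVER TPDU headers per 3GPP TS 23.040 and flags the messages a phone would pass straight to the SIM as SMS-PP data download (TP-PID 0x7F together with a class 2 DCS, the routing rule as I read TS 31.111). The sample TPDUs and the sender number are constructed for this example.

```python
# Added example: SMS-DELIVER TPDU header parsing (3GPP TS 23.040) and SMS-PP data download
# detection. Not code from the thread; sample TPDUs below are constructed, not captured.
SIM_DATA_DOWNLOAD_PID = 0x7F  # TP-PID "(U)SIM Data download" (TS 23.040 9.2.3.9)

def _bcd_digits(raw, ndigits):
    """TP-OA digits are reverse-nibble BCD; a 0xF high nibble is filler."""
    out = []
    for b in raw:
        out += [str(b & 0x0F)] + ([str(b >> 4)] if b >> 4 != 0xF else [])
    return "".join(out[:ndigits])

def dcs_info(dcs):
    """Return (alphabet, message_class) from TP-DCS; class is None when absent."""
    group = dcs >> 4
    if group <= 0x3:                                  # general data coding group
        alpha = {0: "gsm7", 1: "8bit", 2: "ucs2"}.get((dcs >> 2) & 3, "reserved")
        return alpha, (dcs & 3) if dcs & 0x10 else None
    if group == 0xF:                                  # data coding / message class group
        return ("8bit" if dcs & 0x04 else "gsm7"), dcs & 3
    return ("ucs2" if group == 0xE else "gsm7"), None  # message waiting groups

def parse_sms_deliver(tpdu):
    """Return originating address, TP-PID, TP-DCS and raw TP-UD of an SMS-DELIVER."""
    if tpdu[0] & 0x03:
        raise ValueError("not an SMS-DELIVER TPDU")
    ndigits, toa = tpdu[1], tpdu[2]
    n = (ndigits + 1) // 2
    oa = _bcd_digits(tpdu[3:3 + n], ndigits)
    if (toa & 0x70) == 0x10:                          # international numbering plan
        oa = "+" + oa
    i = 3 + n
    pid, dcs, udl = tpdu[i], tpdu[i + 1], tpdu[i + 9]   # 7 TP-SCTS octets sit in between
    alpha, _ = dcs_info(dcs)
    nbytes = (udl * 7 + 7) // 8 if alpha == "gsm7" else udl  # UDL counts septets for GSM 7-bit
    return {"oa": oa, "pid": pid, "dcs": dcs, "ud": bytes(tpdu[i + 10:i + 10 + nbytes])}

def is_sim_data_download(msg):
    """Assumed rule (TS 31.111): PID = SIM data download and class 2 => ME envelopes it to the SIM."""
    return msg["pid"] == SIM_DATA_DOWNLOAD_PID and dcs_info(msg["dcs"])[1] == 2

def flag_sim_bound(tpdus):
    """Originating addresses of messages the handset would route straight to the SIM."""
    return [m["oa"] for m in map(parse_sms_deliver, tpdus) if is_sim_data_download(m)]

# Constructed samples: one sender (+447700900123), zeroed timestamp, 8 opaque payload bytes.
_HDR = bytes.fromhex("040c91447700091032")       # TP-MTI/flags, TP-OA (12 digits, international)
def _sample(pid, dcs):
    return _HDR + bytes([pid, dcs]) + bytes(7) + bytes([8]) + bytes(range(8))
TEXT_SMS = _sample(0x00, 0x04)           # ordinary 8-bit message, no class
SIM_DOWNLOAD_SMS = _sample(0x7F, 0xF6)   # SIM data download, 8-bit, class 2 -> to the SIM
CLASS2_STORE_SMS = _sample(0x00, 0xF6)   # class 2 but normal PID -> stored on SIM, not enveloped
```

A baseband-side filter or a lab capture tool can apply `flag_sim_bound` to incoming TPDUs to log which senders are reaching the SIM directly.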

------
cypres
Title is misleading. No "hijacking" is taking place, they are obtaining the
Cell ID (approximate location) and IMEI info from the phone, by sending it a
malicious SMS containing SIM card instructions. Details:
[https://www.adaptivemobile.com/blog/simjacker-next-generatio...](https://www.adaptivemobile.com/blog/simjacker-next-generation-spying-over-mobile)

A better title IMHO: SIM Vulnerability leads to information disclosure via
malicious SMS.

~~~
farisjarrah
Seems like a hijack may be possible actually... Here is a list of other
things they listed they can do with the Simjacker exploit that goes beyond
simple data exfiltration:

> - PLAY TONE
> - SEND SHORT MESSAGE
> - SET UP CALL
> - SEND USSD
> - SEND SS
> - PROVIDE LOCAL INFORMATION
>   - Location Information, IMEI, Battery, Network, Language, etc
> - POWER OFF CARD
> - RUN AT COMMAND
> - SEND DTMF COMMAND
> - LAUNCH BROWSER
> - OPEN CHANNEL
>   - CS BEARER, DATA SERVICE BEARER, LOCAL BEARER, UICC SERVER MODE, etc
> - SEND DATA
> - GET SERVICE INFORMATION
> - SUBMIT MULTIMEDIA MESSAGE
> - GEOGRAPHICAL LOCATION REQUEST

~~~
mercora
Running arbitrary AT commands gives lots of potential... I wish they would
provide (a lot) more details about their claims :(

~~~
garaetjjte
When I recently watched this talk,
[https://www.youtube.com/watch?v=31D94QOo2gY](https://www.youtube.com/watch?v=31D94QOo2gY),
I wondered about that, that is, whether a malicious STK app from the network
operator could execute AT commands on the phone (and compromise the device
using commands from
[https://www.usenix.org/node/217625](https://www.usenix.org/node/217625)).

But from what I gathered from a cursory search, RUN AT COMMAND isn't supported
by most devices. (ETSI TS 102 223 states: "This clause applies if class "b" is
supported by the terminal and enabled by the subscriber through the terminal.")

------
raintrees
I obtained a low-tech phone for SMS and phone calls. I then turned my Samsung
Android back into a PDA by removing the SIM chip.

I explain to my clients when they express astonishment at my low-tech phone
that I am protecting their security, as I have the PDA sync with my Exchange
Server, where I keep sensitive info to provide them support and I do not allow
the low-tech phone to access my Exchange Server.

I also tell them that I had based my decision on the track records of Google,
Apple, Verizon, etc. in regards to security.

Nothing is perfect, but at least my attack surface is lessened.

~~~
haydn3
Isn't connecting to Microsoft being online? Unless you're running exchange on
an OFFLINE, LOCAL NETWORK your outgoing traffic to Google will contain
metadata and you're not stopping anything by removing the SIM card other than
inconveniencing yourself.

It still calls home, it's still online. Lock down Microsoft and Google's IPs
permanently, outbound, on all networks you use or this won't work.

~~~
raintrees
I run my own servers, so no, no connection to Microsoft except for updates.

Google is not involved, my DNS is my own server with the base servers as their
lookups, not Google DNS. My PDA only connects over WiFi, since there is no
SIM.

So unless Google is purposely getting involved with a WiFi connection to a
local, private server, they are not involved, either.

I stripped off all of the other apps as well.

~~~
raintrees
To further clarify, I have been a dev for 30 years, mostly the Microsoft
arena, and more recently, Linux. I also run a service business for small
business clients, and eat my own dog food. In so doing, I have off and on
again been an MSDN member, which included licenses (for development) of the
Microsoft technology stack, which until recently included their Small Business
Server product. That is how I got my start.

I have run my own Exchange Server(s) since 1995. And DNS, DHCP, etc.

------
ga-vu
Old attack: [http://blog.m-sec.net/2011/sim-toolkit-attack/](http://blog.m-sec.net/2011/sim-toolkit-attack/)

------
rando444
The youtube-conspiracy-style intro video and lack of details does not instill
a feeling of credibility.

------
eternalny1
This whole site reeks of a security company trying to cash in on a previously
reported issue.

The scarier they can make it, the more $$ ... they even have the domain name.

2011 ... [http://blog.m-sec.net/2011/sim-toolkit-attack/](http://blog.m-sec.net/2011/sim-toolkit-attack/)

------
vectorEQ
So many companies who offer these services since forever. Verint, Gamma, etc.
etc.

1 or 2 binary SMS sent and you have someone's phone depending on your flavor of
attack.

SIM card runs Java. With SIM PIN you can even just send APDU requests to read
its filesystem...

Don't know why now all of a sudden this is a hot topic. It's the whole design
of the mobile infrastructure to be able to do this...

Just think about it: if you clone someone's phone via such a method, and they get
called, you get called. If you then pick up within ~1 second of them picking
up, your speaker is enabled but microphone is disabled so they can't hear you
snooping in on them.... That is by design.

Between carriers everything is unauthenticated, to enable this at global
scale... by design.

------
markovbot
There doesn't seem to be a lot of specifics here. Does this mean I can send
anyone a text that has some magical character in it to trigger this S@T
Browser to execute arbitrary AT commands? Or is this some kind of special SMS
like a type-0 SMS or something?

------
archi42
That SIMs are exploitable was to be expected, and is another nail in the coffin
of SMS 2FA. I'm just worried about the isolation between SIM and CPU -
delivering a crypto locker via SMS would be an impressive feat, but wreak
absolute havoc.

------
segfaultbuserr
Unsurprising, and I don't think it's a backdoor like ME, but just plain
incompetence (or malpractice). It's only a matter of time and location when an
exploit like this is discovered. I highly recommend this hilarious paper,
_Fuzzing the GSM Protocol_ ([https://www.ru.nl/publish/pages/769526/scriptie-brinio-final...](https://www.ru.nl/publish/pages/769526/scriptie-brinio-final-brinio_hond.pdf)).
By feeding the phones random GSM data with a Software-Defined Radio, it showed
most dumb and smartphones have serious memory corruption issues. Just start
reading from page 27, Chapter 5.

* Read Memory

> _On two different phones it was possible to read out (part of) the phone
> memory. The most interesting of these phones was the Nokia 2600, where a
> text message would get stored that shows a seemingly random part of the
> phone memory upon opening. Closing and reopening of the same message would
> display a different part of the memory, sometimes also causing a reboot of
> the phone._

> _On the Samsung SGH-D500 certain messages would show a strange sequence of
> characters when opened, but it was unclear to us where it came from. The
> same message would show up differently when sent multiple times, so we
> expect it came somewhere from memory._

* Reboot

> _Seven of the sixteen phones could be forced to reboot remotely. When
> rebooting the network connection would be lost temporarily._

> _In all but two cases reboots were caused by a discrepancy between a length
> field and the actual length of that field in the message, making it likely
> that the behaviour is caused by a buffer overflow._

* Long time DoS

> _For the iPhone 4 and HTC Legend the attack with the highest impact was
> found. By sending a carefully crafted SMS message the phone would not
> display anything and also stop receiving any SMS messages altogether. In
> addition on the iPhone it was impossible to change network after the
> attack._

* Icons

> _SMS offers the ability to notify a user that a voice, fax or email message
> is waiting to be retrieved. According to the specifications every cell phone
> has to show an icon on the screen when this happens. Problem is that these
> icons are hard to remove when they were activated illegitimately. Even
> though this is not an actual security risk it can be quite annoying._

(lol!)

* Unable to delete messages

> _A rather annoying bug manifested itself on two cell phones, the Sony
> Ericsson T630 and Samsung SGH-D500. [...] They could not be viewed or
> deleted in any way, but they still occupied space on the SIM. The only way
> to delete these messages was to put the SIM in a different phone and delete
> them there._

> _Problems like these can be quite dangerous._

Nowadays, it's an extremely dangerous problem in the age of smartphones, when
the baseband processor contains proprietary, unauditable code, with no
isolation between the baseband processor and the main system.

~~~
tinus_hn
> no isolation between the baseband processor and the main system.

There’s barely any connection between the baseband processor and the
application processor on a smartphone.

Notice for all your examples, it’s denial of service for the functions of the
baseband processor by a bug in the code run by the baseband processor. It
doesn’t get access to the data available to the application processor. Except
for the oldschool feature phones, where there is no separate application
processor so a bug in the software run by its processor can cause the phone to
reboot or reveal the memory accessible by that processor.

~~~
effie
Barely any connection? Like if there is only a single wire, it's fine because
the data exfiltration / os manipulation takes long? Oh please. These two
processors are interconnected and most of phones run some unknown
untrustworthy software on both of them.

Some attacks: [https://www.fsf.org/blogs/community/replicant-developers-fin...](https://www.fsf.org/blogs/community/replicant-developers-find-and-close-samsung-galaxy-backdoor)

~~~
tinus_hn
Which has absolutely nothing to do with isolation. The two processors are not
‘interconnected’, they are separate and can only communicate through defined
interfaces. That’s isolation. If there is a backdoor on one processor that
grants access to the other the problem is that backdoor and not some nebulous
interconnection.

If your computer runs a backdoor that grants access to anyone who can access
it over the network, the problem that someone from China can now control your
computer is not the fault of the Internet. It’s the fault of that program.

And also ‘most of phones’ in the article is ‘Android phones’ and then it’s
watered down even more to ‘Samsung Galaxy phones’. ‘In most devices, for all
we know, [...]’. No.

~~~
effie
Well they do not read directly each other's memory, but still the baseband
processor is electrically connected and so can exfiltrate data from or
manipulate the application processor. On the other hand, if you have two
phones glued together, one for voice/sms, one for internet access via
independent network without microphone, the first one cannot
exfiltrate/manipulate the second one and the second one cannot record your
voice. _That_ is isolation.

~~~
tinus_hn
No, because there is a connection between both of these devices and all other
devices on the phone network and the internet. It’s just bullshit and on top
of that overcomplicated nonsense no one is going to use.

~~~
effie
I'm talking about physically isolated computers connected to separate
networks, not connected to the same untrusted network. The meaning of the
isolation is that while operator of each network has one class of data
(voice/sms vs. the internet), neither has both of them.

------
johnisgood
So how do I know if someone sent me a malicious message? Does this affect GSM
only, or WCDMA, too, or does it even matter?

~~~
LinuxBender
Unless firmware has changed dramatically, then unless you have the engineering
firmware and if they have an SS7 link, you won't even know you received
anything until they choose to do something intrusive.

------
Haed1zoesee6
Will a baseband firewall protect me from this?

------
pingec
Does this break SMS 2FA?

~~~
johnisgood
SMS 2FA can bite you in the ass. Since the phone is with you all the time,
there is a higher chance of something happening to it that makes it damaged
enough for you to not be able to use it. Now, you are in possession of the
password, the IP is the same as the one you signed up with, you have access to
your e-mail, but you still cannot access your account. You contact support,
you tell them the same thing. They will tell you they cannot help you because
"security", and do nothing. You are now unable to access your account, most
likely forever.

This happened to me. Any experiences or thoughts? Is it worth the risk? How do
you prevent this scenario from happening, besides not using 2FA? Personally I
would choose to not use it though.

~~~
tiborsaas
> You are now unable to access your account, most likely forever.

Nah, you just have to wait till you order a new SIM from your carrier.

Some companies also offer offline, 1 time passwords. 2FA SMS can be a pain in
such cases, but it's not that bad.

~~~
johnisgood
Oh, I just noticed I typed " _SMS_ 2FA". My bad! In that case, you are
correct, but in my particular case I lost all data related to Google
Authenticator, including the shared secret. Customer service refused to help,
despite having had the same phone number, because it was not SMS-based 2FA.
Sorry! I should not get on HN when so mentally exhausted. :(

~~~
tiborsaas
We use Google Authenticator too at work, I had to go to IT in person to get a
new one when I got a new phone. It makes sense to refuse to give you one based
solely on the phone number. However, there should be a process to renew these
credentials, phones die too.

------
Smoozy23
I don’t understand why to steal someone else’s phones? The main thing for
what?

~~~
heavymark
Because then in most cases you bypass 2 factor authentication through SMS for
people's accounts. And then steal their social media handles or anything.
Sites like Twitter only allow SMS 2 factor authentication, so currently no way
to avoid the issue, which is why even the CEO was just hacked. One has to
assume they are working on real 2 factor authentication. That will help people
in the know stay protected, but the average person who simply enables SMS 2
factor authentication will still be vulnerable until a company like Apple or
something automatically offers a 2 factor app for all sites that support 2FA.

~~~
zucked
I've been mitigating this vector best I can by associating any of my accounts
that only offer 2FA via SMS to a Google Voice number / Google account that can
only be accessed via Token/Backup codes.

------
biggt
First the Intel management engine backdoor. And now this, probably first
conceived when someone cards were being developed

