
SIM Vulnerability leads to information disclosure via malicious SMS

137 points | lejoko | 6 years ago | simjacker.com

55 comments

falsedan|6 years ago

There's a lot of woo in the press release, but the essence is: they claim to have found an exploit in the SIM Application Toolkit (specifically, in the S@T Browser [SIMalliance Toolbox Browser]), which can be triggered when the SIM processes an SMS which contains some attacker data as a payload, and results in the payload being executed by the SIM. The SIM can request some details from the phone (like Cell ID (rough location) and IMEI) and exfiltrate them (via another SMS).

The SIM Application Toolkit is fairly low-level, so has access to a few other functions, like making calls or opening applications or updating firmware. Whether these functions are permitted by the phone depends on the manufacturer, but they claim that the Cell ID & IMEI functions are widely-supported.

cypres|6 years ago

Title is misleading. No "hijacking" is taking place, they are obtaining the Cell ID (approximate location) and IMEI info from the phone, by sending it a malicious SMS containing SIM card instructions. Details: https://www.adaptivemobile.com/blog/simjacker-next-generatio...

A better title IMHO: SIM Vulnerability leads to information disclosure via malicious SMS.

farisjarrah|6 years ago

Seems like a hijack may be possible actually... Here is a list of other things they listed they can do with the simjacker exploit that goes beyond simple data exfiltration:

    > PLAY TONE
    > SEND SHORT MESSAGE
    > SET UP CALL
    > SEND USSD
    > SEND SS
    > PROVIDE LOCAL INFORMATION
    >     Location Information, IMEI, Battery, Network, Language, etc
    > POWER OFF CARD
    > RUN AT COMMAND
    > SEND DTMF COMMAND
    > LAUNCH BROWSER
    > OPEN CHANNEL
    >     CS BEARER, DATA SERVICE BEARER, LOCAL BEARER, UICC SERVER MODE, etc
    > SEND DATA
    > GET SERVICE INFORMATION
    > SUBMIT MULTIMEDIA MESSAGE
    > GEOGRAPHICAL LOCATION REQUEST

akersten|6 years ago

Why in the world is this API surface even available, and why aren't Google / Apple / handset manufacturers scrambling to patch this?

lejoko|6 years ago

For me, sending SMS messages on your behalf (without you even knowing) or dialling premium rate numbers is definitely hijacking.

dang|6 years ago

Ok, we'll go with that title above.

raintrees|6 years ago

I obtained a low-tech phone for SMS and phone calls. I then turned my Samsung Android back into a PDA by removing the SIM chip.

I explain to my clients when they express astonishment at my low-tech phone that I am protecting their security, as I have the PDA sync with my Exchange Server, where I keep sensitive info to provide them support and I do not allow the low-tech phone to access my Exchange Server.

I also tell them that I had based my decision on the track records of Google, Apple, Verizon, etc. in regards to security.

Nothing is perfect, but at least my attack surface is lessened.

haydn3|6 years ago

Isn't connecting to Microsoft being online? Unless you're running exchange on an OFFLINE, LOCAL NETWORK your outgoing traffic to Google will contain metadata and you're not stopping anything by removing the SIM card other than inconveniencing yourself.

It still calls home, it's still online. Lock down Microsoft and Google's IPs permanently, outbound, on all networks you use or this won't work.

snazz|6 years ago

I would personally much rather have my text messages and VoIP phone calls encrypted (usually iMessage and FaceTime audio, but Signal and WhatsApp are popular with Android users), which AFAIK is only available on smartphones, than split out calling and texting from a primary phone.

I’ve also heard that Apple doesn’t allow the baseband direct access to the application processor’s memory, but I don’t know how true that is. There doesn’t seem to be much thought given to this on Android phones.

mkr-hn|6 years ago

You're still at risk of baseband exploits, but those are less common.

rando444|6 years ago

The youtube-conspiracy-style intro video and lack of details does not instill a feeling of credibility.

vectorEQ|6 years ago

so many companies who offer these services since forever. verint, gamma, etc. etc.

1 or 2 binary SMS sent and you have someone's phone, depending on your flavor of attack.

sim card runs java. with sim pin you can even just send apdu requests to read its filesystem...

don't know why now all of a sudden this is a hot topic. it's the whole design of the mobile infrastructure to be able to do this...

just think about it: if you clone someone's phone via such a method, and they get called, you get called. if you then pick up within ~1 second of them picking up, your speaker is enabled but microphone is disabled so they can't hear you snooping in on them.... that is by design.

between carriers everything is unauthenticated, to enable this at global scale... by design.

markovbot|6 years ago

There doesn't seem to be a lot of specifics here. Does this mean I can send anyone a text that has some magical character in it to trigger this S@T Browser to execute arbitrary AT commands? Or is this some kind of special SMS like a type-0 SMS or something?

archi42|6 years ago

That SIMs are exploitable was to be expected, and is another nail in the coffin of SMS 2FA. I'm just worried about the isolation between SIM and CPU - delivering a crypto locker via SMS would be an impressive feat, but wreak absolute havoc.

segfaultbuserr|6 years ago

Unsurprising, and I don't think it's a backdoor like ME, but just plain incompetence (or malpractice). It's only a matter of time and location when an exploit like this is discovered. I highly recommend this hilarious paper, Fuzzing the GSM Protocol (https://www.ru.nl/publish/pages/769526/scriptie-brinio-final...). By feeding the phones random GSM data with a Software-Defined Radio, it showed most dumb and smartphones have serious memory corruption issues. Just start reading from Page 27, Chapter 5.

* Read Memory

> On two different phones it was possible to read out (part of) the phone memory. The most interesting of these phones was the Nokia 2600, where a text message would get stored that shows a seemingly random part of the phone memory upon opening. Closing and reopening of the same message would display a different part of the memory, sometimes also causing a reboot of the phone.

> On the Samsung SGH-D500 certain messages would show a strange sequence of characters when opened, but it was unclear to us where it came from. The same message would show up differently when sent multiple times, so we expect it came somewhere from memory.

* Reboot

> Seven of the sixteen phones could be forced to reboot remotely. When rebooting the network connection would be lost temporarily.

> In all but two cases reboots were caused by a discrepancy between a length field and the actual length of that field in the message, making it likely that the behaviour is caused by a buffer overflow.

* Long time DoS

> For the iPhone 4 and HTC Legend the attack with the highest impact was found. By sending a carefully crafted SMS message the phone would not display anything and also stop receiving any SMS messages altogether. In addition on the iPhone it was impossible to change network after the attack.

* Icons

> SMS offers the ability to notify a user that a voice, fax or email message is waiting to be retrieved. According to the specifications every cell phone has to show an icon on the screen when this happens. Problem is that these icons are hard to remove when they were activated illegitimately. Even though this is not an actual security risk it can be quite annoying.

(lol!)

* Unable to delete messages

> A rather annoying bug manifested itself on two cell phones, the Sony Ericsson T630 and Samsung SGH-D500. [...] They could not be viewed or deleted in any way, but they still occupied space on the SIM. The only way to delete these messages was to put the SIM in a different phone and delete them there.

> Problems like these can be quite dangerous.

Nowadays, it's an extremely dangerous problem in the age of smartphones, when the baseband processor contains proprietary, unauditable code, with no isolation between the baseband processor and the main system.
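The "discrepancy between a length field and the actual length" that the paper blames for most of the reboots is exactly what a strict SMS parser has to refuse before touching the payload. As an added example (not code from the thread, from the paper, or from the Simjacker write-up), here is a Python SMS-DELIVER TPDU parser laid out per 3GPP TS 23.040 that checks TP-UDL against the octets actually present, walks the user data header instead of trusting UDHL, and flags the SMS-PP data download shape (TP-PID 0x7F with a class 2 TP-DCS) that an OTA push to the SIM such as the S@T Browser one discussed above would take. The originator number, payloads and the two deliberately lying PDUs are constructed test data.

```python
"""Strict SMS-DELIVER TPDU parser (field layout per 3GPP TS 23.040).
Added example for this thread; all sample PDUs below are constructed."""
from dataclasses import dataclass
from typing import Optional


class MalformedTpdu(ValueError):
    """Raised where a lenient parser would index past the buffer."""


@dataclass
class SmsDeliver:
    originator: str
    pid: int
    dcs: int
    user_data: bytes                    # TP-UD, including any UDH
    user_data_header: Optional[bytes]   # UDH information elements, without UDHL


def _need(buf: bytes, off: int, n: int, what: str) -> None:
    if off + n > len(buf):
        raise MalformedTpdu(f"{what}: need {n} octet(s) at {off}, have {len(buf) - off}")


def ud_octets(dcs: int, udl: int) -> int:
    """Octets that TP-UDL implies: TP-UDL counts septets for the 7-bit default
    alphabet and octets for 8-bit data and UCS2."""
    if (dcs & 0xC0) == 0x00:                 # general data coding group
        seven_bit = ((dcs >> 2) & 0x03) == 0
    elif (dcs & 0xF0) == 0xF0:               # data coding / message class group
        seven_bit = (dcs & 0x04) == 0
    else:
        seven_bit = True                     # remaining groups carry 7-bit text
    return (udl * 7 + 7) // 8 if seven_bit else udl


def parse_sms_deliver(tpdu: bytes) -> SmsDeliver:
    _need(tpdu, 0, 1, "TP-MTI")
    flags = tpdu[0]
    if (flags & 0x03) != 0x00:
        raise MalformedTpdu("TP-MTI is not SMS-DELIVER")
    udhi = bool(flags & 0x40)
    _need(tpdu, 1, 2, "TP-OA length/type")
    oa_digits, oa_len = tpdu[1], (tpdu[1] + 1) // 2
    if oa_digits > 20:                       # TP-OA is at most 12 octets in total
        raise MalformedTpdu(f"TP-OA claims {oa_digits} digits")
    _need(tpdu, 3, oa_len, "TP-OA digits")
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in tpdu[3:3 + oa_len])
    off = 3 + oa_len
    _need(tpdu, off, 10, "TP-PID/TP-DCS/TP-SCTS/TP-UDL")
    pid, dcs, udl = tpdu[off], tpdu[off + 1], tpdu[off + 9]
    off += 10
    expected, present = ud_octets(dcs, udl), len(tpdu) - off
    if expected != present:                  # the length-field lie the paper describes
        raise MalformedTpdu(f"TP-UDL={udl} implies {expected} octet(s), {present} present")
    ud = tpdu[off:]
    udh = None
    if udhi:
        if not ud or 1 + ud[0] > len(ud):
            raise MalformedTpdu("UDHL overruns TP-UD")
        udh = ud[1:1 + ud[0]]
        pos = 0
        while pos < len(udh):                # each IE is IEI, IEDL, data
            if pos + 2 > len(udh) or pos + 2 + udh[pos + 1] > len(udh):
                raise MalformedTpdu("information element overruns UDH")
            pos += 2 + udh[pos + 1]
    return SmsDeliver(digits[:oa_digits], pid, dcs, ud, udh)


def is_sim_data_download(msg: SmsDeliver) -> bool:
    """SMS-PP data download: TP-PID 0x7F ((U)SIM data download) with a class 2 TP-DCS."""
    has_class = (msg.dcs & 0xF0) == 0xF0 or ((msg.dcs & 0xC0) == 0x00 and (msg.dcs & 0x10) != 0)
    return msg.pid == 0x7F and has_class and (msg.dcs & 0x03) == 0x02


def classify(tpdu: bytes) -> str:
    try:
        msg = parse_sms_deliver(tpdu)
    except MalformedTpdu as err:
        return f"malformed: {err}"
    return "sim-data-download" if is_sim_data_download(msg) else "text"


def build_deliver(originator: str, pid: int, dcs: int, ud: bytes, udl: int,
                  udhi: bool = False) -> bytes:
    """Test-PDU builder (constructed data, TP-SCTS zeroed, TOA 0x91 international);
    udl is taken as given so that a lying length field can be produced on purpose."""
    padded = originator + ("f" if len(originator) % 2 else "")
    oa = bytes(int(padded[i + 1], 16) << 4 | int(padded[i], 16)
               for i in range(0, len(padded), 2))
    return (bytes([0x04 | (0x40 if udhi else 0), len(originator), 0x91]) + oa
            + bytes([pid, dcs]) + bytes(7) + bytes([udl]) + ud)


# Constructed samples: an OTA push whose UDH carries IEI 0x70 (SMS-PP command
# packet indicator), a 7-bit "hello", and two PDUs whose length fields lie.
SAMPLE_OTA = build_deliver("1234567890", 0x7F, 0xF6, b"\x02\x70\x00" + bytes(16), 19, udhi=True)
SAMPLE_TEXT = build_deliver("1234567890", 0x00, 0x00, bytes.fromhex("e8329bfd06"), 5)
BAD_UDL = build_deliver("1234567890", 0x7F, 0xF6, bytes(4), 40)         # claims 40, carries 4
BAD_UDH = build_deliver("1234567890", 0x7F, 0xF6, b"\x09\x70\x00", 3, udhi=True)  # UDHL 9 > 2

if __name__ == "__main__":
    for name, pdu in [("ota", SAMPLE_OTA), ("text", SAMPLE_TEXT),
                      ("bad_udl", BAD_UDL), ("bad_udh", BAD_UDH)]:
        print(f"{name:8s} {pdu.hex()} -> {classify(pdu)}")
```

The point of the equality check on TP-UDL (rather than a "at most" check) is that a baseband or SIM-side parser that reads `udl` bytes from a buffer holding fewer is the over-read, and one that trusts a UDHL larger than the user data is the same bug one level down; both are rejected before any decoding happens. The `is_sim_data_download` split is where a handset or SMSC could apply separate handling to messages destined for the SIM instead of the user.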

tinus_hn|6 years ago

> no isolation between the baseband processor and the main system.

There’s barely any connection between the baseband processor and the application processor on a smartphone.

Notice for all your examples, it’s denial of service for the functions of the baseband processor by a bug in the code run by the baseband processor. It doesn’t get access to the data available to the application processor. Except for the oldschool feature phones, where there is no separate application processor so a bug in the software run by its processor can cause the phone to reboot or reveal the memory accessible by that processor.

johnisgood|6 years ago

So how do I know if someone sent me a malicious message? Does this affect GSM only, or WCDMA, too, or does it even matter?

LinuxBender|6 years ago

Unless firmware has changed dramatically: unless you have the engineering firmware, and if they have an SS7 link, you won't even know you received anything until they choose to do something intrusive.

Haed1zoesee6|6 years ago

Will a baseband firewall protect me from this?

pingec|6 years ago

Does this break SMS 2FA?

johnisgood|6 years ago

SMS 2FA can bite you in the ass. Since the phone is with you all the time, there is a higher chance of something happening to it that makes it damaged enough for you to not be able to use it. Now, you are in possession of the password, the IP is the same as the one you signed up with, you have access to your e-mail, but you still cannot access your account. You contact support, you tell them the same thing. They will tell you they cannot help you because "security", and do nothing. You are now unable to access your account, most likely forever.

This happened to me. Any experiences or thoughts? Is it worth the risk? How do you prevent this scenario besides not using 2FA from happening? Personally I would choose to not use it though.

cypres|6 years ago

No. Although some argue that SMS 2FA is already broken, due to SS7 attacks. I don't see how this makes it any worse.

pixl97|6 years ago

Technically SMS 2FA is already broken.

ozzyman700|6 years ago

An SDR radio breaks SMS 2FA.

Smoozy23|6 years ago

I don’t understand why one would steal someone else’s phone. The main thing is, for what?

heavymark|6 years ago

Because then in most cases you bypass 2 factor authentication through SMS for people's accounts. And then steal their social media handles or anything. Sites like Twitter only allow SMS 2 factor authentication, so currently no way to avoid the issue, which is why even the CEO was just hacked. One has to assume they are working on real 2 factor authentication. That will help people in the know stay protected, but the average person, or someone who simply enables SMS 2 factor authentication, will still be vulnerable until a company like Apple or something automatically offers a 2 factor app for all sites that support 2FA.

mises|6 years ago

Sim-swap attacks, forging communications from someone (snag CEO phone; send message "wire ten million dollars now to china; we're acquiring a company!").

mercora|6 years ago

This is not about stealing someone's subscriber identity but about having unrestricted access to some ancient looking software running on the SIM card. TBH it looks like this is not really an exploit but working by design if access is actually unrestricted. SMS is used as an alternative transport for the software (S@T Browser) and apparently access should be limited to entities providing a 3DES key ... But I just skimmed over some documents so don't take my word for it ;)
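The "3DES key" gate mercora describes, and the binary-SMS-to-SIM path falsedan summarises at the top of the thread, both come down to one header. As an added example (not from the thread, the Simjacker write-up, or any SIMalliance document), here is a Python inspector for the OTA command packet layout that ETSI TS 102 225 / GSM 03.48 define for messages carried by SMS-PP data download. The two SPI octets are where the sender declares whether the card must verify a keyed cryptographic checksum (CC) or signature (DS), check a replay counter, and whether to send a proof of receipt (PoR) back by SMS; a packet that asks for none of those is the unrestricted case. The TAR, key-set indices and payload below are constructed placeholders, not the S@T Browser's real values.

```python
"""Inspector for the OTA command packet (ETSI TS 102 225 / GSM 03.48 layout) that
SMS-PP data download hands to a SIM toolkit application. Added example; TAR,
key indices and payload are constructed placeholders."""
from dataclasses import dataclass


class BadPacket(ValueError):
    pass


@dataclass
class CommandPacket:
    spi1: int          # security parameter indicator, first octet: checks the card must do
    spi2: int          # second octet: proof-of-receipt (PoR) handling
    kic: int           # ciphering key identifier
    kid: int           # integrity key identifier
    tar: bytes         # toolkit application reference: which applet gets the data
    cntr: bytes        # replay counter (ciphertext if ciphering is on)
    pcntr: int         # padding counter
    rc_cc_ds: bytes    # redundancy check / cryptographic checksum / digital signature
    secured_data: bytes

    @property
    def integrity(self) -> str:
        return ("none", "RC", "CC", "DS")[self.spi1 & 0x03]

    @property
    def ciphered(self) -> bool:
        return bool(self.spi1 & 0x04)

    @property
    def counter_mode(self) -> int:
        # 0: no counter, 1: present but unchecked, 2: must increase, 3: must be previous + 1
        return (self.spi1 >> 3) & 0x03

    @property
    def por(self) -> str:
        return ("none", "always", "on error", "reserved")[self.spi2 & 0x03]


def parse_command_packet(buf: bytes) -> CommandPacket:
    """CPL counts everything after itself; CHL counts the header after itself
    (SPI 2, KIc 1, KID 1, TAR 3, CNTR 5, PCNTR 1 = 13 octets, then RC/CC/DS)."""
    if len(buf) < 3:
        raise BadPacket("shorter than CPL + CHL")
    cpl, chl = int.from_bytes(buf[0:2], "big"), buf[2]
    if cpl != len(buf) - 2:
        raise BadPacket(f"CPL={cpl} but {len(buf) - 2} octet(s) follow")
    if chl < 13 or 3 + chl > len(buf):
        raise BadPacket(f"CHL={chl} is inconsistent with a {len(buf)}-octet packet")
    h = buf[3:3 + chl]
    return CommandPacket(h[0], h[1], h[2], h[3], h[4:7], h[7:12], h[12], h[13:], buf[3 + chl:])


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_command_packet(buf)
        return True
    except BadPacket:
        return False


def policy_verdict(pkt: CommandPacket, gated_tars: frozenset) -> str:
    """Filter rule for an SMS home router or SMSC: an OTA command addressed to a
    gated applet must carry a keyed integrity check (CC or DS; an RC is an unkeyed
    CRC) and a checked replay counter. A packet whose SPI tells the card to skip
    those checks is the unauthenticated case discussed in the thread."""
    if bytes(pkt.tar) not in gated_tars:
        return "pass: TAR not gated"
    if pkt.integrity in ("none", "RC"):
        return f"reject: integrity={pkt.integrity}, forgeable without any key"
    if not pkt.rc_cc_ds:
        return "reject: CC/DS requested but CHL leaves no room for it"
    if pkt.counter_mode < 2:
        return "reject: counter not checked, packet is replayable"
    return "accept"


def build_command_packet(spi1: int, spi2: int, tar: bytes, data: bytes,
                         cc: bytes = b"", kic: int = 0x15, kid: int = 0x15) -> bytes:
    """Constructed packets for testing. 0x15 in KIc/KID encodes the DES family,
    3DES two-key mode, key set 1; CNTR is zeroed."""
    header = bytes([spi1, spi2, kic, kid]) + tar + bytes(5) + bytes([0]) + cc
    body = bytes([len(header)]) + header + data
    return len(body).to_bytes(2, "big") + body


TOOLKIT_TAR = bytes.fromhex("b00010")          # placeholder TAR for the gated applet
GATED = frozenset({TOOLKIT_TAR})
PAYLOAD = bytes(range(1, 9))                   # opaque placeholder for applet bytecode

# SPI 00 11: no integrity, no ciphering, no counter; PoR always, returned as SMS-SUBMIT.
UNAUTH = build_command_packet(0x00, 0x11, TOOLKIT_TAR, PAYLOAD)
# SPI 1A 01: CC required, counter must be previous + 1; PoR always. 8-octet DES CC slot.
AUTH = build_command_packet(0x1A, 0x01, TOOLKIT_TAR, PAYLOAD, cc=bytes(8))
OTHER_APPLET = build_command_packet(0x00, 0x00, bytes.fromhex("000001"), PAYLOAD)

if __name__ == "__main__":
    for name, buf in [("unauth", UNAUTH), ("auth", AUTH), ("other", OTHER_APPLET)]:
        p = parse_command_packet(buf)
        print(f"{name:7s} integrity={p.integrity} ctr={p.counter_mode} por={p.por} "
              f"-> {policy_verdict(p, GATED)}")
```

The decision whether to honour an SPI that asks for no checks is made by the card, per application, through its configured minimum security level; the network-side filter above is a compensating control that drops the packet before the card sees it. It cannot verify the CC itself (that needs the KID key), only that one is demanded, so a packet that requests CC with a garbage value is still rejected by the card rather than by this filter.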

tmysl|6 years ago

Leaked emails/passwords from exploited sites + the ability to do 2fa or trigger a password reset via phone verification. People's bank accounts, bitcoin exchange wallets, etc have been hacked like this.

biggt|6 years ago

First the Intel management engine backdoor. And now this, probably first conceived when someone cards were being developed