There's a lot of woo in the press release, but the essence is: they claim to have found an exploit in the SIM Application Toolkit (specifically, in the S@T Browser [SIMalliance Toolbox Browser]), which can be triggered when the SIM processes an SMS which contains some attacker data as a payload, and results in the payload being executed by the SIM. The SIM can request some details from the phone (like Cell ID (rough location) and IMEI) and exfiltrate them (via another SMS).
The SIM Application Toolkit is fairly low-level, so has access to a few other functions, like making calls or opening applications or updating firmware. Whether these functions are permitted by the phone depends on the manufacturer, but they claim that the Cell ID & IMEI functions are widely-supported.
Title is misleading. No "hijacking" is taking place, they are obtaining the Cell ID (approximate location) and IMEI info from the phone, by sending it a malicious SMS containing SIM card instructions.
Details: https://www.adaptivemobile.com/blog/simjacker-next-generatio...
A better title IMHO:
SIM Vulnerability leads to information disclosure via malicious SMS.
Seems like a hijack may be possible actually... Here is a list of other things they listed that they can do with the Simjacker exploit, which go beyond simple data exfiltration:
> PLAY TONE
> SEND SHORT MESSAGE
> SET UP CALL
> SEND USSD
> SEND SS
> PROVIDE LOCAL INFORMATION
> Location Information, IMEI, Battery, Network, Language, etc
> POWER OFF CARD
> RUN AT COMMAND
> SEND DTMF COMMAND
> LAUNCH BROWSER
> OPEN CHANNEL
> CS BEARER, DATA SERVICE BEARER, LOCAL BEARER, UICC SERVER MODE, etc
> SEND DATA
> GET SERVICE INFORMATION
> SUBMIT MULTIMEDIA MESSAGE
> GEOGRAPHICAL LOCATION REQUEST
But from what I gathered from cursory search, RUN AT COMMAND isn't supported by most devices. (ETSI TS 102 223 states "This clause applies if class "b" is supported by the terminal and enabled by the subscriber through the terminal. ")
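The commands in the list above are proactive commands from ETSI TS 102 223: the card hands them to the handset as BER-TLV blobs in response to FETCH, and the handset decides which ones it honours. As an added example (not code from AdaptiveMobile, the S@T Browser or any handset), here is a decoder for that format that names the command, the PROVIDE LOCAL INFORMATION qualifier (location vs IMEI etc.) and whether the command runs without anything appearing on screen. The type-of-command and qualifier values are the TS 102 223 ones; the sample commands at the bottom are constructed by hand for illustration, and the SMS TPDU inside the SEND SHORT MESSAGE sample is dummy bytes.

```python
"""Decode UICC proactive commands (ETSI TS 102 223) and flag the ones that act
silently on the phone or the network.

Added example; not code from AdaptiveMobile, the S@T Browser or any handset.
The type-of-command and qualifier values are the TS 102 223 ones; the sample
commands at the bottom are constructed by hand for illustration.
"""
from __future__ import annotations

# Type-of-command values (TS 102 223, clause 9.4). Subset covering the list
# quoted above plus DISPLAY TEXT for contrast.
COMMAND_TYPES = {
    0x10: "SET UP CALL", 0x11: "SEND SS", 0x12: "SEND USSD",
    0x13: "SEND SHORT MESSAGE", 0x14: "SEND DTMF", 0x15: "LAUNCH BROWSER",
    0x16: "GEOGRAPHICAL LOCATION REQUEST", 0x20: "PLAY TONE",
    0x21: "DISPLAY TEXT", 0x26: "PROVIDE LOCAL INFORMATION",
    0x32: "POWER OFF CARD", 0x34: "RUN AT COMMAND", 0x40: "OPEN CHANNEL",
    0x43: "SEND DATA", 0x46: "GET SERVICE INFORMATION",
    0x61: "SUBMIT MULTIMEDIA MESSAGE",
}

# Command qualifier for PROVIDE LOCAL INFORMATION (TS 102 223, clause 8.6).
LOCAL_INFO = {
    0x00: "location information (MCC/MNC/LAC/Cell ID)", 0x01: "IMEI",
    0x02: "network measurement results", 0x03: "date, time and time zone",
    0x04: "language", 0x06: "access technology", 0x08: "IMEISV",
    0x0A: "battery charge state",
}

# Commands that collect data or reach the network without a prompt on a
# typical handset; this is the set worth logging or rate-limiting.
SILENT = {0x11, 0x12, 0x13, 0x14, 0x16, 0x26, 0x34, 0x40, 0x43, 0x61}

# Device identities (TS 102 223, clause 8.7).
DEVICES = {0x01: "keypad", 0x02: "display", 0x03: "earpiece",
           0x81: "UICC", 0x82: "terminal", 0x83: "network"}


def parse_tlvs(data: bytes) -> list[tuple[int, bytes]]:
    """Split simple TLVs: one-byte tag, then a length of one byte (0..127)
    or 0x81 followed by one byte (128..255), as TS 102 223 uses."""
    out, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length == 0x81:
            length, i = data[i], i + 1
        elif length > 0x81:
            raise ValueError(f"unsupported length byte 0x{length:02x}")
        if i + length > len(data):
            raise ValueError("TLV runs past end of data")
        out.append((tag, data[i:i + length]))
        i += length
    return out


def decode_proactive(fetch_response: bytes) -> dict:
    """Decode one proactive command as returned by FETCH (outer tag 0xD0)."""
    outer = parse_tlvs(fetch_response)
    if len(outer) != 1 or outer[0][0] != 0xD0:
        raise ValueError("expected a single proactive command TLV (tag D0)")
    # Mask the comprehension-required bit (0x80) so 0x81 and 0x01 both mean
    # "command details".
    fields = {tag & 0x7F: value for tag, value in parse_tlvs(outer[0][1])}
    number, cmd_type, qualifier = fields[0x01]
    source, dest = fields[0x02]
    info = {
        "number": number, "type": cmd_type,
        "name": COMMAND_TYPES.get(cmd_type, f"unknown (0x{cmd_type:02x})"),
        "qualifier": qualifier,
        "from": DEVICES.get(source, hex(source)), "to": DEVICES.get(dest, hex(dest)),
        "silent": cmd_type in SILENT,
    }
    if cmd_type == 0x26:
        info["requests"] = LOCAL_INFO.get(qualifier, f"qualifier 0x{qualifier:02x}")
    if cmd_type == 0x13:
        # Tag 0x0B carries the SMS TPDU the card wants the phone to send out:
        # the exfiltration leg of the attack described in the thread.
        info["tpdu_bytes"] = len(fields.get(0x0B, b""))
    return info


def audit(fetch_responses: list[bytes]) -> list[str]:
    """Names of the commands in a FETCH stream that run silently."""
    return [d["name"] for d in map(decode_proactive, fetch_responses) if d["silent"]]


# --- constructed samples ---------------------------------------------------
def tlv(tag: int, value: bytes) -> bytes:
    length = bytes([len(value)]) if len(value) < 128 else bytes([0x81, len(value)])
    return bytes([tag]) + length + value


def proactive(*parts: bytes) -> bytes:
    return tlv(0xD0, b"".join(parts))


SAMPLES = {
    # PROVIDE LOCAL INFORMATION, qualifier 0x00 = location (Cell ID etc.)
    "location": proactive(tlv(0x81, b"\x01\x26\x00"), tlv(0x82, b"\x81\x82")),
    # PROVIDE LOCAL INFORMATION, qualifier 0x01 = IMEI
    "imei": proactive(tlv(0x81, b"\x02\x26\x01"), tlv(0x82, b"\x81\x82")),
    # SEND SHORT MESSAGE towards the network; address and TPDU are dummy bytes
    "exfil": proactive(tlv(0x81, b"\x03\x13\x00"), tlv(0x82, b"\x81\x83"),
                       tlv(0x86, bytes.fromhex("91214365870921")),
                       tlv(0x8B, b"\x01\x00\x07\x91\x21\x43\x65\x87\x09\x00\x00\x05hello")),
    # DISPLAY TEXT: user-visible, not flagged
    "display": proactive(tlv(0x81, b"\x04\x21\x80"), tlv(0x82, b"\x81\x02"),
                         tlv(0x8D, b"\x04Welcome")),
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, decode_proactive(cmd))
    print("silent:", audit(list(SAMPLES.values())))
```

The decoder only tells you what the card asked for; whether the handset complies is the terminal-profile question the comment raises (RUN AT COMMAND needs class "b"), so the useful place for this logic is wherever the FETCH traffic can be observed, such as a baseband log or a SIM-in-the-middle setup.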
Google and Apple can't do anything to mitigate this.
Edit: The following is incorrect. SIM cards are self-contained computers. Among other things, they're responsible for encrypting and decrypting communications between your phone and your carrier. This means that a SIM card will see the contents of a message before your OS or other hardware in your phone does. These exploits should work just as well against "dumb" phones as smartphones because they're not attacking the actual phones.
This API exists because SIM cards are self-contained computers; they need a way to communicate with everything else.
That's not the case. SIM cards hold the permanent key for authentication and perform key derivation. Mobile data doesn't pass the SIM card; it does not perform the encryption and decryption.
Dumb/feature phones saved SMS messages to the SIM card as simple cards have a limited amount of memory that is dedicated to a crude phonebook and SMS store.
Smartphones and smarter feature phones (can) use their own storage for that. You could disable/enable the phonebook/save to SIM features on feature phones and early smartphones.
(I'm talking about win CE and symbian phones being early smartphones here)
I obtained a low-tech phone for SMS and phone calls. I then turned my Samsung Android back into a PDA by removing the SIM chip.
I explain to my clients when they express astonishment at my low-tech phone that I am protecting their security, as I have the PDA sync with my Exchange Server, where I keep sensitive info to provide them support and I do not allow the low-tech phone to access my Exchange Server.
I also tell them that I had based my decision on the track records of Google, Apple, Verizon, etc. in regards to security.
Nothing is perfect, but at least my attack surface is lessened.
Isn't connecting to Microsoft being online?
Unless you're running exchange on an OFFLINE, LOCAL NETWORK your outgoing traffic to Google will contain metadata and you're not stopping anything by removing the SIM card other than inconveniencing yourself.
It still calls home, it's still online. Lock down Microsoft and Google's IPs permanently, outbound, on all networks you use or this won't work.
I run my own servers, so no, no connection to Microsoft except for updates.
Google is not involved, my DNS is my own server with the base servers as their lookups, not Google DNS. My PDA only connects over WiFi, since there is no SIM.
So unless Google is purposely getting involved with a WiFi connection to a local, private server, they are not involved, either.
To further clarify, I have been a dev for 30 years, mostly the Microsoft arena, and more recently, Linux. I also run a service business for small business clients, and eat my own dog food. In so doing, I have off and on again been an MSDN member, which included licenses (for development) of the Microsoft technology stack, which until recently included their Small Business Server product. That is how I got my start.
I have run my own Exchange Server(s) since 1995. And DNS, DHCP, etc.
I would personally much rather have my text messages and VoIP phone calls encrypted (usually iMessage and FaceTime audio, but Signal and WhatsApp are popular with Android users), which AFAIK is only available on smartphones, than split out calling and texting from a primary phone.
I’ve also heard that Apple doesn’t allow the baseband direct access to the application processor’s memory, but I don’t know how true that is. There doesn’t seem to be much thought given to this on Android phones.
So many companies who offer these services since forever: Verint, Gamma, etc. etc.
1 or 2 binary SMS sent and you have someone's phone, depending on your flavor of attack.
SIM card runs Java. With the SIM PIN you can even just send APDU requests to read its filesystem...
Don't know why now all of a sudden this is a hot topic. It's the whole design of the mobile infrastructure to be able to do this...
Just think about it:
If you clone someone's phone via such a method, and they get called, you get called. If you then pick up within ~1 second of them picking up, your speaker is enabled but microphone is disabled so they can't hear you snooping in on them.... That is by design.
Between carriers everything is unauthenticated, to enable this at global scale... by design.
There doesn't seem to be a lot of specifics here. Does this mean I can send anyone a text that has some magical character in it to trigger this S@T Browser to execute arbitrary AT commands? Or is this some kind of special SMS like a type-0 SMS or something?
That SIMs are exploitable was to be expected, and is another nail in the coffin of SMS 2FA. I'm just worried about the isolation between SIM and CPU - delivering a crypto locker via SMS would be an impressive feat, but wreak absolute havoc.
Unsurprising, and I don't think it's a backdoor like ME, but just plain incompetence (or malpractice). It's only a matter of time and location when an exploit like this is discovered. I highly recommend this hilarious paper, Fuzzing the GSM Protocol (https://www.ru.nl/publish/pages/769526/scriptie-brinio-final...). By feeding the phones with random GSM data with a Software-Defined Radio, it showed most dumb and smartphones have serious memory corruption issues. Just start reading from Page 27, Chapter 5.
* Read Memory
> On two different phones it was possible to read out (part of) the phone memory. The most interesting of these phones was the Nokia 2600, where a text message would get stored that shows a seemingly random part of the phone memory upon opening. Closing and reopening of the same message would display a different part of the memory, sometimes also causing a reboot of the phone.
> On the Samsung SGH-D500 certain messages would show a strange sequence of characters when opened, but it was unclear to us where it came from. The same message would show up differently when sent multiple times, so we expect it came somewhere from memory.
* Reboot
> Seven of the sixteen phones could be forced to reboot remotely. When rebooting the network connection would be lost temporarily.
> In all but two cases reboots were caused by a discrepancy between a length field and the actual length of that field in the message, making it likely that the behaviour is caused by a buffer overflow.
* Long time DoS
> For the iPhone 4 and HTC Legend the attack with the highest impact was found. By sending a carefully crafted SMS message the phone would not display anything and also stop receiving any SMS messages altogether. In addition on the iPhone it was impossible to change network after the attack.
* Icons
> SMS offers the ability to notify a user that a voice, fax or email message is waiting to be retrieved. According to the specifications every cell phone has to show an icon on the screen when this happens. Problem is that these icons are hard to remove when they were activated illegitimately. Even though this is not an actual security risk it can be quite annoying.
(lol!)
* Unable to delete messages
> A rather annoying bug manifested itself on two cell phones, the Sony Ericsson T630 and Samsung SGH-D500. [...] They could not be viewed or deleted in any way, but they still occupied space on the SIM. The only way to delete these messages was to put the SIM in a different phone and delete them there.
> Problems like these can be quite dangerous.
Nowadays, it's an extremely dangerous problem in the age of smartphones, when the baseband processor contains proprietary, unauditable code, with no isolation between the baseband processor and the main system.
> no isolation between the baseband processor and the main system.
There’s barely any connection between the baseband processor and the application processor on a smartphone.
Notice for all your examples, it’s denial of service for the functions of the baseband processor by a bug in the code run by the baseband processor. It doesn’t get access to the data available to the application processor. Except for the oldschool feature phones, where there is no separate application processor so a bug in the software run by its processor can cause the phone to reboot or reveal the memory accessible by that processor.
Barely any connection? Like if there is only a single wire, it's fine because the data exfiltration / OS manipulation takes long? Oh please. These two processors are interconnected and most phones run some unknown untrustworthy software on both of them.
Which has absolutely nothing to do with isolation. The two processors are not ‘interconnected’, they are separate and can only communicate through defined interfaces. That’s isolation. If there is a backdoor on one processor that grants access to the other the problem is that backdoor and not some nebulous interconnection.
If your computer runs a backdoor that grants access to anyone who can access it over the network, the problem that someone from China can now control your computer is not the fault of the Internet. It’s the fault of that program.
And also ‘most of phones’ in the article is ‘Android phones’ and then it’s watered down even more to ‘Samsung Galaxy phones’. ‘In most devices, for all we know, [...]’. No.
Well they do not read directly each other's memory, but still the baseband processor is electrically connected and so can exfiltrate data from or manipulate the application processor. On the other hand, if you have two phones glued together, one for voice/sms, one for internet access via independent network without microphone, the first one cannot exfiltrate/manipulate the second one and the second one cannot record your voice. That is isolation.
No, because there is a connection between both of these devices and all other devices on the phone network and the internet. It’s just bullshit and on top of that overcomplicated nonsense no one is going to use.
I'm talking about physically isolated computers connected to separate networks, not connected to the same untrusted network. The meaning of the isolation is that while operator of each network has one class of data (voice/sms vs. the internet), neither has both of them.
Unless firmware has changed dramatically, then unless you have the engineering firmware and if they have an SS7 link, you won't even know you received anything until they choose to do something intrusive.
SMS 2FA can bite you in the ass. Since the phone is with you all the time, there is a higher chance of something happening to it that makes it damaged enough for you to not be able to use it. Now, you are in possession of the password, the IP is the same as the one you signed up with, you have access to your e-mail, but you still cannot access your account. You contact support, you tell them the same thing. They will tell you they cannot help you because "security", and do nothing. You are now unable to access your account, most likely forever.
This happened to me. Any experiences or thoughts? Is it worth the risk? How do you prevent this scenario besides not using 2FA from happening? Personally I would choose to not use it though.
I used to have Ting for phone service; you can require MFA, lock number porting, disable or activate or change a device/SIM, toggle voice, SMS and data, and forward calls from their multi-factor authenticated dashboard. Requested an extra SIM and kept a dumb CDMA phone lying around in case I broke, lost, or someone stole my phone. Also used an app to sync texts in case of a broken screen. Now I use Verizon and keep a spare CDMA device; you can change devices from their web portal in combination with a message syncing app. You could also port your # to Google Voice for similar features but I assumed Google will scrap it with little notice so I have not.
The reason why companies love SMS 2FA is because most people keep their phone number. In a scenario like you described, most people would walk into a <whatever their provider is> store, show ID, and get a new SIM.
This way, the company using SMS 2FA has effectively outsourced this recovery path to the phone companies. Instead of handling recovery (and potentially liability for getting it wrong) themselves, they can just tell you to go recover the phone number. And when the phone company gets it wrong, you get stuck in a nightmare of finger-pointing instead of having a clear culprit to hold responsible.
Oh, I just noticed I typed "SMS 2FA". My bad! In that case, you are correct, but in my particular case I lost all data related to Google Authenticator, including the shared secret. Customer service refused to help, despite having had the same phone number, because it was not SMS-based 2FA. Sorry! I should not get on HN when so mentally exhausted. :(
We use Google Authenticator too at work, I had to go to IT in person to get a new one when I got a new phone. It makes sense to refuse to give you based on solely the phone number. However, there should be a process to renew these credentials, phones die too.
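For the Google Authenticator case in the two comments above: the app implements RFC 4226 HOTP / RFC 6238 TOTP, so every code is a pure function of the enrolment secret and the clock. That is why nobody can regenerate codes from a phone number, and why the secret (the base32 string or otpauth:// URI shown at enrolment) is the one artefact worth backing up. Added example, not Google's code; the secret used is the RFC test key, not a real one.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP as used by Google Authenticator.

Added example, not Google's code. The secret below is the RFC 4226/6238 test
key, not a real one.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int | None = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def decode_secret(b32: str) -> bytes:
    """Authenticator apps show the secret as unpadded base32; restore the padding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check, tolerant to +/- `window` steps of clock drift, using a
    constant-time comparison so response timing does not leak digits."""
    return any(hmac.compare_digest(totp(secret, at + k * step, step), code)
               for k in range(-window, window + 1))


RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of b"12345678901234567890"

if __name__ == "__main__":
    key = decode_secret(RFC_SECRET_B32)
    # Same secret, same clock -> same code on any device, which is the whole
    # recovery story: keep the secret, and a new phone is a non-event.
    print(totp(key, 59), totp(key, 1111111109, digits=8), totp(key))
```

Two things the code makes concrete: a backup of the secret is as sensitive as the phone itself (anyone holding it produces valid codes), and the verify window is the only tolerance a server has, so a phone whose clock drifts by more than a step fails exactly like a lost one.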
Because then in most cases you bypass 2 factor authentication through SMS for people's accounts. And then steal their social media handles or anything. Sites like Twitter only allow SMS 2 factor authentication, so currently there is no way to avoid the issue, which is why even the CEO was just hacked. One has to assume they are working on real 2 factor authentication. That will help people in the know stay protected, but the average person who simply enables SMS 2 factor authentication will still be vulnerable until a company like Apple or something automatically offers a 2 factor app for all sites that support 2FA.
I've been mitigating this vector best I can by associating any of my accounts that only offer 2FA via SMS to a Google Voice number / Google account that can only be accessed via Token/Backup codes.
Sim-swap attacks, forging communications from someone (snag CEO phone; send message "wire ten million dollars now to china; we're acquiring a company!").
This is not about stealing someone's subscriber identity but about having unrestricted access to some ancient looking software running on the SIM card. TBH it looks like this is not really an exploit but working by design if access is actually unrestricted. SMS is used as an alternative transport for the software (S@T Browser) and apparently access should be limited to entities providing a 3DES key ... But I just skimmed over some documents so don't take my word for it ;)
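The "3DES key" in the comment above refers to the security header of the OTA command packet (ETSI TS 102 225, formerly GSM 03.48) that an SMS-PP data download (TP-PID 0x7F, class 2 DCS) hands straight to the UICC without displaying anything. Its SPI byte says whether the packet carries a cryptographic checksum or signature, whether it is ciphered and whether a replay counter is enforced, and the KIc/KID bytes name the algorithm and key set. As an added example (not code from the Simjacker write-up or any SIM vendor), here is a parser for that header that contrasts a packet with no integrity protection at all against one keyed with 3DES. The packets, the TAR value and the 8-byte checksum are constructed placeholders, not real card values.

```python
"""Read the security header of an OTA command packet (ETSI TS 102 225,
formerly GSM 03.48), the envelope carried in an SMS-PP data download.

Added example, not code from the Simjacker write-up or any SIM vendor. The
packets below are constructed; the TAR and the checksum bytes are
placeholders, not real card values.
"""
from __future__ import annotations

from dataclasses import dataclass

# SPI byte 1, bits b2b1: integrity mechanism on the packet.
INTEGRITY = {0: "none", 1: "redundancy check (RC)",
             2: "cryptographic checksum (CC)", 3: "digital signature (DS)"}
# SPI byte 1, bits b5b4: replay counter handling.
COUNTER = {0: "no counter", 1: "counter present but not checked",
           2: "counter must be higher than stored", 3: "counter must be exactly one higher"}
# KIc/KID: bits b2b1 algorithm family, b4b3 DES mode, b8..b5 key set index.
ALGORITHM = {0: "implicit (card defined)", 1: "DES",
             2: "AES (later TS 102 225 releases)", 3: "proprietary"}
DES_MODE = {0: "single DES CBC", 1: "triple DES, two keys",
            2: "triple DES, three keys", 3: "single DES ECB / reserved"}

FIXED_HEADER = 13  # SPI(2) + KIc(1) + KID(1) + TAR(3) + CNTR(5) + PCNTR(1)


@dataclass
class CommandPacket:
    spi: bytes
    kic: int
    kid: int
    tar: bytes
    counter: int
    padding: int
    checksum: bytes
    data: bytes


def parse_command_packet(pkt: bytes) -> CommandPacket:
    """Split CPL, CHL, the header fields and the (possibly ciphered) data."""
    cpl = int.from_bytes(pkt[0:2], "big")
    if cpl != len(pkt) - 2:
        raise ValueError(f"CPL {cpl} does not match packet length {len(pkt) - 2}")
    chl = pkt[2]  # header length from SPI through RC/CC/DS
    if chl < FIXED_HEADER or 3 + chl > len(pkt):
        raise ValueError(f"bad CHL {chl}")
    checksum_len = chl - FIXED_HEADER
    return CommandPacket(
        spi=pkt[3:5], kic=pkt[5], kid=pkt[6], tar=pkt[7:10],
        counter=int.from_bytes(pkt[10:15], "big"), padding=pkt[15],
        checksum=pkt[16:16 + checksum_len], data=pkt[16 + checksum_len:],
    )


def describe_key(byte: int) -> dict:
    return {"algorithm": ALGORITHM[byte & 0x03],
            "mode": DES_MODE[(byte >> 2) & 0x03], "keyset": byte >> 4}


def security_profile(p: CommandPacket) -> dict:
    """What the header claims. Whether a packet with integrity 'none' is
    accepted is decided by the card application's configuration, which the
    handset never sees."""
    spi1, spi2 = p.spi
    integrity = spi1 & 0x03
    return {
        "integrity": INTEGRITY[integrity],
        "ciphered": bool(spi1 & 0x04),
        "counter": COUNTER[(spi1 >> 3) & 0x03],
        "por": ["none", "required", "only on error", "reserved"][spi2 & 0x03],
        "kic": describe_key(p.kic),
        "kid": describe_key(p.kid),
        "authenticated": integrity >= 2 and len(p.checksum) > 0,
    }


def build_packet(spi: bytes, kic: int, kid: int, tar: bytes, counter: int,
                 checksum: bytes, data: bytes) -> bytes:
    """Assemble a packet; CPL counts everything from CHL onwards."""
    body = spi + bytes([kic, kid]) + tar + counter.to_bytes(5, "big") + b"\x00" + checksum + data
    chl = FIXED_HEADER + len(checksum)
    return (len(body) + 1).to_bytes(2, "big") + bytes([chl]) + body


TAR = bytes.fromhex("B00010")                  # placeholder application TAR
PAYLOAD = b"\x00\x00\x00\x00" + b"constructed push bytes"

# No integrity, no cipher, no counter: the header accepts any SMS sender.
OPEN_PACKET = build_packet(b"\x00\x00", 0x00, 0x00, TAR, 0, b"", PAYLOAD)

# CC with two-key 3DES (key set 1), ciphered, counter must be one higher,
# proof of receipt required: the profile the comment expects to be enforced.
LOCKED_PACKET = build_packet(b"\x1E\x01", 0x15, 0x15, TAR, 42, b"\xAA" * 8, PAYLOAD)

if __name__ == "__main__":
    for name, pkt in (("open", OPEN_PACKET), ("locked", LOCKED_PACKET)):
        print(name, security_profile(parse_command_packet(pkt)))
```

The checksum on the locked packet is a placeholder; on a real card it is a 3DES CBC-MAC over the header and data computed with the KID key set, and the card recomputes and compares it before the payload reaches the application.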
Leaked emails/passwords from exploited sites + the ability to do 2fa or trigger a password reset via phone verification. People's bank accounts, bitcoin exchange wallets, etc have been hacked like this.