Submitted via IRC for Bytram
1B Mobile Users Vulnerable to Ongoing 'SimJacker' Surveillance Attack
More than one billion mobile users are at risk from a SIM card flaw being currently exploited by threat actors, researchers warn.
A vulnerability discovered in mobile SIM cards is being actively exploited to track phone owners’ locations, intercept calls and more – all merely by sending an SMS message to victims, researchers say.
Researchers on Thursday disclosed what they said is a widespread, ongoing exploit of a SIM card-based vulnerability, dubbed “SimJacker.” The glitch has been exploited for the past two years by “a specific private company that works with governments to monitor individuals,” and impacts several mobile operators – with the potential to impact over a billion mobile phone users globally, according to by researchers with AdaptiveMobile Security.
“Simjacker has been further exploited to perform many other types of attacks against individuals and mobile operators such as fraud, scam calls, information leakage, denial of service and espionage,” said researchers with AdaptiveMobile Security in a post breaking down the attack, released Thursday.
They said they “observed the hackers vary their attacks, testing many of these further exploits. In theory, all makes and models of mobile phone are open to attack as the vulnerability is linked to a technology embedded on SIM cards.”
The attack stems from a technology in SIM cards called S@T Browser (short for SIMalliance Toolbox Browser). This technology, which is typically used for browsing through the SIM card, can be used for an array of functions such as opening browsers on the phone as well as other functions like setting up calls, playing ring tones and more.
(Score: -1, Offtopic) by Anonymous Coward on Friday September 13 2019, @09:02AM
WIN CASINO GAMES WITH THIS ONE WEIRD TRICK
they never gonna hack me
(Score: 0) by Anonymous Coward on Friday September 13 2019, @09:43AM (4 children)
Is this bad? I mean, this sounds bad.
But then again I always thought Stagefright was game over but the Android phone botnet armageddon failed to materialize.
(Score: 0) by Anonymous Coward on Friday September 13 2019, @10:29AM (3 children)
This is bad if you are the target of a nation state. Do you work for the EFF? Travel to China? etc.? Then you may have exposed yourself and others to risk.
Joe Rural who never leaves town has little exposure from this.
(Score: 0) by Anonymous Coward on Friday September 13 2019, @10:36AM
Pull the SIMs. Travel in airplane mode only.
(Score: 2, Insightful) by Anonymous Coward on Friday September 13 2019, @10:42AM (1 child)
Just because this particular attacker only used it against high profile targets doesn't mean it can *only* be used against high profile targets (or that those targets somehow don't matter).
Now that the cat is out of the bag, it can potentially be used against anybody, for anything. The question is just what can it do, and can it be fixed? Tracking locations isn't that interesting for most attackers. Google already does it and hardly anyone cares. Intercepting calls, maybe. Intercept enough calls and you'll dig up something juicy, blackmailers could use it. Playing ring tones, an obnoxious prank but not really much value to criminals there either.
Probably the most useful thing ordinary criminals could do with this is hacking SMS to bypass two-factor authentication that uses SMS as one of the factors (of course there are already ways to do it, but this might be easier).
(Score: 0) by Anonymous Coward on Saturday September 14 2019, @03:39AM
Well, criminals - per the original release 2 years ago - would convert to cash by making targets call or sms pay-to-reach numbers. That's such a direct cash conversion that criminal elements will almost certainly not try for anything more complex.
High value targets, per above, are the exception. If you're an oil exec you should be wary of local paramilitaries trying to get you, and this would be one way they would track a number's location. Etc etc.
Low value targets are simply not worth dedicating time and resources to extract from, unless it's done en masse.
(Score: 0) by Anonymous Coward on Friday September 13 2019, @12:12PM (1 child)
Is there anyone surprised by the reveal?
(Score: 2) by Rosco P. Coltrane on Friday September 13 2019, @02:10PM
More generally, billions of users willingly carry a surveillance and dataraping device in their pockets, and they're being put under surveillance and dataraped by a variety of governmental and private actors, unsurprisingly.
(Score: 2) by JoeMerchant on Friday September 13 2019, @02:10PM (3 children)
Is the article helpful enough to identify if a particular SIM card is vulnerable, and/or has been compromised?
Україна досі не є частиною Росії Слава Україні🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 2) by Rosco P. Coltrane on Friday September 13 2019, @02:13PM (2 children)
Lazy and probably accurate answer: assume yes. If not, you're being shafted in many other ways anyway with your cellphone. So yes.
(Score: 2) by JoeMerchant on Friday September 13 2019, @03:10PM (1 child)
Oh, c'mon, the scare-bar only claims one billion vulnerable, out of what, like five billion SIM cards in use worldwide? And, actually compromised, that's going to be even less.
Україна досі не є частиною Росії Слава Україні🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 2) by Freeman on Friday September 13 2019, @03:49PM
That's still 1 out of 5 or 20% of all SIM cards. Is this an old bug or a current "feature"?
From the linked article:
So, it sounds like it's not terrible. Still, if you'd have reason to be worried about the authorities in any given nation you're visiting. I would highly recommend getting a burner phone for said country or something. Better yet, don't visit said country.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 1) by messymerry on Friday September 13 2019, @02:22PM (1 child)
Arrrr the supremely annoying telcos going to issue replacement fixed SIMs?
Methinks not... dot dot dot
;-D
Only fools equate a PhD with a Swiss Army Knife...
(Score: 0) by Anonymous Coward on Saturday September 14 2019, @03:41AM
Not fixable, in the same way as your BIOS wasn't fixable. You could wipe it, but other hardware depends on its functionality.
Sorry!
to make SN accept this post.
(Score: -1, Spam) by Anonymous Coward on Friday September 13 2019, @03:38PM
Blowhard lazy unskilled big talker (but no action in provable work done by "it") barbara hudson fails on C and C++ inferiority to P a s c a l on string processing security + speed advantage https://soylentnews.org/comments.pl?noupdate=1&sid=33430&page=1&cid=889635#commentwrap [soylentnews.org] also caught in lies while quoted stalking others by unidentifiable anonymous posts at the end of that post.
(Score: -1, Troll) by Anonymous Coward on Friday September 13 2019, @05:49PM
Blowhard lazy unskilled big talker (but no action in provable work done by "it") barbara hudson fails on C and C++ inferiority to P a s c a l on string processing security + speed advantage https://soylentnews.org/comments.pl?noupdate=1&sid=33430&page=1&cid=889635#commentwrap [soylentnews.org] also caught in lies while quoted stalking others by unidentifiable anonymous posts at the end of that post.