STK, A-OK? Mobile messaging attacks on vulnerable SIMs

Our Chief Technical Officer, Cathal Mc Daid recently presented his paper ‘STK, A-OK? Mobile messaging attacks on vulnerable SIMs’ at the world-renowned Virus Bulletin international conference. We were delighted to contribute to this year’s Virus Bulletin Conference which featured the latest and best research on malware, malicious actors, and threat intelligence. We participated virtually this year with security researchers from around the world, the event brought together the brains of IT security from around the globe to learn, debate, pass on their knowledge and move the industry forward.

Cathal shared details of his latest research on mobile messaging attacks, looking back at vulnerabilities like Simjacker, investigating what other types of mobile messaging attacks may be possible, examining how the industry responds to disclosures of these types of vulnerabilities and how we can protect against future threats.

You can watch the full on demand presentation that is available now from Virus Bulletin.

Read some of the highlights from his presentation below.

Simjacker, a recap

Two years ago, at VB 2019 AdaptiveMobile Security revealed details about the Simjacker vulnerability. The attacks associated with Simjacker exploited a vulnerability in a specific UICC (SIM card) application called the S@T Browser. This application was being used surreptitiously by surveillance companies to track the location of tens of thousands of mobile phone users. Even more worryingly, the vulnerability itself was present in several hundred million SIM cards globally. The impact of Simjacker at the time could not be underestimated. Since then we continued our research to better understand, defend and protect against these types of vulnerabilities and associated attacks in the future.

Could there be other similar mobile phone security vulnerabilities?

To assess the potential for other similar types of UICC application vulnerabilities we looked at the delivery mechanism for the Simjacker attacks which were Binary SMS.

Some of the common uses of Binary SMS are for delivering missed call notifications or to change roaming settings. A smaller percentage of these Binary SMS messages are sent directly to UICCs (SIM cards) and used to make changes to SIM card settings. Binary SMSs are used more than one might think, on the delivery side, and the volumes of Binary SMS traffic are quite regular. Based on our analysis of three mobile operators’ traffic, we observed that binary SMS accounted for between 35-39% of the traffic.
Malicious uses of Binary SMS

In the last 20 years, there have been regular disclosures of vulnerabilities associated with Binary SMS. Initially the vulnerabilities that were reported were quite simple, mostly leading to denial-of-service attacks but more recent ones such as Simjacker are far more complex and can be used to extract data from phones.

Some of the Binary SMS vulnerabilities reported in recent years have received media publicity such as Curse of Silence, SMS of death, MONKEYCALENDAR to name a few. The vast majorities of these attacks target the device or the OS to do denial of service type attacks but some of the more recent Binary SMS type attacks such as Simjacker and the WIB attack, have targeted the SIM card itself to perform more advanced logic, this gives greater scope for exploiting subscribers.

When should we worry about these types of vulnerabilities?

Simjacker and other vulnerabilities such as WIB attack, used Binary SMS that were directed to the specific vulnerable UICC (SIM Card) application. Our researchers investigated what other UICC (SIM card) applications are vulnerable by looking at certain security parameters. Full technical details and methodologies are available for download in the research paper here.

The main technical parameter we worry about is an Security Parameter Indicator (SPI) value in the encoding of the message. If the first five bits of this SPI value are set to 0s this means there is no security, and the UICC will accept binary SMSs from any source.

Are there more of these vulnerable SIM card applications?

We did an analysis over a yearlong period 2020/21 of global inbound roaming traffic to explore volumes of Binary SMS traffic being sent to vulnerable SIM cards which had the first five bits of SPI set to 0s.

While known vulnerable S@T Browser and WIB UICC applications made up most of this traffic, there was an additional 12.95% of traffic from other UICC applications that are also potentially vulnerable to attacks. Within that 12.95% of other applications, we identified 30 unique potentially vulnerable UICC applications, active in 50 operators from 39 countries, with zero security set.

What mobile messaging attacks could be achieved and at what scale?

Realistically most of these vulnerable applications are used for simple notifications and contact exchanges and while some abuse is possible, the attack types are rather limited. However, there are some vulnerable UICC applications that have access to much more sensitive information and could be exploited for location tracking, extract information such as IMSI, SIM key or they could change roaming settings. We estimate the total probable number of subscriber SIM cards potentially affected by all of these vulnerable applications is in the region of 100 million.

The good news is that during our investigation we have not seen any of these UICC applications being actively exploited. We have communicated the findings of our research with all of the identified affected mobile network operators and gave them recommendations on how to improve their UICC application security to protect their mobile subscribers.

Which brings us to the next topic, our experience of how attackers and the mobile industry reacted to the original Simjacker vulnerability disclosures.

A look back: How we shared our Simjacker findings with the industry

We wanted to alert the mobile operators to this serious Simjacker vulnerability to safeguard vulnerable subscribers around the globe.

At the time Simjacker was being actively exploited to track tens of thousands of people and the scale of the vulnerability was worrying. In our research, we saw S@t Browser in use in 61 operators in 20 countries with up to a billion subscribers. There may also have been other unknown operators that still had the S@t Browser technology but in a dormant state.

We opted for a staged communication approach as outlined below.

Our staged approach to inform industry of Simjacker vulnerability

1. June -> Sept 2019

Firstly, we used a GSM Association Coordinated Vulnerability Disclosure (CVD) Programme to inform all the mobile industry about Simjacker and shared the information with our direct contacts.

2. Sep 12th, 2019:

Secondly, as some mobile operators are not very active in the GSM Association (CVD) group we did an initial ‘Public notification’ with publicity to notify any unaware mobile operators – we gave limited technical detail at this time, so attacks could not be replicated. This public release directed mobile operators to GSMA for more details.

3. Oct 3rd, 2019

Finally, once the community had over 4 weeks to implement protections, we did a full public Technical Information release.

Did Surveillance Companies react faster than some mobile operators to disclosure of security vulnerabilities?

From our analysis it appears that some mobile operators only reacted to the public release on Simjacker, rather than reacting during the ‘non-public’ industry notification phase of the vulnerability of the S@t Browser application. Going public with this vulnerability seems to have been the correct decision to ensure these other mobile operators responded to the vulnerability quickly.

Similarly, we analysed the behaviour of the Simjacker attackers in two affected mobile network operators. Prior to the public release, we see the attackers tracking lots of different subscribers with Simjacker. However, in the days prior to the public release we see key changes in the attacker behaviour as they vary their activity and reduce the volumes of attacks. It would seem the attackers have been alerted of the disclosure and have changed their approach. This makes us question; how much leakage of information is there to these attackers in the ‘non-public’ industry notification phase? And also, we see the speed of their response, the attackers will try to stay one step ahead with the agility of their attacking behaviour making them a difficult adversary for a sometimes slower responding mobile community.

Simjacker Attackers: how to understand, predict and defend

The unfortunate truth is that these attackers are not going away. They are well-funded surveillance companies that are intelligent, very determined and when they meet an obstruction in their route to attack, they will persist until they find another path to their target.

To protect subscribers, threat intelligence is key. We will continue to research, we need to know the capabilities of the mobile network, to better understand the attack types, analyse past attacking behaviours and have a pure security focus to predict and defend against these sophisticated attackers.

Those were some of the highlights of the presentation get access to the research

Access to Cathal’s full presentation at Virus Bulletin is available on demand here

You can download the slides of his presentation here

Read his Research Paper published by Virus Bulletin, STK, A-OK? Mobile messaging attacks on vulnerable SIMs

For more information, see our Simjacker FAQ page as well. You may also be interested in reading our post on the Pegasus spyware technology.