AdaptiveMobile Security have uncovered a new and previously undetected vulnerability and associated exploits, called Simjacker. This vulnerability is currently being actively exploited by a specific private company that works with governments to monitor individuals. Simjacker and its associated exploits are a huge jump in complexity and sophistication compared to attacks previously seen over mobile core networks. The main Simjacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands. The location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users. During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated. However, the Simjacker attack can be, and has been, extended further to perform additional types of attacks.
Reasons for Open Wireless
It is crucial to user privacy
Mobile phones are tracking beacons. Not only do they broadcast the location of their users with some degree of accuracy whenever they’re turned on, but phone companies keep records of every text message and call you make with them. Just as alarmingly, many wireless carriers think it is okay to record every web page you look at by default to use for advertising (or possibly other) purposes.
So smartphones are actually spy phones. But they don’t need to be. If we had enough open wireless networks available, we could change that. Startup companies—and open source projects—could make devices that used the open networks without reporting your location and communications to phone companies. Devices that skip smoothly from one open wireless network to another don’t provide the kind of granular information about your intimate activities that the current single-carrier systems do. We have two choices: let mobile privacy stay dead forever, or build an alternative open wireless future.
More details are on https://www.adaptivemobile.com/blog/simjacker-next-generation-spying-over-mobile.
So basically Simjacker requires the S@T Browser on the targeted phone, and a mobile operator allowing special SMS.
The S@T Browser (SIMalliance Toolbox Browser) can be transparently installed/removed/enabled/disabled by the mobile operator. The same is true for these special SMS that include commands for the S@T Browser.
In my opinion, this shows two things:
- You never have full control over your phone or smartphone since there are many proprietary sensors and chips in it. Just installing and hardening LineageOS doesn’t change this.
- Since Simjacker requires a mobile operator that allows SMS containing commands, and installs/enables the toolbox on targeted phones, end users can’t do much about it. Likely, most people have never heard about S@T Browser before, and they aren’t able to detect it on their phone.
Hopefully, they release more details in future.
P.S. There is already CVE-2019-16256 tracking Simjacker for Samsung phones: https://nvd.nist.gov/vuln/detail/CVE-2019-16256
You never have full control over your phone or smartphone since there are many proprietary sensors and chips in it.
Do you think this is also true for the Librem 5 phone? I’m not sure if it’s 100% free of proprietary bits here and there, would those be enough to make this vulnerability (or similar) a real threat for this device?
Does it come with an open hardware SIM card?
From their FAQ page:
Are all hardware components running completely free software, with the source code available?
[…] The mobile baseband will most likely use ROM loaded firmware, but a free software kernel driver. We intend to invest time and money toward freeing any non-free firmware.
Will this be an “open hardware” design?
Our intention is to have everything freed down to the schematic level, but have not cleared all design, patents, legal, and contractual details. We will continue to advance toward this goal as it aligns with our long-term beliefs.
They also have information available about the hardware (although they mention it is subject to updates) listed here.
It doesn’t seem to be open hardware but I’m just not familiar at all with hardware specifications, the distributors and manufacturers so I’m afraid this is as far as I can gather…
So the summary here is that it isn’t 100% open hardware/OSS. Even in case of having 100% open hardware/OSS, there is still the proprietary SIM card.
In the United States, it has been disabled on T-Mobile, AT&T, and Sprint, so most users in the US are not affected by this flaw. I don’t think we know if it has been disabled on Verizon because they did not give as much of a definitive statement regarding this issue.
I would be interested to know if anyone has information about carriers in other countries. How many people are actually affected by this issue in the first place?
In Finland all carriers have reported to not be affected.
According to ZDNet, 800 SIM cards were tested by SRLabs. 9.1% of these SIM cards were vulnerable. Affected mobile operators are mainly located in the MENA, Eastern Europe, and Latin America regions.
And there is a new attack now, called WIBattack.
Both attacks, and similar ones, show that proprietary SIM cards are basically out of the control of their end users.
Simjacker – 29 affected countries released: https://www.adaptivemobile.com/blog/simjacker-frequently-asked-questions (see question 3 for a world map).
– In Europe, at least 1 mobile operator in Italy, Cyprus, and Bulgaria is/was affected.
– At least 61 mobile operators are/were affected worldwide.
– ~861 million SIM cards are affected according to the report.