Putting remotely executable apps on SIM cards seemed like a good idea at the time
Last week we learned about a truly horrifying exploit known as SIMjacking can track your location without you knowing it via a stealthy text message that you’d likely never see in your messages—and that’s just the not-so-bad part.
It only gets worse.
Before getting to the keep-you-up-at-night frightening parts of SIMjacking, we have contacted our carrier partners and learned the SIMs used in Sky ECC devices are not vulnerable to this exploit. Which is the good news. The bad news is your other mobile devices—even IoT devices—might be vulnerable because SIMjacking has nothing to do with your device or your mobile OS. SIMjacking uses something you have no choice over—the SIM your carrier gives you for your phone.
When software with good intentions is abandoned and later exploited
According to Ars Technica—and their source Adaptive Mobility—the problem lies in software that sits on your phone’s SIM card (did you even know your SIM card could have software on it?) that was developed to do handy things like get data for account balances for your carrier. Seemed like a great idea at the time—give carriers easy ways to contact a subscriber’s phone push/pull data and other remote commands. Turns out when you build better systems later on and forget about the old busted stuff distracted by the new hotness, bad things happen.
The problem lies in a wee piece of software called the S@T browser (pronounced sat) that could be used to send commands via coded text messages from the carrier. The commands were part of public network specifications, not updated since 2009 mind you, so it’s not like this was secret and leaked. We’ve always known about the commands, it just took some clever person to figure out, “hey if we do this…we can do all sorts of stuff to devices…”.
The only people supposed to be able to use the S@T browser were carriers, but like trying to create a backdoor into secure messaging, it hasn’t worked out that way. According to Adaptive Mobility, SIMjacking was developed by a private “threat actor” to allow governments to get location and other data on people they wanted to keep tabs on.
Yes, we’re talking about covert, warrantless government surveillance of individuals. Again.
And the best part, because this attack focuses on one of the most agnostic parts of the mobile phone system—the SIM card itself, the attack has been demonstrated as successful on almost all models of phones on all mobile operating systems.
And all someone needs is your mobile phone number to track you…and other bad stuff.
How SIMjacking works
The Hacker News provided this diagram for the process:
Here’s how it works:
- Bad Guy Device 1 sends a specially coded SMS to the target phone
- The command (for location tracking) asks for location information (Cell-ID)
- With the Cell-ID in hand, another command sends the data to Bad Guy Device 2
To track someone the Bad Guy sends several requests over time to map which cell towers the target phone/person are connecting to. With enough Cell-ID data you can build a pretty good map of where someone is at any given time (within about 100 meters). This is bad, but it’s not the worst part. There are a bunch of other commands that can be sent to phone via S@T, like:
- Play tone
- Send short message
- Set up call
- Send USSD
- Send ss
- Provide local information (including location, battery, network, and language)
- Power off card
- Run at command
- Send DTMF command
- Launch browser
- Open channel (cs bearer, data service bearer, local bearer, UICC server mode, etc.)
- Send data
- Get service information
- Submit multimedia message
- Geographical location request
Meaning it’s possible to:
- Remotely manufacture texts that you didn’t actually write, but looks like you did
- Start a call from your phone to listen into what’s going on around the person
- Disabling the phone by powering off the card (which could be used to limit communications during protests, targeting key political dissidents, without taking down the whole cell network)
- And do other things on a target phone that would compromise location, safety, or information on the device.
As Dan Guido from security firm Trail of Bits put it in the Ars Technica article its:
“Pretty f***ing bad”
“This attack is platform-agnostic, affects nearly every phone, and there is little anyone except your cell carrier can do about it.”
How Sky ECC stops SIMjacking
SIMjacking is bad. Really bad. Beyond the whole spying on your location and controlling your device problems, the fact that it leverages something you have no control over—your SIM—makes it so much worse.
As we were analyzing this exploit internally, we mapped out the worst-case “what if…” scenarios and we’re confident it would be extremely difficult to effectively use this exploit on a Sky ECC device because:
- You need the phone number connected to the SIM card for this to work. The carriers have them, of course, but we don’t map the phone numbers to SIM cards in our management system.
- Phone numbers aren’t displayed on Sky ECC devices. Not only do we not know the phone number, neither do our users (meaning you can’t accidentally expose it).
- We don’t know exactly who has which SIM, with or without the phone number. This is part of the privacy and anonymity built into Sky ECC. While we have a connection between the Sky ECC ID and a SIM card, we don’t know who that person is. If asked “We need the ECC ID, SIM number, and phone number for John Smith” … we truly don’t have the information.
Our carrier partners have confirmed they don’t have the S@T browser on their SIM cards. This is great for not just Sky ECC users, but also the customers of those carriers. Sadly, there are billions of devices that are susceptible to SIMjacking and we can only hope the recent attention on SIMjacking will encourage carriers to change/update/fix this vulnerability.