'Simjacker' Flaw Threatens 1 Billion Phones Worldwide

A SIM card going into a smartphone. (Image credit: Foto.Touch/Shutterstock)

We're not halfway through September, but we've already got a prime candidate for Best Branded Bug of the Year.

Meet Simjacker, a vulnerability in how SIM cards for smartphones handle phone information. It's got its own logo (a mean-looking SIM card). It's got its own website. And its finder, Dublin-based Adaptive Security, evokes Dr. Evil in saying the flaw "could extend to over 1 billion mobile phone users globally." 

So what is it? Well, Simjacker does not involve SIM-swapping, aka SIM-jacking, two common terms for when crooks talk a phone company into transferring your mobile phone number to their SIM card so they can break into your online accounts. (Twitter CEO Jack Dorsey may have been a recent SIM-swap victim.) Nor is Simjacker a threat to most people, at least for right now.


What it does is let specially crafted text messages silently force phones to text their geographical locations to other phones. It's being used by an unnamed spyware firm to track high-value targeted individuals on behalf of intelligence and police agencies around the world. 

The targeted people have no idea the phones are giving up their locations. Of course, there are other ways to figure out a phone's location (American authorities can often get it from the phone companies), but this method is quick, easy and persistent once you get it set up.

How Simjacker works

Simjacker's modus operandi is pretty simple. An attacker's phone, or an attacker's computer rigged with SMS-sending hardware, sends a specially crafted text message to the SIM card on the targeted individual's mobile phone. 

Instructions in the text message make the SIM card retrieve the phone's location and device IDs, then send that data to another device controlled by or working with the attacker. In that way, any specific person whose mobile phone number is known to the attacker can be quickly located.

An example of a Simjacker attack. (Image credit: Adaptive Technologies)

According to Adaptive Security, this works because of the SIM Application Toolkit (STK), a GSM standard that can give SIM cards a lot of power over the phones that use them. 

Carriers can implement various parts of the toolkit according to their needs, but one commonly used tool is the S@T browser, which lets SIM cards access the internet on their own so that the STK can be updated over the air by specially composed text messages.

You may cringe at the prospect of phones secretly installing software on command from random texts. And you'd be right. But the S@T browser, first developed in 2009, has largely been forgotten as faster, more secure communications have been deployed, says Adaptive Security -- and yet it's still present on millions of phones.

Right now, says Adaptive Security, Simjacker is being used only to track locations, but other capabilities in the STK could let other malicious SMS messages make phone calls, disable the phone, open a mobile browser or even play ringtones.

What to do about Simjacker

Fortunately, you don't really need to do anything to combat this possible threat. The attack, as Adaptive Security says, requires a "[broad] range of specific SMS, SIM Card, Handset, Sim Toolkit, S@T Browser and SS7 knowledge to craft."

Adaptive Security expects more attacks of this type, but it's already working with its mobile-carrier customers around the world to detect and block Simjacker attacks, and it's passed on the information to the GSM Association to implement more security in the S@T browser. The company plans to present more details at the Virus Bulletin conference in London in early October.
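
The article does not say how carriers detect these messages. As an added illustration (not from the article or from Adaptive Security), the Python below shows one generic screening check a carrier-side filter could apply: text messages addressed to the SIM itself, rather than to the user, are recognizable from standard header fields defined in 3GPP TS 23.040. The allowlist, phone numbers and sample messages are constructed for the example.

```python
# Added example: screen SMS-DELIVER TPDUs (3GPP TS 23.040 layout, no SMSC
# prefix) for messages addressed to the SIM rather than to the user.
SIM_DATA_DOWNLOAD_PID = 0x7F            # TP-PID value: (U)SIM data download
STK_SECURITY_IEIS = range(0x70, 0x80)   # UDH elements: (U)SIM Toolkit security headers

def parse_deliver(hex_pdu):
    """Return sender, TP-PID, TP-DCS and UDH element ids of an SMS-DELIVER."""
    b = bytes.fromhex(hex_pdu)
    if b[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    digits = b[1]                        # TP-OA length, counted in digits
    oa = b[3:3 + (digits + 1) // 2]      # b[2] is the type-of-address octet
    # Numeric addresses only: swapped-nibble BCD, padded with 0xF.
    sender = "".join(f"{o & 0x0F:x}{o >> 4:x}" for o in oa)[:digits]
    pos = 3 + len(oa)
    pid, dcs = b[pos], b[pos + 1]
    ud = b[pos + 2 + 7 + 1:]             # skip TP-SCTS (7 octets) and TP-UDL
    ieis = []
    if b[0] & 0x40 and ud:               # TP-UDHI set: user data starts with a header
        i, end = 1, 1 + ud[0]
        while i + 1 < len(ud) and i < end:
            ieis.append(ud[i])           # information element identifier
            i += 2 + ud[i + 1]           # skip its length octet and data
    return {"sender": sender, "pid": pid, "dcs": dcs, "ieis": ieis}

def screen(hex_pdu, ota_allowlist):
    """Return 'block' for SIM-addressed messages from senders not on the allowlist."""
    m = parse_deliver(hex_pdu)
    sim_addressed = (m["pid"] == SIM_DATA_DOWNLOAD_PID
                     or any(i in STK_SECURITY_IEIS for i in m["ieis"]))
    if sim_addressed and m["sender"] not in ota_allowlist:
        return "block"
    return "pass"

# Constructed samples; payload bytes are zero filler, not real toolkit commands.
SCTS = "91902101000000"                  # constructed timestamp field
OTA_ALLOWLIST = {"15555550100"}          # hypothetical operator OTA sender
UNKNOWN_TO_SIM = "440B915155550521F37FF6" + SCTS + "0702700000000000"
OPERATOR_TO_SIM = "440B915155550501F07FF6" + SCTS + "0702700000000000"
PLAIN_TEXT = "040B915155550521F30000" + SCTS + "02E834"

if __name__ == "__main__":
    for name in ("UNKNOWN_TO_SIM", "OPERATOR_TO_SIM", "PLAIN_TEXT"):
        print(name, screen(globals()[name], OTA_ALLOWLIST))
```

Sender addresses in SMS can be forged, so a real filter would treat the allowlist as one signal among several rather than as proof of origin.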

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
