Security Week 38: tracking mobile devices via the SIM card

When we talk about vulnerabilities in mobile devices, we usually mean problems in Android or iOS. But do not forget the radio module and the SIM card, which are essentially separate computing devices with their own software and extensive privileges. Over the past five years there has been wide discussion of vulnerabilities in the SS7 protocol, which is used for interaction between telecom operators and is built on the assumption that the participants trust each other. Vulnerabilities in SS7 make it possible, for example, to track a subscriber's location or to intercept SMS messages carrying one-time authorization codes.



But an SS7 attack requires specialized equipment or a compromised carrier. AdaptiveMobile Security experts found (news, detailed description) an active attack on mobile phones and IoT devices that requires only a GSM modem. The attack exploits a vulnerability in the SIM Toolkit, a set of extensions to the functionality of a regular SIM card. Using one of the components of the SIM Toolkit, known as S@T Browser, an attacker can obtain the subscriber's coordinates and the device's IMEI knowing only the phone number.









According to AdaptiveMobile Security, the attack works as follows: a specially prepared SMS that invokes the S@T Browser functionality is sent to the victim's phone. In normal operation this program implements a menu system for communicating with the operator, for example to request the account balance. The attackers use its capabilities to request the IMEI and the device's location as determined from the nearest base stations. The data is sent back to the attackers as an SMS, and the owner of the phone sees neither incoming nor outgoing messages.



S@T Browser can be considered an obsolete technology from the time when mobile phones were not yet smartphones. The functionality of such software has migrated to native Android and iOS applications, and the software specifications have not been updated since 2009. For backward compatibility, however, it is still embedded in SIM cards. The decision is up to the operator, but according to the study authors' rough estimates, this specialized software is used by operators in 30 countries with a total of more than a billion subscribers.



AdaptiveMobile makes the bold claim that this is the first case of malware distributed via SMS. It is debatable whether exploiting features of the code on a SIM card should be called that, but the terminology matters less than the fact that the attack is not limited to geolocation. This method gives attackers access to other commands that are initiated by program code on the SIM card and can then be passed to the phone's main operating system. For example, it is possible to play a melody, initiate a call, send an arbitrary SMS to an arbitrary number, execute a USSD request, and so on. Not all of these functions can be triggered without the user's knowledge: on some phones, for instance, an outgoing call requires confirmation.



Another important point is that this vulnerability is being actively exploited. The researchers assume that the organizer of the attack is a private organization working for government agencies. They also estimate the number of victims: in one country, for example, attacks on 100-150 phone numbers were recorded, and some of those numbers received dozens of requests per week. Alongside the SMS requests, the same attackers exploit known vulnerabilities in the SS7 protocol.



Protection against attacks of this type depends on action by the telecom operator, which can block the messages themselves or remove the software from the SIM card. No specific protection has yet been proposed for the subscriber: a peculiarity of the attack is that it works on smartphones, on old mobile phones, and on IoT devices with a GSM module. In addition, the researchers hint that S@T Browser may not be the only weak link in the SIM card code.
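As an added illustration (not code from this digest or from the AdaptiveMobile report), here is one way an operator-side filter could recognise messages addressed to the SIM rather than to the user, using only the TP-PID and TP-DCS header fields defined in 3GPP TS 23.040. The PDUs, the sender number and the function names are constructed for the example, and address extension octets are ignored.

```python
# Added example: flag SIM-addressed SMS-DELIVER TPDUs by TP-PID / TP-DCS (3GPP TS 23.040).
# Every PDU below is a constructed sample, not captured traffic.
HDR = "040B915155550501F0"   # first octet + constructed sender 15555550100
TS = "91906121000000"        # constructed service-centre timestamp
ORDINARY = HDR + "0000" + TS + "02E834"      # PID 00, DCS 00, 7-bit text "hi"
SIM_DL = HDR + "7FF6" + TS + "0400000000"    # PID 7F, DCS F6, dummy payload
CLASS2 = HDR + "0016" + TS + "0400000000"    # PID 00, DCS 16, dummy payload

def decode_address(octets: bytes, digits: int) -> str:
    """Unpack the swapped-nibble BCD digits of a TP-OA field."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets)[:digits]

def parse_deliver(pdu_hex: str) -> dict:
    """Parse the fixed header of an SMS-DELIVER TPDU (no SMSC prefix)."""
    p = bytes.fromhex(pdu_hex)
    if len(p) < 2 or p[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    digits = p[1]                    # originator length in semi-octets
    i = 3 + (digits + 1) // 2        # offset of TP-PID
    if len(p) < i + 10:
        raise ValueError("truncated TPDU")
    return {"sender": decode_address(p[3:i], digits), "pid": p[i],
            "dcs": p[i + 1], "udl": p[i + 9], "ud": p[i + 10:]}  # 7-octet SCTS skipped

def dcs_class_and_8bit(dcs: int):
    """Return (message class or None, is_8bit_data) for DCS groups that carry a class."""
    if dcs & 0xC0 == 0x00:           # general data coding group
        cls = dcs & 0x03 if dcs & 0x10 else None
        return cls, (dcs >> 2) & 0x03 == 0x01
    if dcs & 0xF0 == 0xF0:           # data coding / message class group
        return dcs & 0x03, bool(dcs & 0x04)
    return None, False

def sim_targeted_reasons(pdu_hex: str) -> list:
    """List the header indicators that mark a message as meant for the SIM."""
    m = parse_deliver(pdu_hex)
    reasons = []
    if m["pid"] == 0x7F:
        reasons.append("TP-PID 0x7F: (U)SIM data download")
    cls, eight_bit = dcs_class_and_8bit(m["dcs"])
    if cls == 2 and eight_bit:
        reasons.append("TP-DCS: class 2 (SIM-specific), 8-bit data")
    return reasons

if __name__ == "__main__":
    for name, pdu in (("ordinary", ORDINARY), ("sim_dl", SIM_DL), ("class2", CLASS2)):
        print(name, sim_targeted_reasons(pdu) or "no SIM indicators")
```

A filter built on this would drop or quarantine flagged messages that do not originate from the operator's own provisioning platform; how that origin is verified is outside the example.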





A slightly less complex attack was described last week by Check Point specialists (news, research). Problems with setting up mobile Internet on a smartphone or a regular phone are long gone, but the mechanism for sending "network access and MMS settings" has been preserved. As the researchers found, an SMS with settings can be sent not only by operators but by anyone at all. The technique does not work in all cases and requires user confirmation, but when it does work, a cheap USB modem is again enough to carry out the attack. As a result, the attacker can replace the address of the operator's proxy server with their own (as well as the home page setting and even the contact synchronization server) and intercept the victim's mobile traffic.



Disclaimer: The opinions expressed in this digest may not coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.


