Friday, 13 September 2019 11:15

Your phone can be hacked – and there's nothing you can do about it


Researchers at AdaptiveMobile Security recently detected a new vulnerability that abuses the configuration protocols a telco uses to provision a phone, making it essentially impossible for the user to block.

Further, they have detected the use of what has been dubbed Simjacker going back at least two years.

According to AdaptiveMobile, "The main Simjacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to 'take over' the mobile phone to retrieve and perform sensitive commands.

"The attacks exploit the ability to send SIM Toolkit Messages and the presence of the S@T Browser on the SIM card of vulnerable subscribers. (The S@T Browser is normally used for browsing through the SIM card.)

"The Attack messages use the S@T Browser functionality to trigger proactive commands that are sent to the handset. The responses to these commands are sent back from the handset to the SIM card and stored there temporarily. Once the relevant information is retrieved from the handset, another proactive command is sent to the handset to send an SMS out with the information."

AdaptiveMobile asserts that over 1 billion devices are vulnerable to this attack - any device SIM that makes use of the S@T Browser.

Writing in support of the company's announcement, chief technology officer Cathal McDaid said:

"By using these commands in our own tests, we were able to make targeted handsets open up web browsers, ring other phones, send text messages and so on. These attacks could be used to fulfil such purposes as:

  • "Misinformation (e.g. by sending SMS/MMS messages with attacker controlled content)
  • "Fraud (e.g. by dialling premium rate numbers),
  • "Espionage (as well as the location retrieving attack, an attacked device could function as a listening device, by ringing a number),
  • "Malware spreading (by forcing a browser to open a web page with malware located on it)
  • "Denial of service (e.g. by disabling the SIM card)
  • "Information retrieval (retrieve other information like language, radio type, battery level etc.)

"It even may be possible to go even further — depending on handset type — which we will discuss in our VB2019 presentation. Worryingly, we are not the only people to think of these additional attacks, over the last few weeks and months we have observed the attackers themselves experiment with these different capabilities.

"Finally, another benefit of Simjacker from the attacker's perspective is that many of its attacks seem to work independent of handset types, as the vulnerability is dependent on the software on the UICC and not the device. We have observed devices from nearly every manufacturer being successfully targeted to retrieve location: Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards.

"One important note is that for some specific attacks handset types do matter. Some, such as setting up a call, require user interaction to confirm, but this is not guaranteed and older phones or devices with no keypad or screens (such as IoT devices) may not even ask for this."

Without naming the organisation, it is clear from the reporting that AdaptiveMobile knows exactly who has created and is exploiting this vulnerability, as they state, "We are quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals."

As stated earlier, the user cannot block these messages – it can only be done in the core of the telco network by blocking S@T messages that originate outside of the network.
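
A sketch of the kind of network-side check this implies, added here as an example and not taken from AdaptiveMobile or any operator: it parses an SMS-DELIVER TPDU and blocks SIM-addressed messages that did not originate in the home network. The header values are from 3GPP TS 23.040; the function names, the `from_home_network` flag and both sample TPDUs are assumptions, and the check covers every SIM Toolkit data-download message, which is broader than S@T Browser traffic alone.

```python
# Added example: flag SIM Toolkit "data download" SMS by header fields only.
# Field values are from 3GPP TS 23.040; sample TPDUs below are constructed.
from dataclasses import dataclass, field

PID_USIM_DATA_DOWNLOAD = 0x7F  # TP-PID: message is delivered to the SIM, not the user
IEI_COMMAND_PACKET = 0x70      # UDH element: SIM Toolkit security header

@dataclass
class Deliver:
    sender: str
    pid: int
    udh_ieis: list = field(default_factory=list)

def parse_sms_deliver(tpdu: bytes) -> Deliver:
    if tpdu[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(tpdu[0] & 0x40)              # user data starts with a header
    digits = tpdu[1]                          # TP-OA length in semi-octets
    oa_len = (digits + 1) // 2
    oa = tpdu[3:3 + oa_len]                   # tpdu[2] is the type-of-address
    sender = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in oa)[:digits]
    pos = 3 + oa_len
    msg = Deliver(sender, pid=tpdu[pos])
    pos += 2 + 7 + 1                          # skip PID, DCS, SCTS, UDL
    if udhi:
        end = pos + 1 + tpdu[pos]             # UDHL counts the bytes after it
        pos += 1
        while pos + 1 < end:                  # walk IEI / IEDL / data triples
            msg.udh_ieis.append(tpdu[pos])
            pos += 2 + tpdu[pos + 1]
    return msg

def is_sim_toolkit(msg: Deliver) -> bool:
    return msg.pid == PID_USIM_DATA_DOWNLOAD or IEI_COMMAND_PACKET in msg.udh_ieis

def decide(tpdu_hex: str, from_home_network: bool) -> str:
    """from_home_network is assumed to come from the signalling layer, not the TPDU."""
    msg = parse_sms_deliver(bytes.fromhex(tpdu_hex))
    if is_sim_toolkit(msg) and not from_home_network:
        return "block"
    return "allow"

# Constructed samples: a plain text SMS and a SIM-addressed one with a dummy body.
TEXT_SMS = "040B915155550501F00000" "91903111510000" "02" "E834"
SIM_SMS = "440B915155550501F07FF6" "91903111510000" "05" "0270000000"

if __name__ == "__main__":
    for name, pdu in (("text", TEXT_SMS), ("sim", SIM_SMS)):
        print(name, decide(pdu, from_home_network=False))
```

The origin flag is passed in separately because the sender address inside the TPDU is supplied by whoever submitted the message and cannot be trusted for this decision.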

AdaptiveMobile has reported the issue to the GSM Association, which has disseminated the information to its member organisations.

AdaptiveMobile will present a detailed analysis of this problem at the upcoming Virus Bulletin Conference in London on 3 October. 




David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.


