Security Market Segment LS
Friday, 13 September 2019 11:15

Your phone can be hacked – and there's nothing you can do about it Featured

By
Your phone can be hacked – and there's nothing you can do about it Image sourced from simjacker.com

Researchers at AdaptiveMobile Security recently detected a new vulnerability that uses the confirguration protocols used by a telco to provision a phone, making itessentially impossible for the user to block.

Further, they have detected the use of what has been dubbed Simjacker going back at least two years.

According to Adaptive Mobile, "The main Simjacker attack involves a SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to 'take over' the mobile phone to retrieve and perform sensitive commands.

"The attacks exploit the ability to send SIM Toolkit Messages and the presence of the S@T Browser on the SIM card of vulnerable subscribers. (The S@T Browser is normally used for browsing through the SIM card.)

"The Attack messages use the S@T Browser functionality to trigger proactive commands that are sent to the handset. The responses to these commands are sent back from the handset to the SIM card and stored there temporally. Once the relevant information is retrieved from the handset, another proactive command is sent to the handset to send an SMS out with the information."

Adaptive Mobile asserts that over 1 billion devices are vulnerable to this attack - any device SIM that makes use of the S@T Browser.

Writing in support of the company's announcement, chief technology officer Cathal McDaid said:

"By using these commands in our own tests, we were able to make targeted handsets open up web browsers, ring other phones, send text messages and so on. These attacks could be used to fulfil such purposes as:

  • "Misinformation (e.g. by sending SMS/MMS messages with attacker controlled content)
  • "Fraud (e.g. by dialling premium rate numbers),
  • "Espionage (as well as the location retrieving attack an attacked device it could function as a listening device, by ringing a number),
  • "Malware spreading (by forcing a browser to open a web page with malware located on it)
  • "Denial of service (e.g by disabling the SIM card)
  • "Information retrieval (retrieve other information like language, radio type, battery level etc.)

"It even may be possible to go even further — depending on handset type — which we will discuss in our VB2019 presentation. Worryingly, we are not the only people to think of these additional attacks, over the last few weeks and months we have observed the attackers themselves experiment with these different capabilities.

"Finally, another benefit of Simjacker from the attacker's perspective is that many of its attacks seems to work independent of handset types, as the vulnerability is dependent on the software on the UICC and not the device. We have observed devices from nearly every manufacturer being successfully targeted to retrieve location: Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards.

"One important note is that for some specific attacks handset types do matter. Some, such as setting up a call, require user interaction to confirm, but this is not guaranteed and older phones or devices with no keypad or screens (such as IoT device) may not even ask for this."

Without naming the organisation, it is clear from the reporting that AdaptiveMobile knows exactly who has created and is exploiting this vulnerability, as they state, "We are quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals."

As stated earlier, the user cannot block these messages – it can only be done in the core of the telco network by blocking S@T messages that originate outside of the network.

AdaptiveMobile has reported the issue to the GSM Association, which has disseminated the information to its member organisations.

AdaptiveMobile will present a detailed analysis of this problem at the upcoming Virus Bulletin Conference in London on 3 October. 

DIGITAL MARKETING HAS NO SOCIAL DISTANCING OR TRAVEL RESTRICTIONS

As part of our Lead Machine Methodology we will help you get more leads, more customers and more business. Let us help you develop your digital marketing campaign

Digital Marketing is ideal in these tough times and it can replace face to face marketing with person to person marketing via the phone conference calls and webinars

Significant opportunity pipelines can be developed and continually topped up with the help of Digital Marketing so that deals can be made and deals can be closed

- Newsletter adverts in dynamic GIF slideshow formats

- News site adverts from small to large sizes also as dynamic GIF slideshow formats

- Guest Editorial - get your message out there and put your CEO in the spotlight

- Promotional News and Content - displayed on the homepage and all pages

- Leverage our proven event promotion methodology - The Lead Machine gets you leads

Contact Andrew our digital campaign designer on 0412 390 000 or via email andrew.matler@itwire.com

CONTACT US!

LAYER 1 ENCRIPTION A KEY TO CYBER-SECURITY SOLUTION

Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.

DOWNLOAD!

David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.

VENDOR NEWS & EVENTS

REVIEWS

Recent Comments