Simjacker

Simjacker is a cellular software exploit for SIM Cards discovered by AdaptiveMobile Security. 29 countries are vulnerable according to ZDNet. The vulnerability has been exploited primarily in Mexico, but also Colombia and Peru, according to the Wall Street Journal, where it was used to track the location of mobile phone users without their knowledge.

History
The vulnerability was discovered and reported to the GSM Association through its Coordinated Vulnerability Disclosure process by Cathal Mc Daid of AdaptiveMobile Security in 2019. It was first reported publicly on 12 September 2019. A technical paper and presentation was made available at the VirusBulletin conference on 3 October 2019.

Technical information
The attack works by exploiting a vulnerability in a UICC/SIM Card library called the S@T Browser. A specially formatted binary text message is sent to the victim handset, which contains a set of commands to be executed by the S@T Browser environment in the UICC. As the S@T Browser environment has access to a subset of SIM Toolkit commands, the attackers used this vulnerability to instruct the UICC to request IMEI and location information from the handset via SIM Toolkit commands. Once this was obtained the UICC then instructs the handset to exfiltrate this information to the attackers within another text message. Other types of attacks are also possible using the S@T Browser, such as forcing a mobile device to open a webpage or to make a phone call.

The attack differed from previously reported SIM Card attacks as those required the SIM key to be obtained. The Simjacker attack does not require a SIM key, only that the SIM Card has the S@T Browser library installed on it, and that the binary messages containing the S@T Browser commands can be sent to the victim.

Simjacker was registered in the Common Vulnerabilities and Exposures database as CVE-2019-16256 and CVE-2019-16257, and by the GSM Association in its Coordinated Vulnerability Disclosure process as CVD-2019-0026

Impact
The vulnerability was estimated to affect UICCs in at least 61 mobile operators in 29 countries, with estimates between a few hundred million to over a billion SIM cards affected. The researcher reported that the most probable, conservative estimate is that mid to high hundreds of millions of SIM Cards globally are affected.

The vulnerability was being actively exploited primarily in Mexico, with thousands of mobile phone users being tracked by a surveillance company over the previous 2 years using this exploit.

Mitigation
Mobile phone users can use a tool from SRLabs to see if their SIM Card is vulnerable.