A team of security researchers has detailed a second SMS-based attack that can allow malicious actors to track users' devices by abusing little-known apps that are running on SIM cards.
This new attack, named WIBattack, is identical to Simjacker, an attack disclosed at the start of the month by mobile security firm AdaptiveMobile.
Both attacks work in the same way, and they grant access to similar commands, with the exception that they target different apps running on the SIM cards.
Mainly, Simjacker runs commands against the S@T Browser app, while WIBattack sends commands to the Wireless Internet Browser (WIB) app.
Both are Java applets that mobile telcos install on SIM cards they provide to their customers. The purpose of these apps is to allow remote management for customer devices and their mobile subscriptions.
In a report released earlier this month, AdaptiveMobile said it discovered that a "private company that works with governments" was using rogue commands sent to S@T Browser apps running on SIM cards to track individuals.
In a report published last weekend, security researchers from Ginno Security Labs said that the WIB app was also vulnerable to similar attacks, although they were not aware of any attacks.
In the case of both S@T and WIB apps, attackers can send a specially formatted binary SMS (called an OTA SMS) that will execute STK (SIM Toolkit) instructions on SIM cards on which telcos did not enable special security features.
The commands supported on the WIB app are about the same ones supported by the S@T Browser, which are:
- Get location data
- Start call
- Send SMS
- Send SS requests
- Send USSD requests
- Launch internet browser with a specific URL
- Display text on the device
- Play a tone
Just like the Simjacker attack, Ginno Security Labs researchers say this attack vector can also be abused to track users. If used by a skilled attacker, they can allow a threat actor to track a victim's location or start phone calls and listen to nearby conversations.
Researchers said they discovered the WIBattack back in 2015 when they also found the Simjacker attack (which they called S@Tattack) but did no go pubic with their findings.
They estimated the number of devices running SIM cards with a WIB app at "hundreds of millions."
Scary numbers don't hold water
But the estimations that Simjacker and WIBattack impact hundreds of millions of SIM cards may not be accurate, according to a report ZDNet received this week from SRLabs.
The first is a desktop app that users can install and test their SIM cards for security flaws. The second is an Android app that runs on rooted devices with Qualcomm chipsets and which can test smartphones for various SIM, mobile network, and OS security flaws.
Researchers used telemetry from both apps to investigate the breadth of the Simjacker and WIBattack vulnerabilities.
In total, they received data from 800 SIM card tests via the SIMTest app, from all over the world. The results revealed that most mobile telcos don't ship the S@T and WIB applets anymore.
- 9.4% of the tested SIMs have the S@T applet installed
- A subset of 5.6% are vulnerable to Simjacker, because their protection level was set to zero
- 10.7% have the WIB applet installed
- A subset of 3.5% are vulnerable to a Simjacker-style attack against the WIB applet
- In total, 9.1% of tested SIM cards were vulnerable to attacks against either S@T or WIB
Furthermore, data from more than 500,000 SnoopSnitch users revealed that only a very small number of users received OTA SMS messages, like the ones needed to exploit Simjacker and WIBattack.
- We received reports from 8 users about 29 OTA SMS targeting the S@T applet
- The first message was reported in 2016
- Most of the messages targeted users in Latin and South America
These results mean that most users today are safe from these threats, which confirms private conversations that this reporter had with mobile security experts, who said that only a handful of mobile providers across the world ship SIM cards with the two apps, mostly located in the MENA, Eastern Europe, and Latin America regions.
Not a dangerous attack, when compared to others
Users who are curious to see if their phones' SIM card runs the S@T or WIB apps can install and run the SIMTest app.
But even if the two SIM card apps are installed, the SRLabs team said it does not automatically mean the SIM card is vulnerable. To be vulnerable and exploitable, attackers would need to have the ability to send OTA SMS messages to the two apps, something that telcos can block by enabling security features on the two SIM card apps.
Unless S@T and WIB have a minimum security level (MSL) index of 0, the innate security feature present in the two apps should prevent random strangers from sending binary OTA SMS messages that trigger hidden command executions.
Karsten Nohl, a security researcher with SRLabs, also called for calm in an interview with ZDNet this week.
"In the context of mobile network hacks, Simjacker would appear less attractive to criminals than SS7 attacks or social engineering such as SIM swapping," he said.
"While SS7 hacks and SIM swaps are reported in large numbers, Simjacker attacks seem to appear only anecdotally in comparison."
In other words, you're more vulnerable to your mobile telco's employees assiginign your phone number to a hacker, rather than being bombarded with shady OTA SMS messages.