Yesterday, security researchers at AdaptiveMobile Security revealed the existence of a new exploit they call "Simjacker," which they say allows for remote surveillance of targeted phones (among other potential actions) using nothing more than a malicious SMS. They even claim that the exploit has been actively used over the last two years by "a highly sophisticated threat actor in multiple countries." It all sounds like a pretty big deal, and unfortunately for concerned consumers, the researchers leave plenty of unanswered questions.
The attack works via SMS, with a malicious agent sending a message to a targeted phone number. Included in that message is a set of instructions meant to run on the environment built into some modern SIM cards — there's actually a tiny "computer" in there that performs some simple functions. If the SIM card is running a specific set of software, it can ask your phone for certain data like your IMEI or location, and even tell your phone to pass those details back over SMS to others. The researchers speculate that it could also be used for even more nefarious purposes, including installing malware, remote espionage, or fraud via premium rate calls. While some of those potential actions do require user interaction to ultimately succeed, the exploit provides the means to set them up.
AdaptiveMobile Security claims it is confident that the exploit was created by "a specific private company that works with governments to monitor individuals," and that the distribution of the attacks it monitored shows targeted attacks with changing priorities, the result of clear and deliberate action.
Unfortunately for us, the critical questions like "who is affected?" and "which carriers use compatible SIMs/eSIMs?" are intentionally unanswered. The researchers say that key parts of the exploit are in use by carriers in "at least 30 countries" covering over a billion people, but we don't know which markets or carriers are actually included in that list — an exclusion almost certainly meant to "bait" attention, since by that general phrasing almost anyone could be affected. While this may be a real and serious threat, the security researchers are withholding vital information for a later conference, claiming this early release is to gauge how those using the exploit react.
We have reached out to the big four US carriers to see if any of them might be affected, and so far Sprint, AT&T, and T-Mobile have told us it won't be a problem for their customers.
- AdaptiveMobile Security