A vulnerability present in 1 billion SIM cards would allow hackers to take control of phones and spy on everything the user does
A text message is all it takes to spy on virtually any cell phone with a SIM card, but also other devices with a phone card. And someone is already doing it, on behalf of governments and intelligence forces that need to spy on specific people.
That’s the alarm raised by security company AdaptiveMobile Security, which discovered that about a billion SIM cards, from over various operators, in over thirty countries around the world, can be attacked using the method dubbed “SimJacker.” In order for SimJackerr to come into action, it is not necessary to install any app or connect to any infected site, download viruses, Trojans or other malware: whoever wants to spy on us just needs to send an SMS, after which all our communications will be traceable. The user does not notice anything and, unfortunately, does not have a real method to protect himself effectively because the problem should be solved by telephone operators.
How SimJacker works
According to AdaptiveMobile Security, the SimJacker attack is not too difficult to carry out: you only need a GSM modem to send an SMS containing executable codes. These codes are then actually executed by the S@T Browser component (SIM Application Toolkit, present inside the SIM cards of most operators), starting the infection.
At this point, the hacker has practically full control over the attacked smartphone: he can read the IMEI code, geolocate the device, use it to send messages and, most importantly, force the attacked phone to launch a call to the attacker’s phone without the knowledge of the legitimate smartphone owner. Through this last command, then, it is possible to use the victim’s phone as an instrument of espionage, listening to everything that is picked up by the microphone.
One billion users at risk: how to defend yourself
AdaptiveMobile Security is convinced that there is already at least one private company that has been using, for at least two years, SimJacker to spy on a limited number of users. The instigator would be one or more foreign governments. The vulnerability affects at least one billion SIM cards around the world and defending them is almost impossible.
Theoretically, telephone operators could implement centralized security solutions that would prevent an external attack from being effective. But these solutions have yet to be decided upon or implemented. In the meantime, the user could ask to replace the SIM with a new card that is not equipped with the S@T Browser component, but it is not certain that operators are prepared for such an eventuality.