I've been researching the SimJack issue and the more I am, the more something smells fishy about it...

Yes, there has been a wide coverage of it. But every single article stems from a single source - the AdaptiveMobile report. OK, so they were the ones to discover it, so maybe that's fair. But no independent confirmations? That's odd...

And let's dig into their report too, shall we? What do we see there?

1) Comparison to Stuxnet. That's total bullshit and marketing hype, pure and simple.

2) Claim that a billion people are affected. How do we know that? Oh, it's because the mobile operators of 30 countries with that many people total are using AdapiveMobile's software. Really? Who had heard of them before? All I see is a single source of the claim - AdaptiveMobile

3) Zero technical details, besides one meaningless diagram that could mean anything. Yes, I've read the S@T specifications and commands. "Malware sent by SMS"? Gimme a break.

- The location request would return the cell, at best. There is no GPS on the card. You can't assume that's it's installed on a device that has GPS - and even if you know that it is, getting that info would require RCE.

- You can send an MMS. Sure, that's an attack surface, but unless a specific vulnerability is known and widespread for some kind of phones, that's pretty meaningless and you can do that without S@T anyway.

- You can launch a browser (if the phone has one) - but you can achieve the same results by sending a link to the victim.

- You can issue AT commands. I haven't used those since I stopped connecting to BBSes via a modem, but I can't recall anything particularly nefarious that you could do with them.

- You can send SMS from the victim's device. That might be useful to criminals for stealing money by setting up a premium SMS service but that's about it.

- Set up a phone call. Not sure how covert that can be - can it be done without the victim noticing, essentially listening to their microphone? They say, it depends on the phone. Hmmm....

- I see no evidence tha RCE is possible and even if it were, it would depend on the phone model of the victim anyway.

4) How does the average phone user determine whether this S@T thing is present on their SIM card? No answer.

5) Any particular PoC demonstrating the issue? Nope, just a claim that "a $10 GSM modem" is enough.

OK, I am not saying that the whole issue is made up. But, folks, this is NOT how you report a vulnerability affecting a billion people. Less self-aggrandizement hype and more technical details, please.

Too bad that I won't be at the Virus Bulletin conference to ask pointy questions about this issue but I somehow doubt that they would be answered there anyway... So, if any of you is going, feel free to ask on my behalf.