,
18 tweets,
5 min read
Read on Twitter
This thread is about #Simjacker.
A good friend asked me what I thought about it and I admitted I hadn't bothered to read up on it.
One of the things we did with @savagesec was that we wrote up advisories for our customers. A lot of them had to do with these 'named' vulns.
A good friend asked me what I thought about it and I admitted I hadn't bothered to read up on it.
One of the things we did with @savagesec was that we wrote up advisories for our customers. A lot of them had to do with these 'named' vulns.
My first impression is superficial and not positive. We've got all the red flags here.
🚩named vulnerability
🚩logo (animated, even!)
🚩dark, ominous video
🚩lacking key, important details
🚩lead gen form to download paper
🚩named vulnerability
🚩logo (animated, even!)
🚩dark, ominous video
🚩lacking key, important details
🚩lead gen form to download paper
I wrote up advisories for some big ones - BlueBorne, KRACK, EFail, Meltdown/Spectre and others.
In addition to the common denominators above, they all had some stuff in common. They claimed HUGE impact, when the impact was actually much smaller because of circumstances.
In addition to the common denominators above, they all had some stuff in common. They claimed HUGE impact, when the impact was actually much smaller because of circumstances.
The situation with #Simjacker is no different. The impact is much, much smaller than most media writeups would have you believe.
"Simjacker Can Track Phones Just by Sending a Text"
"SimJacker attack allows hacking any phone with just an SMS"
Both headlines are wrong.
"Simjacker Can Track Phones Just by Sending a Text"
"SimJacker attack allows hacking any phone with just an SMS"
Both headlines are wrong.
I should point out that, while I understand how SIM cards work, I've not done any deep research into them myself.
As with most of my other advisories, my opinions here are based on primary sources and my own testing.
As with most of my other advisories, my opinions here are based on primary sources and my own testing.
#Simjacker works by exploiting a lack of security in a product called S@T Browser. Like many baseband attacks, this is software intended to be used by the mobile operator, not simple folk like you and I.
Also like many baseband vulns, obscurity is not a substitute for security.
Also like many baseband vulns, obscurity is not a substitute for security.
Before we cover the bigger issues with how this vulnerability was reported, let's take a closer look at what can be done with it.
It definitely appears to be a legit, 1990s-era no-authentication style issue.
It definitely appears to be a legit, 1990s-era no-authentication style issue.
In terms of what the attacks can do, the situation is similar to the recent 'AT command' physical attacks that could be done with a very small number of Android handsets and versions.
portal.3gpp.org/desktopmodules…
portal.3gpp.org/desktopmodules…
AdaptiveMobile Security listed out some specific attacks. Three in particular.
Attack1: Location Tracking
Attack2: Call Fraud
Attack3: Browser Hacking
We'll take a quick look at each.
Attack1: Location Tracking
Attack2: Call Fraud
Attack3: Browser Hacking
We'll take a quick look at each.
Attack1: Location tracking
This nets you a Cell-ID. What's a Cell-ID? From what I can tell, it's the ID of the Cell tower you're connected to.
Takes a leap to get from "tracking phones" to "nearest cell". Overstated claim.
They can get the IMEI though, which is not good.
This nets you a Cell-ID. What's a Cell-ID? From what I can tell, it's the ID of the Cell tower you're connected to.
Takes a leap to get from "tracking phones" to "nearest cell". Overstated claim.
They can get the IMEI though, which is not good.
Attack2: Call Fraud
You can PREP a call to be dialed, but still need the user to tap "Call". What's scary about making a call? The idea is that the attacker could con you into calling an expensive international number.
Social engineering is required to complete this one.
You can PREP a call to be dialed, but still need the user to tap "Call". What's scary about making a call? The idea is that the attacker could con you into calling an expensive international number.
Social engineering is required to complete this one.
Attack3: Launch and Direct Browser
As with the "Call Fraud" scenario, the attacker can tell the phone to open a URL in a browser, but the rest of the attack relies on client-side attacks or social engineering.
Not a lot of meat on this bone.
As with the "Call Fraud" scenario, the attacker can tell the phone to open a URL in a browser, but the rest of the attack relies on client-side attacks or social engineering.
Not a lot of meat on this bone.
Here, we come to the crux of my issue with how this vulnerability was reported. Where do we find S@T Browser installed on SIM cards? Which operators actually use and deploy it to customers?
AdaptiveMobile doesn't tell us, so we don't know.
AdaptiveMobile doesn't tell us, so we don't know.
Except for the fact that awesome journalists will actually reach out and ask operators. Journalists like @josephfcox, who conclusively determined that US operators are not affected.
AdaptiveMobile further recommends you "investigate if you have SIM cards with S@T Browser technology deployed in your network" and to consider using your firewall to filter binary SMS messages.
They don't give any suggestions on how any of this might be accomplished.
They don't give any suggestions on how any of this might be accomplished.
Some googling suggests that operators on the tiny island nation of Mauritius may use S@T Browser along with parts of India and ME, but nothing conclusive.
I don't know of any good way to determine this, besides contacting them all one-by-one as Joe did.
logossolvo.com/wireless-telec…
I don't know of any good way to determine this, besides contacting them all one-by-one as Joe did.
logossolvo.com/wireless-telec…
Hopefully GSMA gets this fixed up, but as with most 'named vulns', the marketing on this one is overblown and the impact overestimated.
I just tested this, using an online Cell-ID database I found (2.7GB CSV, not for the faint-hearted).
The coordinates are almost exactly 1km from my actual location - a 6 minute drive from my house, according to Google Maps.
The coordinates are almost exactly 1km from my actual location - a 6 minute drive from my house, according to Google Maps.
