18 tweets, 5 min read
This thread is about #Simjacker.

A good friend asked me what I thought about it and I admitted I hadn't bothered to read up on it.

One of the things we did with @savagesec was that we wrote up advisories for our customers. A lot of them had to do with these 'named' vulns.
My first impression is superficial and not positive. We've got all the red flags here.
🚩named vulnerability
🚩logo (animated, even!)
🚩dark, ominous video
🚩lacking key, important details
🚩lead gen form to download paper
I wrote up advisories for some big ones - BlueBorne, KRACK, EFail, Meltdown/Spectre and others.

In addition to the common denominators above, they all had some stuff in common. They claimed HUGE impact, when the impact was actually much smaller because of circumstances.
The situation with #Simjacker is no different. The impact is much, much smaller than most media writeups would have you believe.

"Simjacker Can Track Phones Just by Sending a Text"

"SimJacker attack allows hacking any phone with just an SMS"

Both headlines are wrong.
I should point out that, while I understand how SIM cards work, I've not done any deep research into them myself.

As with most of my other advisories, my opinions here are based on primary sources and my own testing.
#Simjacker works by exploiting a lack of security in a product called S@T Browser. Like many baseband attacks, this is software intended to be used by the mobile operator, not simple folk like you and me.

Also like many baseband vulns, obscurity is not a substitute for security.
Before we cover the bigger issues with how this vulnerability was reported, let's take a closer look at what can be done with it.

It definitely appears to be a legit, 1990s-era no-authentication style issue.
In terms of what the attacks can do, the situation is similar to the recent 'AT command' physical attacks that could be done with a very small number of Android handsets and versions.
portal.3gpp.org/desktopmodules…
AdaptiveMobile Security listed out some specific attacks. Three in particular.

Attack 1: Location Tracking
Attack 2: Call Fraud
Attack 3: Browser Hacking

We'll take a quick look at each.
Attack 1: Location tracking

This nets you a Cell-ID. What's a Cell-ID? From what I can tell, it's the ID of the Cell tower you're connected to.

Takes a leap to get from "tracking phones" to "nearest cell". Overstated claim.

They can get the IMEI though, which is not good.
Attack 2: Call Fraud

You can PREP a call to be dialed, but still need the user to tap "Call". What's scary about making a call? The idea is that the attacker could con you into calling an expensive international number.

Social engineering is required to complete this one.
Attack 3: Launch and Direct Browser

As with the "Call Fraud" scenario, the attacker can tell the phone to open a URL in a browser, but the rest of the attack relies on client-side attacks or social engineering.

Not a lot of meat on this bone.
Here, we come to the crux of my issue with how this vulnerability was reported. Where do we find S@T Browser installed on SIM cards? Which operators actually use and deploy it to customers?

AdaptiveMobile doesn't tell us, so we don't know.
Except for the fact that awesome journalists will actually reach out and ask operators. Journalists like @josephfcox, who conclusively determined that US operators are not affected.

AdaptiveMobile further recommends you "investigate if you have SIM cards with S@T Browser technology deployed in your network" and to consider using your firewall to filter binary SMS messages.

They don't give any suggestions on how any of this might be accomplished.
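One way an operator could start on the "filter binary SMS" recommendation is to classify messages by their TP-PID and TP-DCS header fields before they reach the SIM. The example below is added here and is not from the thread or from AdaptiveMobile; it assumes the 3GPP TS 23.038 data-coding-scheme layout and the TS 23.040 protocol identifier 0x7F for "(U)SIM data download", and it uses a constructed list of message records (not real traffic). The blocking policy itself (flag PID 0x7F or message class 2) is an assumption chosen for illustration; a real deployment would tune it against the operator's own legitimate OTA traffic.

```python
"""Classify SMS header fields to spot SIM-bound binary messages (constructed example)."""

# TP-PID value meaning "(U)SIM data download" in 3GPP TS 23.040
TP_PID_SIM_DATA_DOWNLOAD = 0x7F

ALPHABETS = {0: "gsm7", 1: "8bit", 2: "ucs2", 3: "reserved"}


def decode_dcs(dcs: int) -> dict:
    """Decode a TP-DCS octet per TS 23.038 into alphabet and message class.

    Returns {"alphabet": str, "msg_class": int | None}. Class 2 is the
    "(U)SIM specific" class used for SIM data download messages.
    """
    group = dcs >> 4
    if group & 0xC == 0:
        # General data coding (bits 7..6 == 00): bit 4 says whether bits 1..0 carry a class
        alphabet = ALPHABETS[(dcs >> 2) & 0x3]
        msg_class = dcs & 0x3 if dcs & 0x10 else None
    elif group == 0xF:
        # "Data coding / message class" group (bits 7..4 == 1111): bit 2 selects 8-bit data
        alphabet = "8bit" if dcs & 0x4 else "gsm7"
        msg_class = dcs & 0x3
    else:
        # Message-waiting indication groups and reserved values: no class semantics here
        alphabet = "other"
        msg_class = None
    return {"alphabet": alphabet, "msg_class": msg_class}


def is_sim_bound(tp_pid: int, tp_dcs: int) -> bool:
    """Conservative policy (assumption): treat PID 0x7F or class-2 DCS as SIM-bound binary SMS."""
    dcs = decode_dcs(tp_dcs)
    return tp_pid == TP_PID_SIM_DATA_DOWNLOAD or dcs["msg_class"] == 2


def apply_policy(records: list[dict]) -> list[dict]:
    """Tag each record with the decoded DCS and a block/allow verdict."""
    out = []
    for rec in records:
        verdict = "block" if is_sim_bound(rec["tp_pid"], rec["tp_dcs"]) else "allow"
        out.append({**rec, **decode_dcs(rec["tp_dcs"]), "verdict": verdict})
    return out


# Constructed sample records, not captured traffic: PID/DCS pairs as a filter would see them
SAMPLE_RECORDS = [
    {"id": "msg-1", "tp_pid": 0x00, "tp_dcs": 0x00},  # ordinary GSM-7 text message
    {"id": "msg-2", "tp_pid": 0x7F, "tp_dcs": 0xF6},  # classic SIM OTA: PID 0x7F, 8-bit, class 2
    {"id": "msg-3", "tp_pid": 0x00, "tp_dcs": 0x16},  # general group, class 2 flagged via bit 4
    {"id": "msg-4", "tp_pid": 0x00, "tp_dcs": 0x08},  # UCS-2 text, no class: allowed
]

if __name__ == "__main__":
    for row in apply_policy(SAMPLE_RECORDS):
        print(f'{row["id"]}: pid=0x{row["tp_pid"]:02X} dcs=0x{row["tp_dcs"]:02X} '
              f'{row["alphabet"]} class={row["msg_class"]} -> {row["verdict"]}')
```

The decoder only looks at the two header octets, so it is cheap enough to run inline on an SMS firewall; whether class-2 messages without PID 0x7F should be blocked or merely logged is a policy call the operator has to make from its own OTA usage.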
Some googling suggests that operators on the tiny island nation of Mauritius may use S@T Browser along with parts of India and the Middle East, but nothing conclusive.

I don't know of any good way to determine this, besides contacting them all one-by-one as Joe did.

logossolvo.com/wireless-telec…
Hopefully GSMA gets this fixed up, but as with most 'named vulns', the marketing on this one is overblown and the impact overestimated.

I just tested this, using an online Cell-ID database I found (2.7GB CSV, not for the faint-hearted).

The coordinates are almost exactly 1 km from my actual location - a 6-minute drive from my house, according to Google Maps.
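The test described above (look a Cell-ID up in a public cell database and compare the tower position with where the phone actually is) can be reproduced with a few lines of code. The example below is added here and is not the thread author's own script; it assumes a CSV column layout modelled on common public cell-database exports (mcc, net, area, cell, lon, lat, range), and the two database rows and the "actual location" are constructed values, not real measurements. The distance calculation is the standard haversine formula.

```python
"""Resolve a Cell-ID to tower coordinates and measure how far that is from a known position."""
import csv
import io
import math

# Constructed database excerpt, not real data. Column layout is an assumption modelled on
# public cell-database CSV exports: one row per cell with its estimated centre and range.
CELL_DB_CSV = """radio,mcc,net,area,cell,unit,lon,lat,range,samples
LTE,310,410,12345,67890001,0,-86.0000,36.0000,1500,12
GSM,310,410,12345,4321,0,-86.0200,36.0300,2000,3
"""

EARTH_RADIUS_KM = 6371.0088


def load_cell_db(csv_text: str) -> dict:
    """Index rows by (mcc, mnc, lac, cell_id) -> (lat, lon, range_m).

    For a multi-gigabyte export you would stream the file with csv.reader rather than
    hold it all in memory, but the keying is the same.
    """
    db = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (int(row["mcc"]), int(row["net"]), int(row["area"]), int(row["cell"]))
        db[key] = (float(row["lat"]), float(row["lon"]), int(row["range"]))
    return db


def lookup_cell(db: dict, mcc: int, mnc: int, lac: int, cell_id: int):
    """Return (lat, lon, range_m) for the cell, or None if the database has no row for it."""
    return db.get((mcc, mnc, lac, cell_id))


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def location_error_km(db: dict, cell_key: tuple, true_lat: float, true_lon: float):
    """Distance between the tower position the database gives and the phone's true position."""
    hit = lookup_cell(db, *cell_key)
    if hit is None:
        return None
    tower_lat, tower_lon, _range_m = hit
    return haversine_km(tower_lat, tower_lon, true_lat, true_lon)


# Constructed "true" position about 1 km north of the first tower in the excerpt
TRUE_LAT, TRUE_LON = 36.0090, -86.0000
CELL_KEY = (310, 410, 12345, 67890001)

if __name__ == "__main__":
    db = load_cell_db(CELL_DB_CSV)
    err = location_error_km(db, CELL_KEY, TRUE_LAT, TRUE_LON)
    print(f"Cell {CELL_KEY} -> {lookup_cell(db, *CELL_KEY)}; error vs true position: {err:.2f} km")
```

The takeaway matches the thread: the database hands back the tower's estimated centre and a range of a kilometre or two, so a Cell-ID tells you which neighbourhood a phone is in, not which house.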
Thread by Adrian Sanabria