Attackers actively exploiting ‘Simjacker’ flaw to steal device data and spy on individuals


Cybersecurity researchers have warned of a critical vulnerability in SIM cards that could allow remote attackers to compromise targeted mobile phones and spy on victims without their knowledge just by sending an SMS.

Dublin-based firm AdaptiveMobile Security said the flaw — dubbed “Simjacker” — has been actively exploited for at least two years by a spyware vendor that works with governments to track individuals. The firm didn’t disclose the name of the company or the individuals who may have been targeted in this way.

Because the attack works across all platforms, the vulnerability demonstrates the increasing sophistication of threat actors in undermining network security by taking advantage of obscure technologies.

“The attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands,” AdaptiveMobile Security said.

The researchers have responsibly disclosed the flaw to the GSM Association (GSMA) and SIMalliance, the governing organizations overseeing mobile operators worldwide and seeking to improve the security of mobile services.

What is S@T?

The vulnerability resides in what’s called the S@T Browser, which is embedded on most SIM cards as part of the SIM Application Toolkit (STK), widely used by GSM mobile operators across the world to provide value-added services to customers.

Credit: AdaptiveMobile Security
