On the 12th of September we revealed high-level details on a mobile vulnerability that we believe was being exploited by an attacker for at least two years. Prior to this, and afterwards, we have been actively sharing specific details with the mobile industry within a responsible disclosure (CVD) process, in order for Mobile Operators globally to determine if they were affected and, if so, to take steps to protect themselves. At this stage, we can now give an in-depth analysis of the vulnerability and how it is being exploited. Simjacker is the name we applied to a vulnerability in a technology used on SIM Cards, which we observed has been exploited by a sophisticated threat actor to primarily track the location and get handset information for thousands of Mexican mobile users without their knowledge.
This particular vulnerable SIM Card technology, is called the S@T Browser, the key issue with the S@T Browser technology is that its default security does not require any authentication, and as a result the attacker is able to execute functionality on the SIM card, unbeknownst to the mobile phone user. In their attacks, we observed the attacking entity target several hundred unique mobile subscribers per week. We believe that prior to discovery they would have successfully tracked the location of many thousands of mobile subscribers over months and probably years. In our efforts to detect and mitigate these attacks, we have observed the attackers vary their method and application of the attack massively. These variations range from different ways to send the attack, different ways to receive the extracted information, variations in the structure of the request and the extracted information, as well as a host of other modifications to evade detection and blocking. We also observed the attacker experiment over time with new potential forms of attack using the vulnerability. The number, scale and sophistication of modifications of the attack is significantly beyond what we have witnessed from any attacker over mobile networks.