Adaptive Mobile Security experts found a serious vulnerability in SIM cards. It is enough for the hacker to send an SMS to a person in order to track his location and gain access to his data.
An unnamed spyware developer has been exploiting the vulnerability for more than two years. They collaborate with government agencies around the world. The attack, dubbed Simjacker, is mainly designed to track people, but can also be used for fraud, data theft, and other illegal actions.
The vulnerability works through a special browser S @ T Browser. It is a part of the standard set of applications on the SIM card. Through it, operators offer subscribers additional services – news, voicemail, and so on.
It is enough for hackers to take a cheap GSM modem and send an SMS with a special code to the victim. The phone will send the message directly to the SIM card. Without even checking it, the code will be executed through the browser. The user does not know about this.
S @ T Browser is already outdated but is still used by operators in at least 30 countries. The total number of potential victims exceeds one billion. Experts spoke about the vulnerabilities of the GSM Association and SIMalliance, the main organizations that seek to improve the security of mobile services. They have already provided the operators with troubleshooting instructions.