Researchers on Thursday disclosed what they said is a widespread, ongoing exploit of a SIM card-based vulnerability, dubbed “SimJacker.” The glitch has been exploited for the past two years by “a specific private company that works with governments to monitor individuals,” and impacts several mobile operators – with the potential to impact over a billion mobile phone users globally, according to researchers with AdaptiveMobile Security.
“Simjacker has been further exploited to perform many other types of attacks against individuals and mobile operators such as fraud, scam calls, information leakage, denial of service and espionage,” said researchers with AdaptiveMobile Security in a post breaking down the attack, released Thursday.
AdaptiveMobile’s espionage discovery shouldn’t surprise mobile carriers or phone users as the attack surface is increasing both from a corporate and consumer information standpoint, and hackers are clearly taking advantage of it. This particular breach is yet another reminder to the telecommunications industry that prevention is of utmost importance and their overall inability to detect and respond to threats in a timely manner will likely lead to more headlines. And yet again we see another example of individuals being hacked and the victims had no idea their personal information is being compromised.
Overall, expect wide-scale mobile attacks of this nature to continue. Hackers using the low and slow attack paradigm, like Cybereason discovered in Operation Soft Cell earlier this year, have a higher success rate of circumventing almost all of the detection capabilities available. While details are still emerging in this particular breach, this would appear to have the makings of a nation-state actor. They almost never engage in smash and grab campaigns to steal money, social security numbers or credit card numbers. Their motives are likely to target certain individuals to know who they are talking to, where they are traveling and when.
Since our inception, Entersekt’s position has been that SMS OTP is not secure and SimJacker is just another reason to justify this position. Security experts have known about SMS technology flaws for some time and have regularly warned organisations about them. Regulatory bodies in the financial industry are slowly starting to heed these warnings as SMS OTPs’ risks to consumer security overtake the cost benefits: a few years ago already, issued in the European Banking Authority’s Strong Authentication Requirements, SMS-based authentication is listed as a method “to be avoided.” In spite of all this, digital banking security still has a long way to go. Organisations still using SMS OTPs need to move on, and fast, if they want to avoid falling prey to the inevitable risk inherent in using such out-of-date methods.