A security research team has presented a second SMS-based attack that could allow malicious actors to track users' devices by abusing little-known applications that run on SIM cards. The attack is named WIBattack, and it is more or less identical to Simjacker. WIBattack was first discovered back in 2015. At that time, the team also found the Simjacker attack, which was later termed S@Tattack, but they did not make it public.
Simjacker is an attack disclosed by mobile security firm AdaptiveMobile at the start of the month. Both attacks work in a similar manner and grant access to similar commands. However, they target different apps running on SIM cards.
For example, Simjacker targets the S@T Browser app, while WIBattack targets the Wireless Internet Browser (WIB) app. Both the S@T Browser and WIB are Java applets that mobile telecommunication companies install on SIM cards. These applications allow remote management of customer devices and their mobile subscriptions.
The commands supported by both applets are: get location data, start call, send SMS, send SS requests, send USSD requests, launch internet browser with a specific URL, display text on the device, and play a tone. In both cases, the attacker is assumed to be able to send a specially formatted binary SMS, called an OTA SMS, to a SIM. The OTA SMS executes STK (SIM Toolkit) instructions on the SIM card to attack the user.
SRLabs, a well-known mobile and telecommunication security team, developed two apps named SIMTester and SnoopSnitch. SIMTester is a desktop app that tests SIM cards for security flaws, while SnoopSnitch is an Android app that can test for SIM, mobile network, and OS security flaws in a smartphone. However, SnoopSnitch runs only on rooted devices with Qualcomm chipsets.
Earlier this month, AdaptiveMobile claimed to have discovered that a “private company that works with governments” is using rogue commands sent to S@T Browser apps running on SIM cards to track individuals. Last week, security researchers at Ginno Security Labs claimed that the WIB app is also vulnerable to similar attacks.
Ginno Security Labs researchers consider that this S@Tattack attack vector can be abused to track users. They said that a skilled attacker could easily track a victim’s location, start phone calls, or listen to nearby conversations.
The researchers received data from as many as 800 SIM card tests via the SIMTester app, which suggests that most mobile telecommunication companies no longer ship the S@T and WIB Java applets. In addition, data from as many as 500,000 SnoopSnitch tests revealed that only a very small number of users received OTA SMS messages. These findings suggest that most users today are safe from the threats described by the security research team.
Curious users can install and run the SIMTester app to check whether their phone’s SIM card runs the S@T or WIB apps. The SRLabs team stated that even if the two SIM card apps are installed, it does not mean the SIM card is vulnerable. For the two Java applets to be exploitable, attackers must be able to send OTA SMS messages to them. Telecommunication companies can easily block OTA SMS messages by enabling security features.
A security feature present in the two apps should prevent random strangers from sending binary OTA SMS messages that trigger hidden command execution, unless the S@T and WIB Java applets have a minimum security level (MSL) index of 0.
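The exposure conditions from the two paragraphs above (applet installed, MSL of 0, OTA SMS not filtered by the carrier) can be expressed as a small audit check. This is an added example, not code from SRLabs or SIMTester; the record format, function names and sample values are constructed, and the MSL bit layout is assumed from the SPI coding in ETSI TS 102 225, which the article does not describe.

```python
from dataclasses import dataclass

# Assumed layout of the MSL byte (first SPI octet, ETSI TS 102 225).
INTEGRITY = {0: "none", 1: "redundancy check",
             2: "cryptographic checksum", 3: "digital signature"}
COUNTER = {0: "no counter", 1: "counter, not checked",
           2: "counter must be higher", 3: "counter must be one higher"}

@dataclass
class AppletResult:
    applet: str       # "S@T" or "WIB"
    installed: bool   # applet present on the SIM
    msl: int          # minimum security level byte reported for the applet

def decode_msl(msl: int) -> dict:
    """Split the MSL byte into the protections it demands from an OTA SMS."""
    return {
        "integrity": INTEGRITY[msl & 0b11],
        "ciphering": bool(msl & 0b100),
        "counter": COUNTER[(msl >> 3) & 0b11],
    }

def assess(result: AppletResult, carrier_filters_ota: bool) -> str:
    """Apply the article's criteria: installed alone does not mean vulnerable."""
    if not result.installed:
        return "not installed"
    if result.msl != 0:
        d = decode_msl(result.msl)
        return f"protected (integrity={d['integrity']}, ciphering={d['ciphering']})"
    if carrier_filters_ota:
        return "MSL 0, but OTA SMS filtered by carrier"
    return "exposed: MSL 0 and OTA SMS not filtered"

def report(results, carrier_filters_ota: bool) -> dict:
    return {r.applet: assess(r, carrier_filters_ota) for r in results}

# Constructed sample results for one SIM card (not real measurements).
SAMPLE = [
    AppletResult("S@T", installed=True, msl=0x00),
    AppletResult("WIB", installed=True, msl=0x16),
]

if __name__ == "__main__":
    for applet, verdict in report(SAMPLE, carrier_filters_ota=False).items():
        print(f"{applet}: {verdict}")
```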
This week, in an interview with ZDNet, Karsten Nohl, a security researcher associated with SRLabs, said, “In the context of mobile network hacks, Simjacker would appear less attractive to criminals than SS7 attacks or social engineering such as SIM swapping. While SS7 hacks and SIM swaps are reported in large numbers, Simjacker attacks seem to appear only anecdotally in comparison.”
In real terms, this means that you are more likely to be exploited through an employee of your mobile telecommunication company assigning your phone number to a hacker than by being bombarded with shady OTA SMS messages.