by cypres 2474 days ago
Title is misleading. No "hijacking" is taking place, they are obtaining the Cell ID (approximate location) and IMEI info from the phone, by sending it a malicious SMS containing SIM card instructions. Details: https://www.adaptivemobile.com/blog/simjacker-next-generatio...

A better title IMHO: SIM Vulnerability leads to information disclosure via malicious SMS.


Seems like a hijack may be possible actually... Here is a list of other things they listed they can do with the simjacker exploit that goes beyond simple data exfiltration:

    > PLAY TONE
    > SEND SHORT MESSAGE
    > SET UP CALL
    > SEND USSD
    > SEND SS
    > PROVIDE LOCAL INFORMATION
    >     Location Information, IMEI, Battery, Network, Language, etc
    > POWER OFF CARD
    > RUN AT COMMAND
    > SEND DTMF COMMAND
    > LAUNCH BROWSER
    > OPEN CHANNEL
    >     CS BEARER, DATA SERVICE BEARER, LOCAL BEARER, UICC SERVER MODE, etc
    > SEND DATA
    > GET SERVICE INFORMATION
    > SUBMIT MULTIMEDIA MESSAGE
    > GEOGRAPHICAL LOCATION REQUEST
Running arbitrary AT commands gives lots of potential... I wish they would provide (a lot) more details about their claims :(
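The list above is the set of SIM Toolkit proactive commands a SIM can issue to the handset. As an added example (not code from AdaptiveMobile or from anyone in this thread), the following parses the outer BER-TLV layout of a proactive command as defined in ETSI TS 102 223 (tag 0xD0, then a Command details TLV carrying command number, type and qualifier) and sorts the command into the tiers the comment distinguishes: commands that only disclose device state, commands that act on the subscriber's behalf, and RUN AT COMMAND, which executes on the modem. The type-of-command values are the ones from TS 102 223 clause 9.4; the three-tier grouping and the sample APDUs are this example's own constructions, not anything from the standard or the original research.

```python
"""Classify SIM Toolkit proactive commands by what they let the SIM do.

Added example for this thread (not AdaptiveMobile's or any commenter's code).
Parses the outer layout of an ETSI TS 102 223 proactive command:
    D0 <len> 81 03 <cmd number> <type of command> <qualifier> 82 02 <src> <dst> ...
The tier grouping below is an assumption made for this example.
"""
from typing import Dict, Tuple

# Type-of-command values (ETSI TS 102 223 clause 9.4) for the commands named
# in the thread; other commands are reported as UNKNOWN.
COMMAND_NAMES: Dict[int, str] = {
    0x10: "SET UP CALL",
    0x11: "SEND SS",
    0x12: "SEND USSD",
    0x13: "SEND SHORT MESSAGE",
    0x14: "SEND DTMF",
    0x15: "LAUNCH BROWSER",
    0x16: "GEOGRAPHICAL LOCATION REQUEST",
    0x20: "PLAY TONE",
    0x26: "PROVIDE LOCAL INFORMATION",
    0x32: "POWER OFF CARD",
    0x34: "RUN AT COMMAND",
    0x40: "OPEN CHANNEL",
    0x43: "SEND DATA",
    0x46: "GET SERVICE INFORMATION",
    0x61: "SUBMIT MULTIMEDIA MESSAGE",
}

# Example's own grouping (assumption): read-only disclosure of device state,
# actions taken on the subscriber's behalf, and execution on the modem.
TIER: Dict[str, set] = {
    "disclosure": {0x16, 0x26, 0x46},
    "action": {0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x20, 0x32, 0x40, 0x43, 0x61},
    "modem_exec": {0x34},
}


def parse_proactive_command(apdu: bytes) -> Dict[str, int]:
    """Return the Command details (number, type, qualifier) of a proactive command."""
    if len(apdu) < 2 or apdu[0] != 0xD0:
        raise ValueError("not a proactive command (missing 0xD0 tag)")
    # BER length: one byte if < 0x80, or 0x81 followed by a one-byte length.
    if apdu[1] == 0x81:
        body_len, pos = apdu[2], 3
    elif apdu[1] < 0x80:
        body_len, pos = apdu[1], 2
    else:
        raise ValueError("unsupported length encoding")
    body = apdu[pos:pos + body_len]
    if len(body) != body_len:
        raise ValueError("truncated proactive command")
    # Walk the simple TLVs in the body until Command details (tag 0x01,
    # usually sent as 0x81 with the comprehension-required bit set) is found.
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i] & 0x7F, body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV inside proactive command")
        if tag == 0x01:
            if length != 3:
                raise ValueError("Command details must be exactly 3 bytes")
            return {"number": value[0], "type": value[1], "qualifier": value[2]}
        i += 2 + length
    raise ValueError("Command details TLV missing")


def classify(apdu: bytes) -> Tuple[str, str]:
    """Map a proactive command APDU to (command name, risk tier)."""
    ctype = parse_proactive_command(apdu)["type"]
    name = COMMAND_NAMES.get(ctype, "UNKNOWN(0x%02X)" % ctype)
    for tier, members in TIER.items():
        if ctype in members:
            return name, tier
    return name, "other"


# Constructed sample APDUs for the example (not real captures). Each carries
# only Command details and Device identities (UICC 0x81 -> terminal 0x82).
SAMPLE_PLI = bytes.fromhex("D009810301260082028182")   # PROVIDE LOCAL INFORMATION
SAMPLE_SMS = bytes.fromhex("D009810301130082028182")   # SEND SHORT MESSAGE
SAMPLE_AT = bytes.fromhex("D009810301340082028182")    # RUN AT COMMAND

if __name__ == "__main__":
    for label, apdu in (("PLI", SAMPLE_PLI), ("SMS", SAMPLE_SMS), ("AT", SAMPLE_AT)):
        print(label, classify(apdu))
```

A handset-side or modem-side monitor that logs proactive commands could use a classification like this to alert on the "action" and "modem_exec" tiers, which is exactly the distinction the comment draws between location disclosure and commands that do things on the user's behalf.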
When I recently watched this talk, https://www.youtube.com/watch?v=31D94QOo2gY, I wondered about that, that is if a malicious STK app from the network operator could execute AT commands on the phone (and compromise the device using commands from https://www.usenix.org/node/217625).

But from what I gathered from cursory search, RUN AT COMMAND isn't supported by most devices. (ETSI TS 102 223 states "This clause applies if class "b" is supported by the terminal and enabled by the subscriber through the terminal. ")

Why in the world is this API surface even available, and why aren't Google / Apple / handset manufacturers scrambling to patch this?
I guess it is available to the baseband, not the actual user facing OS.
Google and Apple can't do anything to mitigate this.

Edit: The following is incorrect. SIM cards are self-contained computers. Among other things, they're responsible for encrypting and decrypting communications between your phone and your carrier. This means that a SIM card will see the contents of a message before your OS or other hardware in your phone does. These exploits should work just as well against "dumb" phones as smartphones because they're not attacking the actual phones.

This API exists because SIM cards are self-contained computers; they need a way to communicate with everything else.

That's not the case. SIM cards hold the permanent key for authentication and perform key derivation. Mobile data doesn't pass the SIM card; it does not perform the encryption and decryption.
Good point--I tend to forget that. The rather vague article seems to indicate the actual SMS content is being sent to the SIM, though. Why is that?
Dumb/feature phones saved SMS messages to the SIM card as simple cards have a limited amount of memory that is dedicated to a crude phonebook and SMS store. Smartphones and smarter feature phones (can) use their own storage for that. You could disable/enable the phonebook/save to SIM features on feature phones and early smartphones.

(I'm talking about Windows CE and Symbian phones being early smartphones here)

For me, sending SMS messages on your behalf (without you even knowing) or dialling premium rate numbers is definitely hijacking.
Ok, we'll go with that title above.