The Simjacker vulnerability has been generating quite a lot of hype since its disclosure a few days back. The cybersecurity industry is a hugely competitive one. These days, as long as a security research company discovers something relatively noteworthy, it will take the opportunity to market itself. If I remember correctly, Heartbleed was the first vulnerability to have its own dedicated website. Since then, many vulnerability disclosures have followed the same path.
First, you need to give your vulnerability a nice name. Then, some might give it a fancy logo. Finally, you have to create a website for it. Offhand, there are Meltdown/Spectre, KRACK, DROWN and EFAIL, just to name a few. Here are some logos for your reference :)
The Simjacker hype
Simjacker ticks all the checkboxes when it comes to marketing. It has a website of its own, a pretty decent and apt logo design, and it even has a video introduction. There are even quick share buttons to popular social networks like Facebook, LinkedIn and Twitter.
If you do a quick search on Google, a myriad of news outlets have articles on Simjacker. Among them, even Forbes, Engadget and Ars Technica have articles on it. This level of coverage pushed Simjacker's official website to the third page of Google search.
What is the vulnerability about?
Simjacker is a vulnerability where the attacker can remotely exploit and attack an unsuspecting victim. According to AdaptiveMobile Security, the research company which discovered Simjacker, the attacker just needs to be able to craft the right SMS data and send it to the target, and voila!
Of course, like any vulnerability, there must be some prerequisites for it to work. The attack relies on specific SMS messages being allowed (by the local Telco), and the S@T Browser software being present on the SIM card of the targeted phone. Of course, if you are targeting a specific individual, then you will need to know his mobile number.
The S@T (pronounced "sat") Browser, or SIMalliance Toolbox Browser, is an application specified by the SIMalliance, and can be installed on a variety of SIM cards. The S@T Browser is an old piece of software and most of its functions have been superseded by other technologies. This specification has not been updated for 10 years; however, like many legacy technologies, it is still being used.
AdaptiveMobile Security also said that,
"... we observed the S@T protocol being used by mobile operators in at least 30 countries whose cumulative population adds up to over a billion people, so a sizable amount of people are potentially affected. It is also highly likely that additional countries have mobile operators that continue to use the technology on specific SIM cards."
This is the part where I think there is some mis-marketing. The company said that the S@T protocol is being used by mobile operators in 30 countries with a cumulative population of over one billion people. The way this is worded made it sound like over 1 billion people are at risk. Unsurprisingly, there really are articles that wrongly assumed that, and one of them is on Forbes. The article title reported that 1 billion mobile phones are at risk, which is a huge overstatement. While the full details will only be revealed at an event on 3rd Oct, I think not all mobile operators in these countries will ship their SIM cards with the S@T Browser. Also, not everyone in these countries owns a phone. However, the way the company worded the statement made it sound like 1 billion people are at risk, which I thought was a little like deliberately trying to mislead.
Even though I think the number of people at risk is overstated, I think the vulnerability is still considered rather widespread. Even if there are just a million at risk, I would consider it noteworthy and deserving of attention. So what can be exploited? First of all, the attack can be used to spy on your location. Next, it can also be used to make fraudulent calls to a third party. Finally, it can also be used to direct users to potentially malicious websites. Beyond these scenarios, the S@T protocol can be used to do many other things documented here. Examples of the more sensitive commands are listed here:
- PLAY TONE
- SEND SHORT MESSAGE
- SET UP CALL
- SEND USSD
- SEND SS
- PROVIDE LOCAL INFORMATION
- POWER OFF CARD
- RUN AT COMMAND
- SEND DTMF COMMAND
- LAUNCH BROWSER
- OPEN CHANNEL
- SEND DATA
- GET SERVICE INFORMATION
- SUBMIT MULTIMEDIA MESSAGE
- GEOGRAPHICAL LOCATION REQUEST
With so many commands available, it is up to the attacker's imagination to craft the targeted attack.
So is Simjacker worth the hype?
I agree Simjacker is certainly worth media attention, especially in those affected countries. However, I think AdaptiveMobile Security should just disclose the vulnerability fully so that the mobile operators can start to work on mitigating the threat. I do not see the point in keeping some details back and only disclosing them later during an event. I will not be surprised if the presentation on 3rd October does not live up to the expectations.
I think the company is not being very socially responsible here. Although it is a decent finding and they deserve all the credit, I think the marketing is a little overboard. But I guess I cannot really blame them for trying whatever they can to gain some fame in this highly competitive cybersecurity industry.
This article is created on the Steem blockchain.