SimJacker is a 0-day vulnerability under active attack, according to this article:
Dubbed “SimJacker,” the vulnerability resides in a particular piece of software, called the S@T Browser (a dynamic SIM toolkit), embedded on most SIM cards.
New SIM Card Flaw Lets Hackers Hijack Any Phone Just By Sending SMS
Huge security issue claims need some fact checking. Fortunately, I had just written an article related to SIM card technologies (to be published later), so I have some up-to-date information on SIM card technologies. Based on that, I can verify that SIM cards often support remote management with SMS messages and that they nowadays have apps that can interact with messages. The security of both is at a level that could preferably be better. I can’t verify this specific claim, because there is not enough info published yet.
It seems that there is something to this, as the SIMalliance has acknowledged this or another similar issue and provided recommendations for SIM card manufacturers to implement security for S@T push messages.
The news on this now looks like an advertisement for a future security talk. The researchers will be giving technical details on Simjacker during the Virus Bulletin Conference, London, 3rd October 2019. They have also published a blog post that gives an overview of Simjacker, how it works and who is potentially exploiting it.
Simjacker – Next Generation Spying Over Mobile
“there is nothing much a mobile device user can do if they are using a SIM card with S@T Browser technology deployed on it,”
So that begs the question…
How does one determine specifically if they have such a SIM card?
Why was the proper security not built in already to SIMs?
SIMs have been advertised as secure elements for IoT systems, especially in 5G IoT talks by operators.
Let’s wait for more details.