New SIM card attack can leak SMS and phone location information

"Bluefon Mobile" by Cristina Orrantia is licensed under CC BY-NC-ND 4.0

Not long ago, SIM cards were found to have a serious vulnerability, Simjacker, which allows remote attackers to send text messages to target phones and monitor victims without any user interaction. Now, security researchers have discovered another SIM card vulnerability that can be used to send text messages and phone location data.

Ginno Security Lab has detailed this new vulnerability, WIBattack. The vulnerability abuses the WIB (Wireless Internet Browser) application present on some SIM cards to control critical telephony features. Like Simjacker, WIBattack is delivered to mobile phones via SMS. The attack runs commands on a SIM card that does not have critical security features enabled. Once successful, the attacker can send a message, initiate a call, point the victim’s web browser to a specific site, display text, and send location information.

The vulnerability can be used to track the location of a device, point users to a phishing site, run up long-distance call charges, and more. Ginno has briefly reported WIBattack to the Global Mobile Communications Association, although it is unclear what steps the industry organization will take to address the issue.

At present, it is not clear how many people are exposed to the attack. Ginno warned that “hundreds of millions” of mobile phones with WIB-enabled SIM cards may be at risk. But according to an SRLabs report, the actual number of potential victims may be much lower. In tests of 800 cards, only 10.7% had WIB installed, and 3.5% were vulnerable to similar simulated attacks.

Via: ZDNet