Beware! Your mobile phone can spy on you
Avneet Kaur
Jalandhar, September 22
Cyber security experts at AdaptiveMobile Security, a Dublin-based mobile security company, have recently revealed the existence of a new and previously undetected critical vulnerability in SIM cards that could allow remote attackers to compromise targeted mobile phones and spy on victims.
The experts named the attack ‘Simjacker’ as it involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the UICC (which is the SIM card) within the phone to ‘take over’ the phone, to retrieve and perform sensitive commands.
According to Mudit Sinha, a cyber security trainer as well as researcher from the city, the vulnerability resides in a particular piece of software called the ‘S@T Browser’ (a dynamic SIM toolkit), which is embedded on most SIM cards and widely used by mobile operators in at least 30 countries. It can be exploited regardless of which handsets victims are using.
He said the SIM Application Toolkit, commonly referred to as the STK, was a standard of the GSM system that enabled the Subscriber Identity Module (SIM) to initiate actions which could be used for various value-added services, basic services and subscriptions for customers.
“In the attack, the attacker, via SMS, gets access to the device location, and importantly the Cell-ID. With this, your device has been officially jacked by the attacker. The trouble is, you wouldn’t even know about all this, and won’t get any alerts of a possible mishap either,” Sinha said, adding that the attacker could then perform other types of attacks against individuals and mobile operators such as fraud, scam calls, information leakage, denial of service and espionage.
When asked about possible precautions against the attack, Mudit said researchers had responsibly disclosed details of this vulnerability to the GSM Association, the trade body representing the mobile operator community, as well as the SIMalliance, which represents the main SIM card/UICC manufacturers.
He said this attack was hard to track for now, which meant every user needed to be extra careful about how they used their mobile number, how they interacted via SMS and how they kept all digital accounts secure.
Palvinder Singh, another cyber security expert, said people should avoid opening unnecessary pop-up links that flash on the screen while using multiple websites or even those links that had been sent through SMS.
He said people should avoid calling customer care numbers to register any complaint regarding their phone handset or SIM as most of those numbers were hacked.