Simjacker isn't the only SIM-based attack that could put phones at risk. Ginno Security Lab has detailed
another exploit, WIBattack, that compromises the WIB (Wireless Internet
Browser) app on some SIM cards to take control of key phone functions.
Like its counterpart, WIBattack infects a phone through a carefully
formatted SMS text that runs instructions on cards that don't have key
security features enabled. If successful, the intruders can send texts,
start calls, point your web browser to specific sites, display text and
send location info.
The vulnerability could be used to track a device's location, point
users to phishing websites and rack up fees on calls to toll numbers,
among other tricks. Ginno has briefed the GSM Association on WIBattack,
although it's not clear what, if anything, the industry body is doing to
address the issue.
It's not certain just how many people are truly
vulnerable. While Ginno warns that "hundreds of millions" of phones
with WIB-capable SIM cards might be at risk, ZDNet obtained
an SRLabs report suggesting the real number of potential victims might
be considerably lower. Out of 800 tested cards, only 10.7 percent had
WIB installed, and 3.5 percent of them were vulnerable to a
Simjacker-like attack.
There's also the question of whether or not
this would be the most effective method for would-be attackers. It may
be easier to try SIM hijacking (which can simply involve less-than-scrupulous carrier staff) or an SS7 exploit.
Still, this is another significant flaw that may be difficult to
completely eliminate until networks and users upgrade to more secure
SIMs.