cancel
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Welcome to the new look Community! We're still upgrading and making some changes to the platform over the coming weeks! Stay tuned.
Highlighted
New Contributor _B-Rad_
New Contributor

SIMJacking

Can Optus confirm if their SIM cards have the embedded

S@T Browser (a dynamic SIM toolkit), within their SIM cards? If so, are they taking steps to update their security at the network level by filtering, which can be implemented to intercept and block the illegitimate binary SMS messages as recommended by the SIM Alliance.  Will they also be offering replacement sim cards with fixes at the SIM level?

 

This sim card flaw has been possible since 2009 and the full exploit will be published in October opening the doors to sim jacking by far more individuals. It has already been demonstrated that the original exploiter has been using this attack method for over 2 years! 

 

Disclosed by researchers at AdaptiveMobile Security, the vulnerability can be exploited using a $10 GSM modem to perform several tasks, listed below, on a targeted device just by sending an SMS containing a specific type of spyware-like code.

  • Retrieving targeted device' location and IMEI information,
  • Spreading mis-information by sending fake messages on behalf of victims,
  • Performing premium-rate scams by dialing premium-rate numbers,
  • Spying on victims' surroundings by instructing the device to call the attacker's phone number,
  • Spreading malware by forcing victim's phone browser to open a malicious web page,
  • Performing denial of service attacks by disabling the SIM card, and
  • Retrieving other information like language, radio type, battery level, etc.

During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated.

 

Optus needs to take this seriously and disclose if we're currently vulnerable and what steps they're going to take to mitigate this. 

10 Replies
Occasional Contributor LustStarrr
Occasional Contributor

Re: SIMJacking

Came here to ask this, having read this: https://thehackernews.com/2019/09/simjacker-mobile-hacking.html.

 

Optus, any response yet?

Cheers,

LustStarrr (a.k.a. Fern)
0 Kudos
Reply
New Contributor _B-Rad_
New Contributor

Re: SIMJacking

Does anyone from Optus review these posts or do I need to go old school and write an actual letter to Optus?

 

It's been over a week since I first posted about this issue and have not had a response in regards to this.  Since this is a known and published issue...if people suffer from this and Optus has chosen to not do anything about it...does it open up the possibility of a class action lawsuit?  I would think this is serious enough that Optus would put a fix in place ASAP and keep it's customers informed.

0 Kudos
Reply
Occasional Contributor Derek99
Occasional Contributor

Re: SIMJacking

Spot on, _B-Rad_,

 

Optus needs to clarify urgently

 

  • whether the SIMs that they distribute even have this vulnerability, and
  • if so, whether they will mitigate the problem temporarily by blocking all binary SMSs in the network (other than those that originate within Optus network management itself and have a legitimate purpose)

Hello?????

Tags (2)
0 Kudos
Reply
Frequent Contributor
Frequent Contributor

Re: SIMJacking

I think you raise some valid concerns and good on you for raising the topic - given the newness of the discovery, it may take some time for an official response from Optus. Leaving the question unanswered would only cause more unnecessary concerns for users. According to Telefonica's equivalent of YesCrowd,  their O2 Mobile company in the UK have stated their SIMs do not use the S@T Browser, so I am no sure if it is a simple as stating that or if it is a more complex issue for other carriers if a certain percentage of their SIMs do.  

 

It seems like it is 'hot off the press' news with more details to follow when Adaptive Mobile Security present their findings at a London conference in early October. Web posts seem to indicate the exposure relates from 2009,  and today it is more prevalent in undeveloped countries using older technology networks. The alleged originator is a "private surveillance company, a highly sophisticated actor, that works with Governments to monitor targeted individuals".  

 

Governments may require this ability for law enforcement and national security reasons, however given the state of world affairs it could also be used for political, financial and other sinister reasons. All carriers around the world have to comply, to various degrees, with demands from relevant sovereign Government agencies responsible for their country's communications and security. Allegedly and interestingly, it doesn't appear to effect any of the US Carriers raising some more questions as to the identity of the actor. 

 

One would hope it has not extended itself as a freely down loadable Open Source based App from a web site for people to reak merry hell with across the world. We have enough of those all ready! Will be interested to see what happens next month.  

Occasional Contributor Derek99
Occasional Contributor

Re: SIMJacking

I was mindful of the possibility that this exists as an intentional backdoor for the government, and covered that under "legitimate" (up to a point). Even if that were the case, Optus should still be blocking these SMSs that originate outside its management network e.g. other Optus customers or customers of other carriers (anywhere in the world). The current situation seems untenable.

 

Various pieces of anecdotal evidence, including that it is not required in the US or the UK, hint that it is not required here either - and that this is down to stupidity (on someone's part) rather than malice i.e. stuff up rather than conspiracy.

0 Kudos
Reply
Frequent Contributor
Frequent Contributor

Re: SIMJacking

@_B-Rad_  - I just realised I had omitted to acknowledge you in my reply which was in response to your original post. Apologies. I think all contributors have raised valid concerns and I will continue to track the progress of your enquiry. It's good to know what is going on. Cheers.

0 Kudos
Reply
Online Community Manager
Online Community Manager

Re: SIMJacking

Hi all,


Thanks for raising this concern.


Confirming our SIMs do not use the S@T browsers so Optus customers are not exposed to this vulnerability. 


Furthermore, our Networks team have advised we also mitigate against this specific issue by blocking illegitimate binary SMS messages that could address the SIM vulnerability described. 


Please see this more recent article for an update:  https://www.itwire.com/security/simjacker-australians-are-safe.html 


_____________________________________________________
I’m part of the Yes Crowd team, employed by Optus to help run our online community. This guide explains how everything works on here and you should also check out our Community Guidelines.

Did we answer your question? Please mark it as a Accepted Solution and be generous with that Kudos button Smiley Happy
New Contributor _B-Rad_
New Contributor

Re: SIMJacking

@Mkrtich Thanks for the acknowledgment...it really wasn't necessary but I appreciate it.  Glad we've got a response and an assurance of security from Optus!

0 Kudos
Reply
New Contributor _B-Rad_
New Contributor

Re: SIMJacking

@Ray_YC Thank you for getting back to us with a complete answer covering the different aspects of this issue.  Very happy to know that not only are we not vulnerable to this particular issue but that Optus also have mitigations in place to hopefully prevent any other similar flaws in the system.  Too often half arsed responses are tossed out which is why I really appreciate your complete response.

 

Thanks.

Top Contributors