Simjacker - Real threat or mere hype?


The Simjacker vulnerability has been generating quite a lot of hype since its disclosure a few days back. The cybersecurity industry is a hugely competitive one. These days, as long as a security research company discovers something relatively noteworthy, it will take the opportunity to market itself. If I remember correctly, Heartbleed was the first vulnerability to have its own dedicated website. Since then, many vulnerability disclosures have followed the same path.


First, you need to give your vulnerability a nice name. Then, some might give it a fancy logo. Finally, you have to create a website for it. Offhand, there are Meltdown/Spectre, KRACK, DROWN and EFAIL, just to name a few. Here are some logos for your reference :)



The Simjacker hype

Simjacker ticks all the checkboxes when it comes to marketing. It has a website of its own, a pretty decent and apt logo design, and it even has a video introduction. There are even quick share buttons for popular social networks like Facebook, LinkedIn and Twitter.


If you do a quick search on Google, a myriad of news outlets have articles on Simjacker. Among them, even Forbes, Engadget and Ars Technica have articles on it. This level of coverage pushed Simjacker's official website to the third page of Google search.


What is the vulnerability about?

Simjacker is a vulnerability that lets an attacker remotely attack an unsuspecting victim. According to AdaptiveMobile Security, the research company which discovered Simjacker, the attacker just needs to be able to craft the right SMS data for the target and voila!

Of course, like any vulnerability, there must be some prerequisites for it to work. The attack relies on specific SMS messages being allowed (by the local Telco), and the S@T Browser software being present on the SIM card of the targeted phone. Of course, if you are targeting a specific individual, then you will need to know their mobile number.

The S@T (pronounced sat) Browser, or SIMalliance Toolbox Browser, is an application specified by the SIMalliance, and can be installed on a variety of SIM cards. The S@T Browser is an old piece of software and most of its functions have been superseded by other technologies. The specification has not been updated for 10 years; however, like many legacy technologies, it is still being used.
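An operator-side check for the "specific SMS messages" prerequisite, as an added example that is not from the original post or from AdaptiveMobile Security. It assumes those messages are the SIM-directed binary SMS types of 3GPP TS 23.040 (TP-PID 0x7F, class 2 8-bit TP-DCS, toolkit security headers), which the post does not specify; the function names, the allowlist and the sample TPDUs are constructed.

```python
SIM_DATA_DOWNLOAD_PID = 0x7F           # TP-PID "(U)SIM Data download" in 3GPP TS 23.040
STK_SECURITY_IEIS = range(0x70, 0x80)  # UDH element ids for (U)SIM Toolkit security headers
OPERATOR_OTA_SENDERS = {"15550100"}    # hypothetical allowlist: the operator's own OTA source

def parse_sms_deliver(tpdu_hex):
    """Return (sender, pid, dcs, udh_ieis) for an SMS-DELIVER TPDU without SMSC prefix."""
    b = bytes.fromhex(tpdu_hex)
    try:
        if b[0] & 0x03:
            raise ValueError("not an SMS-DELIVER TPDU")
        digits = b[1]                              # sender length, counted in digits
        addr_end = 3 + (digits + 1) // 2           # first octet, length, type, packed digits
        sender = "".join(f"{x & 0x0F:X}{x >> 4:X}" for x in b[3:addr_end])[:digits]
        pid, dcs = b[addr_end], b[addr_end + 1]
        i = addr_end + 2 + 7 + 1                   # skip PID, DCS, timestamp, user-data length
        ieis = []
        if b[0] & 0x40:                            # TP-UDHI: user data starts with a header
            end = i + 1 + b[i]
            i += 1
            while i + 2 <= end:                    # walk (id, length, value) elements
                ieis.append(b[i])
                i += 2 + b[i + 1]
    except IndexError:
        raise ValueError("truncated TPDU") from None
    return sender, pid, dcs, ieis

def is_class2_binary(dcs):
    """True when TP-DCS means 8-bit data with message class 2 ((U)SIM-specific)."""
    if dcs >> 4 == 0xF:                            # "data coding / message class" group
        return (dcs & 0x07) == 0x06
    if (dcs & 0x80) == 0:                          # general data coding groups
        return (dcs & 0x1F) == 0x16                # class bits valid, 8-bit, class 2
    return False

def verdict(tpdu_hex):
    """Block SIM-directed messages unless the sender is on the operator allowlist."""
    sender, pid, dcs, ieis = parse_sms_deliver(tpdu_hex)
    checks = {"pid=sim-data-download": pid == SIM_DATA_DOWNLOAD_PID,
              "dcs=class2-8bit": is_class2_binary(dcs),
              "udh=stk-security-header": any(i in STK_SECURITY_IEIS for i in ieis)}
    reasons = [name for name, hit in checks.items() if hit]
    blocked = bool(reasons) and sender not in OPERATOR_OTA_SENDERS
    return ("block" if blocked else "allow"), reasons

# Constructed sample TPDUs (fictional numbers, filler payload bytes).
TS = "91902101000000"
TEXT_SMS = "04" "0891" "51551032" "00" "00" + TS + "02" "E834"
SIM_FROM_STRANGER = "44" "0891" "51551032" "7F" "F6" + TS + "07" "027000" "00000000"
SIM_FROM_OPERATOR = "44" "0891" "51551000" "7F" "F6" + TS + "07" "027000" "00000000"
```

The originating address inside a TPDU can be forged, so a production filter would key the allowlist on the network-level source of the message rather than on this field.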

AdaptiveMobile Security also said that,

"... we observed the S@T protocol being used by mobile operators in at least 30 countries whose cumulative population adds up to over a billion people, so a sizable amount of people are potentially affected. It is also highly likely that additional countries have mobile operators that continue to use the technology on specific SIM cards."

This is the part where I think there is some mis-marketing. The company said that the S@T protocol is being used by mobile operators in 30 countries with a cumulative population of over one billion people. The way this is worded makes it sound like over 1 billion people are at risk. Unsurprisingly, there really are articles that wrongly assumed that, and one of them is on Forbes. The article title reported that 1 billion mobile phones are at risk, which is a huge overstatement. While the full details will only be revealed at an event on 3rd Oct, I think not all mobile operators in these countries will ship their SIM cards with the S@T Browser. Also, not everyone in these countries owns a phone. However, the way the company worded the statement made it sound like 1 billion people are at risk, which I think is a somewhat deliberate attempt to mislead.

Even though I think the number of people at risk is overstated, I think the vulnerability is still rather widespread. Even if there are just a million at risk, I will consider it noteworthy and deserving of attention. So what can be exploited? First of all, the attack can be used to spy on your location. Next, it can also be used to make fraudulent calls to a third party. Finally, it can also be used to direct users to potentially malicious websites. Beyond these scenarios, the S@T protocol can be used to do many other things documented here. Examples of the more sensitive commands are listed here:

  • PLAY TONE
  • SEND SHORT MESSAGE
  • SET UP CALL
  • SEND USSD
  • SEND SS
  • PROVIDE LOCAL INFORMATION
  • POWER OFF CARD
  • RUN AT COMMAND
  • SEND DTMF COMMAND
  • LAUNCH BROWSER
  • OPEN CHANNEL
  • SEND DATA
  • GET SERVICE INFORMATION
  • SUBMIT MULTIMEDIA MESSAGE
  • GEOGRAPHICAL LOCATION REQUEST

With so many commands available, a targeted attack is limited only by what the attacker can imagine.


So is Simjacker worth the hype?

I agree Simjacker is certainly worth media attention, especially in the affected countries. However, I think AdaptiveMobile Security should just disclose the vulnerability fully so that the mobile operators can start to work on mitigating the threat. I do not see the point in withholding some details and only disclosing them later during an event. I will not be surprised if the presentation on 3rd October does not live up to expectations.


I think the company is not being very socially responsible here. Although it is a decent finding and they deserve all the credit, I think the marketing is a little overboard. But I guess I cannot really blame them for trying whatever they can to gain some fame in this highly competitive cybersecurity industry.


12 comments

Haha, this Simjacker hype kind of reminds me of those hypes of Back Orifice, Carnivore & Echelon in the good old days. };)


Are those vulnerabilities found in the past? I have never heard of them. Haha..


The discovery of security flaws is very interesting, but I had never stopped to think about it as a marketing issue. I have to thank you for this idea, which gives me topics to talk about with colleagues from another department.
By the way, the exaggeration in the headline of Forbes is a common evil, reaching old extreme cases falls into "Sensationalism", which certainly sells, but is not the best for the healthy reputation of a media outlet.


Most things are now subject to marketing.

Hopefully there will be no more than that in this case!


I think there is some substance to this finding and it's not all hype. But the marketing is still a bit overboard IMO


Interesting article, friend @culgin. I think that most companies, not only in this area, tend to exaggerate the scope of their products, the number of people benefited or affected, in order to be more successful in selling their products. It is part of the competition game where users lie blatantly.
