© Copyright 2019. All rights Reserved.
Restricted Security Briefing
AdaptiveMobile Security Threat Intelligence Unit
Uncovering the Latest Mobile Security Threats
Scope of Presentation
• Introduction
• The Opportunity
• The Simjacker Attack
• Next Steps
Introduction
• Mobile operators across the world face a continual battle against new mobile threats affecting their subscribers
• AdaptiveMobile Security has been the first to detect, protect subscribers and then take down mobile attacks
– AdaptiveMobile’s early detection and intel is key to preventing subscribers being attacked
Examples of threats uncovered by AdaptiveMobile Security:
– Koler Ransomware: “locks” the device until the subscriber pays a fee
– SelfMite.B: trojanised version of a legitimate application
– IMSI Catchers
– Signalling Threats
…and our Threat Intelligence Unit (TIU) has now uncovered something else totally new
The Opportunity in your grasp
Understand and take action against the latest new threats:
• Be seen and trusted as a leading brand on secure mobile services in your market
• Proactively address the very latest security concerns, still not well known or understood by other operators in your region
• Get ahead of the game before this new attack hits the mainstream media, press and your subscribers
What you are facing
• As part of our industry-leading work, the AdaptiveMobile Security Threat Intelligence Unit (TIU) has been investigating suspicious activity over messaging and signalling bearers
• As a result we have identified a new vulnerability that is being exploited by attackers
• AdaptiveMobile Security TIU has been investigating these attacks since December 2018
• Using this vulnerability, multiple attacks are possible, including: Data Download, Location Tracking, Fraud, Denial of Service and Call Interception
What follows is the result of several months of research into a highly complex threat
Simjacker Background
• Since late 2018 AdaptiveMobile Security has detected unusual activity over messaging and signalling bearers, in specific customers, over a long period of time
• Specific, targeted subscribers were receiving messages that caused their handsets to send another SMS containing location/terminal info, without any notification or knowledge
• Subsequent deep investigation revealed a vulnerability that left almost every mobile device in affected operators open to being controlled remotely
• We call this attack Simjacker
• Simjacker is arguably the most sophisticated attack ever seen over mobile core networks: an almost ‘Stuxnet-like’ leap in sophistication from previous attacks
High-level view of Simjacker Attack
1. Attack Stage: an ‘Attack Message’ is sent from a malicious handset or VASP servers to victim phones
– ‘Attack Messages’ are SIM Toolkit messages
– An ‘Attack Message’ can be understood as containing a type of temporary spyware, transmitted via SMS
2. Exfiltration Stage: the Attack Message executable instructs the SIM card to request the Location and IMEI from the handset, and to send the Location and IMEI out from the handset in an SMS
– This is called the ‘Data Message’
– The ‘Data Message’ is sent from the Victim Handset to a Recipient Number, or to a Dummy Number via a Recipient SMSC
• This activity is not noticeable by the victim: there is no indication on the handset
Network Call-flows, Step 1: Attack Stage: How the Attack Happens
[Call-flow diagram. Nodes: Attacker Handset, Attacker VASP, SMSC, Victim Handset. Bearers: SS7 between the handsets and the SMSC, SMPP between the Attacker VASP and the SMSC.]
The ‘Attack Message’ is sent to the Victim Handset, either
a) from the Attacker Handset, or
b) from the Attacker VASP
Network Call-flows, Step 2: Exfiltration Stage: How the data is sent back
[Call-flow diagram. Nodes: Victim Handset, SMSC, Attacker Handset, Attacker SMSC, Attacker VASP. Bearers: SS7 between the handsets and the SMSCs, SMPP between the SMSC and the Attacker VASP.]
The ‘Data Message’ is sent from the Victim Handset, either
a) to the Attacker Handset, or
b) to the Attacker SMSC/SS7 Node (less common)
How the attack works
a) Attacks exploit the ability to send SIM Toolkit messages to the SIM
b) Attacks exploit the presence of the S@T Browser on the SIM card of vulnerable subscribers
The Attack Messages use the S@T Browser functionality:
1. to trigger Proactive Commands that are sent to the handset
2. the responses to these Proactive Commands are sent back from the handset to the SIM card and stored temporarily there
3. once the relevant information has been retrieved from the handset, another Proactive Command is sent to the handset to send an SMS out with the info
Additional information on why certain operators are targeted
• The S@T Browser is normally used for browsing services delivered through the SIM card
– For the attack to be possible, specific logic must also be set in the SIM Service Table (EF_SST) of the SIM card
• The S@T Browser (pronounced ‘sat’) is in use in SIM cards in the Americas, West Africa and parts of Europe and the Middle East
– Globally, most other operators no longer use the S@T Browser
– But we have discovered that more and more operators in countries outside these regions do have vulnerable SIM cards
• The issue is that in affected operators:
– the SIM cards do not check the origin of messages that use the S@T Browser (the main problem)
– the SIMs allow data download via SMS
Other types of attacks are possible using the S@T Browser!
What else could be possible using S@T Browser
• There are multiple PROACTIVE UICC commands which could be executed by the S@T Browser, including:
– PLAY TONE
– SEND SHORT MESSAGE
– SET UP CALL
– SEND USSD
– PROVIDE LOCAL INFORMATION
• LOCATION INFORMATION, IMEI, BATTERY, NETWORK, LANGUAGE, etc.
– POWER OFF CARD
– RUN AT COMMAND
– SEND DTMF COMMAND
– LAUNCH BROWSER
– OPEN CHANNEL
• CS BEARER, DATA SERVICE BEARER, LOCAL BEARER, UICC SERVER MODE, etc.
– SEND DATA
– GET SERVICE INFORMATION
– SUBMIT MULTIMEDIA MESSAGE
– CONTACTLESS STATE CHANGED
• Using these commands, multiple other attacks may be possible:
– Location Tracking
– Fraud
– Denial of Service
– Eavesdropping
– (Potential) Call interception
• We have seen many of these potential attacks being tested and used by the Attacker Group
Who is doing this and why
• Using SIGIL (Signalling Intelligence Layer) has allowed us to correlate some of the Simjacker sources with known malicious threat actors
– As a result we can say with a high degree of certainty that the source is a large surveillance company, with very sophisticated abilities in both the signalling and handset domains
• These companies exploit the fact that many operators now regard core network security as solved once they acquire a GSMA ‘compliant’ firewall. Vulnerable operators:
– Take GSMA documents as end-points/objectives, rather than initial guides
– Don’t perform any analysis or operational security work
– Put a premium on semi-static ‘compliance’, rather than treating security as a constantly evolving battle (as professional enterprises do)
• Simjacker is designed as a next generation mobile core network attack, to obtain sensitive information and control devices in operators who 1) do not have active monitoring and 2) trust in ‘standard’ security systems
[Figure: SIGIL Dashboard]
Next Steps For AdaptiveMobile Security and the Industry
• We have encountered this activity in multiple countries and we believe it is being used in multiple others
– Clear danger to the mobile operator community
– Working with our customers to protect them, on both the SMS and SS7 side
• AdaptiveMobile Security has submitted details of the exploit to the GSMA as a Vulnerability Disclosure, along with intelligence and recommendations on how to mitigate the attacks
– Co-operated on the GSMA Briefing Paper
– Presenting more details on the vulnerability at FASG#15 on the 10th of September 2019
• We will continue to research:
– How the attacks function
– Other variants of the Simjacker exploits and other uses of the vulnerability
– Related attacks and vulnerabilities which bypass vulnerable operators
Is Simjacker the end?
• Simjacker is just the first (known) next generation mobile core network attack
– We have strong indications of other types of innovative techniques being used
– These are currently being researched within AdaptiveMobile Security
• We have uncovered huge amounts of testing and optimisation by the attackers, signifying large resources, abilities and high-paying customers
– These attackers will not stop
Operators need to:
1. Move away from tick-the-box security. FS.11, FS.19 and FS.20 were not designed as objectives; they are initial guides, and the journey is only beginning
2. Focus on operational security. Firewalls themselves are not the solution; continuous after-install investigation is needed
3. Realise that attackers will try to, and probably already have, bypassed your firewall
4. Actively research and improve their core network security. If you or your vendor just follows the GSMA, it’s too late: you are wasting your time and money, as attackers will bypass you
What do you need to do
• Investigate: do you have UICC cards with S@T Browser technology deployed in your network?
• Even if you do not, what ongoing investigation and research are you doing on what is being encountered in your network?
• Is your current firewall simply GSMA document ‘compliant’? These documents are not standards: are you treating them as an objective, or as a starting point?
Do you know if attacks like Simjacker or other next generation attacks are happening in your network?
Unique Threat Intelligence - Powered by AdaptiveMobile Security
Securing the world’s leading mobile networks
Community-based intelligence sharing keeps operators protected against constantly changing security threats:
– phishing
– social engineering
– malware distribution/propagation
– information theft
– privacy violation
– fraud
Correlation and analysis of over 40 billion dark data events every day
2.2 billion subscribers protected
We have a global team of industry leading security experts dedicated to mobile messaging
Intelligence gathered from >80 deployments of our industry leading NPP platform with operators around the world
The Difference
• We solve the increasingly complex challenge of securing the proliferation of mobile devices and services through our multi-bearer platform
• We are trusted by and deployed in the world’s largest operator groups
• We have unique visibility of the mobile threat landscape, which drives product innovation and new market expansion opportunities
• We are the market leader in Cyber Telecoms Security, protecting over 2.2 billion mobile subscribers
TECHNICAL BACKUP
What is the S@T Browser?
• The S@T browser specifications were developed by the SIM Alliance. Specifications include:
– S@T 01.00 – S@T Bytecode
– S@T 01.20 – S@T Session Protocol
– S@T 01.23 – S@T Push Commands
– S@T 01.50 – S@T Browser Behaviour Guidelines
• The aim of these specifications was to allow a thin client on a SIM
– to run applications in the SIM
– using commands and content downloaded OTA via SMS or BIP from an external server
• It utilised the existing STK functions and OTA mechanisms
• The SIM Alliance still supports the feature but has not updated the specifications since 2009
So, the main role of the S@T browser is to act as an execution environment for STK commands.
Internal Structure of Simjacker Message – High level: CLASSIFIED
[Sequence diagram. Attacker Device -> SIM with S@T Browser: SMS-PP Data Download carrying an ENVELOPE (STK CMDS). SIM -> handset: PROVIDE LOCAL INFORMATION (Location Info), returning the Cell-ID; PROVIDE LOCAL INFORMATION (Terminal Info), returning the IMEI; SEND SHORT MESSAGE (Cell-ID, IMEI). Handset -> Retrieving Device: Short Message (Cell-ID, IMEI).]
Multiple Variants of Simjacker Attack Message
• Attack Messages can vary by:
– SMS packet encoding: DCS (Data Coding Scheme), PID (Protocol ID)
– S@T Push type: Low Priority Push or High Priority Push
– Information retrieved: Location and/or IMEI
– Exfiltration method of the Data Message: via SMS to a real number, or SMS to a dummy number via a compromised SMSC
– Filler bytes in the Data Message: present or not, their value, their number
– Retrieving Device Number: the number of the device that receives the Data Message
– Other variations: order, internal structure, Retrieving Device TON, etc.
• Several hundred variants in overall structure, millions of variants if the different addresses are included
– Reason for the variability? Mostly operational security: to avoid detection of both the attack and the subsequent Data Message. Different variants might also be required for different SIM cards (unknown)
– This means that binary content filtering is difficult unless you monitor and block on specific binary substrings that may change over time
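The two defensive facts in this briefing are structural rather than payload-specific: the vulnerable SIMs accept data download over SMS and do not check the origin of the S@T message (the "why certain operators are targeted" slide), while the attack message itself is permuted across DCS, PID, push type and filler bytes so that substring filtering is fragile (the slide above). The check below is an added example, not AdaptiveMobile's code and not derived from the classified message structure. It operates on the envelope that every SMS-PP OTA message to a (U)SIM must carry regardless of those permutations: the 3GPP TS 23.040 PID/DCS values and the 3GPP TS 31.115 command packet header in the UDH (IEI 0x70, then CPL, CHL, SPI, KIc, KID, TAR, CNTR, PCNTR, RC/CC/DS). A packet whose SPI asks for no integrity check is exactly one the SIM "does not check the origin of", so it is held whatever PID and DCS it arrived with. The TAR, KIc/KID, counter and payload bytes in the sample builder are constructed placeholders, not captured traffic.

```python
"""Structural check for SMS-PP OTA command packets sent to a (U)SIM.

Added example, not AdaptiveMobile code. It keys on the envelope every
SMS-PP data-download message carries (3GPP TS 23.040 PID/DCS and the
3GPP TS 31.115 command packet header in the UDH), not on the S@T
bytecode. TAR, KIc/KID and payload bytes are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional

PID_SIM_DATA_DOWNLOAD = 0x7F   # TS 23.040 TP-PID "(U)SIM Data download"
IEI_COMMAND_PACKET = 0x70      # TS 23.040 UDH IEI: command packet identifier
CMD_HEADER_FIXED_LEN = 13      # SPI(2)+KIc(1)+KID(1)+TAR(3)+CNTR(5)+PCNTR(1)


def is_class2_dcs(dcs: int) -> bool:
    """True when TP-DCS marks the message class 2 ((U)SIM specific)."""
    if (dcs & 0xC0) == 0x00:                 # general group: bit 4 => class valid
        return bool(dcs & 0x10) and (dcs & 0x03) == 2
    if (dcs & 0xF0) == 0xF0:                 # "data coding/message class" group, e.g. 0xF6
        return (dcs & 0x03) == 2
    return False


@dataclass
class CommandHeader:
    spi: bytes
    kic: int
    kid: int
    tar: bytes
    counter: bytes
    rc_cc_ds: bytes
    secured_data: bytes

    @property
    def has_integrity(self) -> bool:
        # SPI first octet b2b1: 00 none, 01 RC, 10 CC, 11 DS
        return (self.spi[0] & 0x03) != 0

    @property
    def counter_checked(self) -> bool:
        # SPI first octet b5b4: 00 no counter, 01 unchecked, 10/11 checked
        return (self.spi[0] & 0x18) >= 0x10


def parse_command_packet(user_data: bytes) -> Optional[CommandHeader]:
    """Extract the TS 31.115 command packet from TP-UD (TP-UDHI set), else None."""
    if not user_data:
        return None
    udhl = user_data[0]
    udh, body = user_data[1:1 + udhl], user_data[1 + udhl:]
    if len(udh) != udhl:
        return None
    # Walk the UDH IEs looking for IEI 0x70 with zero-length data.
    i, found = 0, False
    while i + 2 <= len(udh):
        iei, iedl = udh[i], udh[i + 1]
        found = found or (iei == IEI_COMMAND_PACKET and iedl == 0)
        i += 2 + iedl
    if not found or len(body) < 3:
        return None
    cpl = int.from_bytes(body[0:2], "big")  # octets after CPL, to end of data
    chl = body[2]                           # octets after CHL, up to end of RC/CC/DS
    if cpl != len(body) - 2 or chl < CMD_HEADER_FIXED_LEN or 3 + chl > len(body):
        return None                         # inconsistent lengths: not a valid packet
    hdr = body[3:3 + chl]
    return CommandHeader(spi=hdr[0:2], kic=hdr[2], kid=hdr[3], tar=hdr[4:7],
                         counter=hdr[7:12], rc_cc_ds=hdr[CMD_HEADER_FIXED_LEN:],
                         secured_data=body[3 + chl:])


def assess(pid: int, dcs: int, udhi: bool, user_data: bytes) -> dict:
    """Score one MT SMS; the header parse is the primary signal because
    PID and DCS are exactly the fields the attacker permutes."""
    hdr = parse_command_packet(user_data) if udhi else None
    f = {
        "pid_sim_download": pid == PID_SIM_DATA_DOWNLOAD,
        "dcs_class2": is_class2_dcs(dcs),
        "ota_command_packet": hdr is not None,
        "unauthenticated": hdr is not None and not hdr.has_integrity,
        "no_replay_check": hdr is not None and not hdr.counter_checked,
        "tar": hdr.tar.hex() if hdr else None,
    }
    # Policy: an OTA command packet the SIM would run with no cryptographic
    # check is held for review whatever PID/DCS it arrived with.
    f["block"] = f["unauthenticated"]
    return f


def build_sample(spi: bytes, payload: bytes, rc_cc_ds: bytes = b"",
                 tar: bytes = b"\x12\x34\x56") -> bytes:
    """Constructed TP-UD carrying a 31.115 header (placeholder TAR/KIc/KID/CNTR)."""
    hdr = spi + b"\x00\x00" + tar + b"\x00" * 5 + b"\x00" + rc_cc_ds
    body = bytes([len(hdr)]) + hdr + payload          # CHL + header + secured data
    return b"\x02\x70\x00" + len(body).to_bytes(2, "big") + body
```

Run `assess(0x7F, 0xF6, True, build_sample(b"\x00\x00", b"\x01\x02\x03"))` for the class-2, unsecured shape this briefing describes and it returns `block=True`; the same header with PID 0x00 and DCS 0x04 is still blocked, while a packet with SPI 0x16 0x21 and an 8-byte CC passes. In deployment, pair the rule with an allow-list of the operator's own OTA platform sources and TARs, and apply it at both SMPP ingress (the VASP path) and the SS7 MT-ForwardSM firewall (the handset path), since the call-flows show the attack message arriving over either.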