SIM cards are no longer safe. Following in the wake of multiple SIM-swap attacks and the ominously named Simjacker, a new and even bigger threat has been discovered by researchers at Ginno Security Lab.
Dubbed WIBattack, it exploits a vulnerability in the Wireless Internet Browser (WIB) app found on some SIM cards to take control of the victim's phone from anywhere in the world. Here are the details.
As the name implies, SIM-based attacks involve hackers exploiting vulnerabilities in SIM cards for nefarious purposes - from stealing money via SMS to secretly installing spyware. According to Ginno Security Lab, this latest example is particularly worrying, as it has the potential to compromise hundreds of millions of mobile phones worldwide.
"By sending a malicious SMS to victim phone number, attacker can abuse the vulnerabilities in the WIB sim browser to remotely take control of the victim mobile phone," Ginno Security Lab explained in a blog post. "The affection of the vulnerability in WIB spreads worldwide and puts hundreds of millions of telecom subscribers worldwide at risk."
Just last week, Instagram confirmed reports that it's working on modifications to its two-factor authentication setup that will allow you to create passcodes in your favourite security app - like Google Authenticator, for example. While this isn't the sexiest of news, it's great to see this security practice growing in popularity: using an app, rather than a text message, to authenticate into other apps and services.
Once taken control of, a compromised phone could be used to launch the WAP browser, make phone calls, send SMS to any phone numbers and even send the victim’s precise location to the attacker. Meanwhile, the phone's owner remains oblivious to the fact that their device is being controlled remotely. (e.g. - No ringing, vibrations, or notifications.)
Because the threat targets SIM cards, there's little that phone manufacturers or OS publishers can do. Ginno warns that every mobile phone that uses a WIB-enabled SIM card is affected. (Note: According to a SRLabs report sent to ZDnet, only around 10.7% of the phones they tested had the WIB app installed. That's still a worryingly high number.)
The graph below summarises how a WIBattack works:
And here it is in practice:
Ginno Security Lab has reported the vulnerability in WIB to The GSM Association. It recommends using the open source SIMtester to check whether your card is secure or not.
You can find out more about SIM-based attacks and how to prevent them here.
SIM swap attacks are “off the hook right now,” as described in a November 2018 article from security maven Brian Krebs. While most of you probably have never, and won’t ever, encounter one, it’s good to be prepared should this irritating hack happen to you.
[Via Ginno Security Lab]