A minimum security level set to zero on SIM cards puts mobile security at risk and leaves phones vulnerable to attacks by Simjacker and the recently discovered WIBattack.
SIM cards are vulnerable to a second type of cyber attack that compromises the WIB (Wireless Internet Browser) application to take control of key phone functions and even send user location data.
This type of attack, called WIBattack and described by Ginno Security Lab, which cites ZDNet, works similarly to Simjacker. That is, it hacks a SIM card through an SMS that allows the attackers to take control of the card because it lacks the key security levels.
When an attacker manages to take control of a SIM, the possible actions range from sending SMS messages and making calls to sending data on the location of the smartphone's user in order to track them. Ginno warns on its blog that hundreds of millions of mobile phone users may be at risk from WIBattack, and has warned the GSM Association of this vulnerability. However, an investigation by Security Research Labs (SRLabs) set out to “understand to what extent a user has to worry about Simjacker and create ways of knowing if a SIM is vulnerable or even being attacked.”
To do this, they analyzed 800 SIM cards from 86 countries, of which 6 percent are vulnerable to Simjacker, while 3.5 percent are vulnerable to a similar second vulnerability “without prior reporting”, which is identified with WIBattack. Although the figures from the analysis are not high, they give an idea of the magnitude of this type of risk.
For their investigation, they created a tool called SIMtester (which can detect the two vulnerabilities) and also consulted a second one, SnoopSnitch for Android (which warns about binary SMS attacks), and identified that the Simjacker attacks were linked to an S@T application, which they found on some SIM cards.
In the affected SIM cards, the two applications, both S@T and WIB, “are configured with a minimum level of security,” SRLabs points out. SMS messages designed to attack SIMs and take control of phone functions attempt to send commands to these applications, and attackers can only exploit applications whose minimum security level “is set to zero.”
As explained by SRLabs, if the minimum security level is set to zero, “the SIM card accepts the messages without executing any security checks, resulting in unrestricted access to the application.”
Of the SIM cards analyzed, 9.4 percent had the S@T application installed, and 10.7 percent, WIB. “In total, 9.1 percent of the SIM cards analyzed were vulnerable to attacks against S@T or WIB,” says the investigation.
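The binary SMS messages mentioned above can be recognised from their header fields before any payload is interpreted. The following Python sketch is an added example, not code from SRLabs, SIMtester or SnoopSnitch: it parses an SMS-DELIVER PDU and flags messages addressed to the SIM, assuming the field values defined in 3GPP TS 23.040 (TP-PID 0x7F for SIM data download, 8-bit class 2 data coding, and user data header elements 0x70 to 0x7F for SIM Toolkit security headers). Both sample PDUs are constructed, and the function and field names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Verdict:
    pid: int
    dcs: int
    sim_download: bool    # TP-PID 0x7F: delivered to the SIM, not shown to the user
    binary_class2: bool   # 8-bit data with message class 2 (SIM-specific)
    stk_header: bool      # UDH element 0x70-0x7F: SIM Toolkit security header
    sim_targeted: bool    # overall flag: worth logging and reviewing

def _binary_class2(dcs: int) -> bool:
    if (dcs & 0xF0) == 0xF0:                      # "data coding / message class" group
        return (dcs & 0x07) == 0x06
    if (dcs & 0xC0) == 0x00 and (dcs & 0x10):     # general group, class bits valid
        return (dcs & 0x0F) == 0x06
    return False

def _udh_ieis(ud: bytes) -> list:
    hdr = ud[1:1 + ud[0]] if ud else b""          # first octet is the header length
    ieis, j = [], 0
    while j + 1 < len(hdr):                       # each element: IEI, length, data
        ieis.append(hdr[j])
        j += 2 + hdr[j + 1]
    return ieis

def inspect_sms_deliver(pdu_hex: str) -> Verdict:
    b = bytes.fromhex(pdu_hex)
    i = 1 + b[0]                                  # skip the SMSC address
    first = b[i]
    if first & 0x03:
        raise ValueError("not an SMS-DELIVER TPDU")
    i += 1
    i += 2 + (b[i] + 1) // 2                      # originating address: length, type, digits
    pid, dcs = b[i], b[i + 1]
    i += 2 + 7                                    # skip PID, DCS and the 7-octet timestamp
    ud = b[i + 1:]                                # user data after the length octet
    ieis = _udh_ieis(ud) if first & 0x40 else []  # header present only if UDHI is set
    stk = any(0x70 <= x <= 0x7F for x in ieis)
    dl, bc2 = pid == 0x7F, _binary_class2(dcs)
    return Verdict(pid, dcs, dl, bc2, stk, dl or (bc2 and stk))

# Constructed samples: a SIM-addressed binary SMS with a zeroed placeholder
# payload, and an ordinary 7-bit text message ("hi") from the same sender.
SIM_OTA = "00440B915155100000F07FF69101012100000007027000" "00000000"
TEXT = "00040B915155100000F000009101012100000002E834"

if __name__ == "__main__":
    for name, pdu in (("SIM_OTA", SIM_OTA), ("TEXT", TEXT)):
        print(name, inspect_sms_deliver(pdu))
```

A flagged message only shows that the SMS was addressed to the SIM; whether the card acts on it depends on the minimum security level of the targeted application, as SRLabs describes.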