SIM Hijack attack
asked 2019-09-12 22:51:21 +0200
Is Sailfish vulnerable? https://thehackernews.com/2019/09/simjacker-mobile-hacking.html
1
@olf they say: "One important note is that for some specific attacks handset types do matter. Some, such as setting up a call, require user interaction to confirm, but this is not guaranteed and older phones or devices with no keypad or screens (such as IoT device) may not even ask for this." My question meant what will Sailfish do in this case.
Linuxovod ( 2019-09-13 17:00:12 +0200 )edit1
1
Well that aspect seem to be quite clear: Modern phones will ask the user for confirmation on specific actions initiated by the SIM card and carried out by the modem, such as making a call.
Those actions mentioned for the specific attack example (receiving and sending SMS, retrieving IMEI and location data) are not among those "special actions" (for reasons). Hence the OS is not informed (i.e. asked to obtain a confirmation by the user), thus does not and cannot "do" anything.
2
@Stefanix, can you please provide a pointer, why you believe that this "attack needs handset support".
S@T definitely needs no OS support.
IMO it is rather the opposite: Some classes of devices ("handset types") may ask user for a confirmation, if triggered to do so by the UICC (= SIM card), while others either do not (unimplemented, e.g. on old dumb-phones) or cannot (lack of screen and keypads; e.g. (IoT devices etc.).
olf ( 2019-09-13 18:27:46 +0200 )edit
Oh yes
And oh, oh: not completely regardless. My N900 would be safe as it does not have this S@T technology :)
peterleinchen ( 2019-09-13 00:58:13 +0200 )edit@peterleinchen, an N900 is just as vulnerable (or safe) as any other device! This attack is completely independent of the operating system, as no code needs to be run on the main CPU.
olf ( 2019-09-13 01:48:23 +0200 )editThe attack solely uses the resources of the SIM card, all of which are JavaCards by specification, plus information provided by the cellular modem (location, IMEI etc.).
So ultimately it all depends on your SIM card providing a S@T implementation (or not).
Please use the force and read the source! Feel free to point out misunderstandings by me, accompanied by a pointer to a contradictory statement there.
I was under the impression that as the N900/Maemo does not have an Implementation of this SIM kit application and this part of source
I may be wrong...
peterleinchen ( 2019-09-13 08:22:19 +0200 )edit"One important note is that for some specific attacks handset types do matter. Some, such as setting up a call, require user interaction to confirm, but this is not guaranteed and older phones or devices with no keypad or screens (such as IoT device) may not even ask for this." On some CDMA oriented (but GSM compatible) android phones S@T browser is missing too.
Linuxovod ( 2019-09-13 17:03:19 +0200 )edit@peterleinchen, well AFAICS the terms "device" and "handset" are used interchangeably in both of the documents (the high-level one [1] and the bit more detailed one [2]) and addresses the whole device, including cellular modem etc.
The used language is remarkably imprecise, but that "triggering logic on the handset" IMO means nothing more than "let the modem send out the exfiltrated data per SMS", just as the modem was used before that to collect information e.g. location data.
@Linuxovod, S@T is clearly described as a software component deployed with and running on the UICC (i.e. any modern SIM card).
olf ( 2019-09-13 17:48:13 +0200 )edit