Uncovering the Latest Mobile Security Threats · 2020. 4. 2.

Restricted Security Briefing – AdaptiveMobile Security Threat Intelligence Unit


Page 1: Uncovering the Latest Mobile Security Threats

© Copyright 2019. All rights Reserved.

Restricted Security Briefing

AdaptiveMobile Security Threat Intelligence Unit

Page 2: Scope of Presentation

• Introduction

• The Opportunity

• The Simjacker Attack

• Next Steps

Page 3: Introduction

• Mobile operators across the world face a continual battle against new mobile threats affecting their subscribers

• AdaptiveMobile Security has been the first to detect, protect subscribers and then take down mobile attacks

– AdaptiveMobile’s early detection and intel is key to preventing subscribers being attacked

Examples of threats uncovered by AdaptiveMobile Security:

– Koler Ransomware: “locks” the device until the subscriber pays a fee

– SelfMite.B: trojanised version of a legitimate application

– IMSI Catchers

– Signalling Threats

…and our Threat Intelligence Unit (TIU) has now uncovered something else totally new

Page 4: The Opportunity in your grasp

Understand and take action against the latest new threats:

• Be seen and trusted as a leading brand on secure mobile services in your market

• Proactively address the very latest security concerns, still not well known or understood by other operators in your region

• Get ahead of the game before this new attack hits the mainstream media, press and your subscribers

Page 5: What you are facing

• As part of our industry-leading work, AdaptiveMobile Security Threat Intelligence Unit (TIU) has been investigating suspicious activity over messaging and signalling bearers

• As a result, we have identified a new vulnerability that is being exploited by attackers

• AdaptiveMobile Security TIU has been investigating these attacks since December 2018

• Using this vulnerability, multiple attacks are possible, including: Data Download, Location Tracking, Fraud, Denial of Service and Call Interception

What follows is the result of several months of research into a highly complex threat

Page 6: Simjacker Background

• Since late 2018 AdaptiveMobile Security has detected unusual activity over messaging and signalling bearers, in specific customers, over a long period of time

• Specific, targeted subscribers were receiving messages that were causing them to send another SMS with location/terminal info, without any notification or knowledge

• Subsequent deep investigation revealed a vulnerability that left almost every mobile device in affected operators open to remote control

• We call this attack: Simjacker

• Simjacker is arguably the most sophisticated attack ever seen over mobile core networks – an almost ‘Stuxnet-like’ leap in sophistication from previous attacks

Page 7: High-level view of Simjacker Attack

1. Attack Stage: the ‘Attack Message’ is sent from a malicious handset or VASP servers to victim phones

– ‘Attack Messages’ are SIM Toolkit messages

– An ‘Attack Message’ could be understood as containing a type of temporary spyware, transmitted via SMS

2. Exfiltration Stage: the Attack Message executable instructs the SIM card to request the Location and IMEI from the handset, and to send the Location and IMEI from the handset in an SMS

– This is called the ‘Data Message’

• The ‘Data Message’ is sent from the victim handset to a Recipient Number, or to a dummy number via a Recipient SMSC

• This activity is not noticeable by the victim – no indication on the handset

Page 8: Network Call-flows – Step 1: Attack Stage: How the Attack Happens

‘Attack Message’ is sent to the Victim Handset, either

a) from the Attacker Handset, or

b) from the Attacker VASP

[Diagram; recovered labels: Attacker Handset (a), Attacker VASP (b), SMSC, Victim Handset; links labelled SS7 and SMPP.]

Page 9: Network Call-flows – Step 2: Exfiltration Stage: How the data is sent back

‘Data Message’ is sent from the Victim Handset, either

a) to the Attacker Handset, or

b) to the Attacker SMSC/SS7 Node (less common)

[Diagram; recovered labels: Victim Handset, SMSC, Attacker Handset (a), Attacker SMSC and Attacker VASP (b); links labelled SS7 and SMPP.]

Page 10: How the attack works

a) Attacks exploit the ability to send SIM Toolkit Messages

b) Attacks exploit the presence of the S@T Browser on the SIM card for vulnerable subscribers

The Attack Messages use the S@T Browser functionality:

1. to trigger Proactive Commands that are sent to the handset

2. The responses to these Proactive Commands are sent back from the handset to the SIM card and stored temporarily there

3. Once the relevant information is retrieved from the handset, another Proactive Command is sent to the handset to send an SMS out with the info

Page 11: Additional information on why certain operators are targeted

• S@T Browser is normally used for browsing through the SIM card

– Also, for the attack to be possible, specific logic must be set in the SIM Service Table (EFSST) of the SIM card

• S@T Browser (pronounced “sat”) is in use in SIM cards in the Americas, West Africa and parts of Europe and the Middle East

– Globally, most other operators no longer use S@T Browser

– But we have discovered that more and more operators from countries outside these regions do have vulnerable SIM cards

• The issue is that, in affected operators:

– the SIM card does not check the origin of messages that use the S@T Browser (main problem)

– SIMs allow data download via SMS

Other types of attacks are possible using S@T Browser!

Page 12: What else could be possible using S@T Browser

• There are multiple PROACTIVE UICC commands which could be executed by the S@T Browser; they include:

– PLAY TONE

– SEND SHORT MESSAGE

– SET UP CALL

– SEND USSD

– PROVIDE LOCAL INFORMATION (LOCATION INFORMATION, IMEI, BATTERY, NETWORK, LANGUAGE, etc.)

– POWER OFF CARD

– RUN AT COMMAND

– SEND DTMF COMMAND

– LAUNCH BROWSER

– OPEN CHANNEL (CS BEARER, DATA SERVICE BEARER, LOCAL BEARER, UICC SERVER MODE, etc.)

– SEND DATA

– GET SERVICE INFORMATION

– SUBMIT MULTIMEDIA MESSAGE

– CONTACTLESS STATE CHANGED

Using these commands, multiple other attacks may be possible:

• Location Tracking

• Fraud

• Denial of Service

• Eavesdropping

• (Potential) Call interception

We have seen many of these potential attacks being tested and used by the Attacker Group

Page 13: Who is doing this and why

• Using SIGIL (Signalling Intelligence Layer) has allowed us to correlate some of the Simjacker sources with known malicious threat actors

– As a result we can say with a high degree of certainty that the source is a large surveillance company, with very sophisticated abilities in both signalling and handsets

• These companies exploit the fact that many operators now regard core network security as solved if they acquire a GSMA ‘compliant’ firewall. Vulnerable operators:

– Take GSMA documents as end-points/objectives, rather than initial guides

– Don’t perform any analysis or operational security work

– Put a premium on semi-static ‘compliance’, rather than security as a constantly evolving battle (like professional enterprises do)

• Simjacker is designed as a next generation mobile core network attack, to obtain sensitive information and control devices in operators who 1) do not have active monitoring and 2) trust in ‘standard’ security systems

[Figure: SIGIL Dashboard]

Page 14: Next Steps For AdaptiveMobile Security and the Industry

• We have encountered this activity in multiple countries and we believe it is being used in multiple others

– Clear danger to the mobile operator community

– Working with our customers to protect them, on both the SMS and SS7 side

• AdaptiveMobile Security has submitted details of the exploit to the GSMA as a Vulnerability Disclosure, along with intelligence and recommendations on how to mitigate the attacks

– Co-operated on GSMA Briefing Paper

– Presenting more details on the vulnerability at FASG#15 on the 10th of September 2019

• We will continue to research:

– how the attacks function

– other variants of the Simjacker exploits and uses of the vulnerability

– related attacks and vulnerabilities which bypass vulnerable operators

Page 15: Is Simjacker the end?

• Simjacker is just the first (known) next generation mobile core network attack

– We have strong indications of other types of innovative techniques being used

– These are currently being researched within AdaptiveMobile Security

• We have uncovered huge amounts of testing and optimisation by the attackers, signifying large resources, abilities and high-paying customers

– These attackers will not stop

Operators need to:

1. Move away from tick-the-box security. FS.11, FS.19, FS.20 were not designed as objectives; they are initial guides, and the journey is only beginning

2. Focus on operational security. Firewalls themselves are not the solution; continuous after-install investigation is needed

3. Realise that attackers will try to, and probably already have, bypassed your firewall

4. Actively research and improve their core network security. If you or your vendor just follows the GSMA, it’s too late: you are wasting your time and money, as attackers will bypass you

Page 16: What do you need to do

• Investigate: do you have UICC cards with S@T Browser technology deployed in your network?

• Even if you do not, what ongoing investigation and research are you doing on what is being encountered in your network?

• Is your current firewall simply GSMA document ‘compliant’? Even though these documents are not standards, are you treating them as an objective, or as a starting point?

Do you know if attacks like Simjacker or other next generation attacks are happening in your network?

Page 17: Unique Threat Intelligence - Powered by AdaptiveMobile Security

Securing the world’s leading mobile networks

Community-based intelligence sharing keeps Operators protected against constantly changing security threats: phishing, social engineering, malware distribution/propagation, information theft, privacy violation, fraud

Correlation and analysis of over 40 billion dark data events every day

2.2 BILLION SUBSCRIBERS PROTECTED

We have a global team of industry leading security experts dedicated to mobile messaging

Intelligence gathered from >80 deployments of our industry leading NPP platform with operators around the world

Page 18: The Difference

• We solve the increasingly complex challenge of securing the proliferation of mobile devices and services through our multi-bearer platform

• We are trusted by and deployed in the world’s largest operator groups

• We have unique visibility of the mobile threat landscape, which drives product innovation and new market expansion opportunities

• We are the market leader in Cyber Telecoms Security, protecting over 2.2 billion mobile subscribers


Page 20: TECHNICAL BACKUP

Page 21: What is the S@T Browser?

• S@T Browser specifications were developed by the SIM Alliance. Specifications include:

– S@T 01.00 – S@T Bytecode

– S@T 01.20 – S@T Session Protocol

– S@T 01.23 – S@T Push Commands

– S@T 01.50 – S@T Browser Behaviour Guidelines

• The aim of these specifications was to allow a thin client on a SIM

– to run applications in the SIM

– using commands and content downloaded OTA via SMS or BIP from an external server

• It utilised the existing STK functions and OTA mechanisms

• The SIM Alliance still supports the feature but has not updated its specifications since 2009

So, the main role of the S@T Browser is to act as an execution environment for STK commands.

Page 22: Internal Structure of Simjacker Message – High level: CLASSIFIED

[Diagram; recovered labels, in message order: Attacker Device → SMS-PP Data Download → SIM with S@T Browser. On the SIM, ENVELOPE (STK CMDS): PROVIDE LOCAL INFORMATION: Location Info → Cell-ID; PROVIDE LOCAL INFORMATION: Terminal Info → IMEI; SEND SHORT MESSAGE (Cell-ID, IMEI) → Short Message (Cell-ID, IMEI) → Retrieving Device.]

Page 23: Multiple Variants of Simjacker Attack Message

• Attack Messages can vary by:

– SMS Packet Encoding: DCS (Data Coding Scheme), PID (Protocol ID)

– S@T Push Type: Low Priority Push or High Priority Push

– Information Retrieved: Location and/or IMEI

– Exfiltration Method of Data Message: via SMS to a real number, or SMS to a dummy number via a compromised SMSC

– Filler bytes in Data Message: present or not, value, number of

– Retrieving Device Number: number of the device that receives the Data Message

– Other variations: order, internal structure, Retrieving Device TON, etc.

• Several hundred variants in overall structure; millions of variants if different addresses are included

– Reason for variability? Mostly security – to avoid detection of both the attack and the subsequent Data Message. Different variants might be required for different SIM cards (unknown)

– This means that binary content filtering is difficult unless you monitor and block on specific binary substrings that may change over time
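The two-stage flow on slides 7–10 (a SIM-bound Attack Message in, a Data Message out that the subscriber never sees) and the variability point on this slide argue for detecting on message headers and subscriber behaviour rather than on payload substrings. The following is an added illustration written for this page, not AdaptiveMobile's own detection logic: it decodes the TP-PID and TP-DCS indicators that mark an SMS as addressed to the SIM (values from 3GPP TS 23.040 and 23.038), then correlates such a message with a binary MO SMS from the same subscriber to a previously unseen number within a short window. The event record format, the field names, the phone numbers, the allowlist and the 60-second window are constructed assumptions; the code does not parse S@T bytecode.

```python
"""Detection sketch: correlate the two Simjacker stages in an SMS event log.
Added example, not AdaptiveMobile's code. Log format and numbers are constructed."""
from __future__ import annotations
from collections.abc import Iterable
from dataclasses import dataclass
from datetime import datetime, timedelta

SIM_DATA_DOWNLOAD_PID = 0x7F  # TP-PID "(U)SIM Data download" (3GPP TS 23.040)


def dcs_is_8bit(dcs: int) -> bool:
    """TP-DCS declares 8-bit binary user data (3GPP TS 23.038)."""
    if dcs >> 6 == 0:                  # general data coding group, 0x00-0x3F
        return (dcs & 0x0C) == 0x04    # alphabet bits 3-2 == 01
    if dcs >> 4 == 0xF:                # "data coding / message class" group, 0xF0-0xFF
        return bool(dcs & 0x04)        # bit 2 == 1
    return False


def dcs_is_class2(dcs: int) -> bool:
    """TP-DCS carries message class 2 (SIM-specific); 23.038 encodes it two ways."""
    if dcs >> 6 == 0:
        return bool(dcs & 0x10) and (dcs & 0x03) == 0x02   # class bit set, class 2
    if dcs >> 4 == 0xF:
        return (dcs & 0x03) == 0x02
    return False


def addressed_to_sim(pid: int, dcs: int) -> bool:
    """The ME hands an SMS to the (U)SIM when TP-PID is 0x7F and the class is 2.
    Either indicator alone is flagged for review, since DCS and PID vary per sample."""
    return pid == SIM_DATA_DOWNLOAD_PID or dcs_is_class2(dcs)


@dataclass(frozen=True)
class SmsEvent:
    ts: datetime
    direction: str   # "MT" = delivered to subscriber, "MO" = submitted by subscriber
    subscriber: str  # MSISDN of the monitored subscriber (constructed values below)
    peer: str        # originating address for MT, destination address for MO
    pid: int         # TP-PID byte
    dcs: int         # TP-DCS byte


def find_silent_exfil_pairs(events: Iterable[SmsEvent],
                            trusted_ota_senders: frozenset[str] = frozenset(),
                            window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Flag an MT SIM-bound message followed within `window` by a binary MO SMS from
    the same subscriber to a destination that subscriber never messaged before.
    The operator's own OTA platform uses the same bearer for legitimate SIM updates,
    so its originating addresses belong in trusted_ota_senders."""
    timeline = sorted(events, key=lambda e: e.ts)
    known_peers: dict[str, set[str]] = {}   # subscriber -> MO destinations seen so far
    hits: list[dict] = []
    for i, ev in enumerate(timeline):
        if ev.direction == "MO":
            known_peers.setdefault(ev.subscriber, set()).add(ev.peer)
            continue
        if (ev.direction != "MT" or ev.peer in trusted_ota_senders
                or not addressed_to_sim(ev.pid, ev.dcs)):
            continue
        history = known_peers.get(ev.subscriber, set())
        for later in timeline[i + 1:]:
            if later.ts - ev.ts > window:
                break
            if (later.direction == "MO" and later.subscriber == ev.subscriber
                    and dcs_is_8bit(later.dcs) and later.peer not in history):
                hits.append({"subscriber": ev.subscriber, "attack_from": ev.peer,
                             "exfil_to": later.peer,
                             "delay_s": (later.ts - ev.ts).total_seconds()})
                break
    return hits


def sample_events() -> list[SmsEvent]:
    """Constructed event log (not real traffic): two victims, one benign OTA update."""
    t0 = datetime(2019, 9, 10, 10, 0, 0)

    def at(sec: int) -> datetime:
        return t0 + timedelta(seconds=sec)

    return [
        SmsEvent(at(0), "MO", "+15550100001", "+15550100002", 0x00, 0x00),  # ordinary text
        # attack stage: SIM data download PID, class 2 8-bit DCS, unknown originator
        SmsEvent(at(300), "MT", "+15550100001", "+447700900123", 0x7F, 0xF6),
        # exfiltration stage: binary MO message the subscriber never composed
        SmsEvent(at(307), "MO", "+15550100001", "+447700900456", 0x00, 0x04),
        # second victim, same originator, class 2 written in the other DCS form
        SmsEvent(at(400), "MT", "+15550100003", "+447700900123", 0x7F, 0x16),
        SmsEvent(at(412), "MO", "+15550100003", "+447700900456", 0x00, 0xF4),
        # legitimate OTA update from the operator's platform: allowlisted, no hit
        SmsEvent(at(500), "MT", "+15550100002", "+15550199999", 0x7F, 0xF6),
        # SIM-bound message followed only by a text reply to a known contact: no hit
        SmsEvent(at(600), "MT", "+15550100001", "+447700900123", 0x7F, 0xF6),
        SmsEvent(at(610), "MO", "+15550100001", "+15550100002", 0x00, 0x00),
    ]


if __name__ == "__main__":
    for hit in find_silent_exfil_pairs(sample_events(), frozenset({"+15550199999"})):
        print(hit)
```

Run against the constructed log, the two attack/exfiltration pairs are reported and the operator's OTA update and the ordinary text reply are not. The point of decoding the DCS semantically rather than matching a byte is that 0xF6 and 0x16 both mean "class 2, 8-bit", so swapping encodings between samples does not evade the check; in production the known-peer history would come from weeks of CDRs rather than the same batch, and the allowlist from the operator's OTA platform inventory.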