OH GOOD. A NEWLY-DISCOVERED vulnerability that silently reveals your location data affects both Android and iOS phones, and there's currently no way to stop it.
Discovered by AdaptiveMobile Security, Simjacker is reportedly being exploited worldwide by an unnamed private surveillance company in association with governments. Best case scenario: it's tracking criminals. Worst case scenario: it's tracking "criminals" - which is to say: political dissidents and journalists.
"We are quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals," AdaptiveMobile Security writes in the report. "We believe this vulnerability has been exploited for at least the last two years by a highly sophisticated threat actor in multiple countries, primarily for the purposes of surveillance."
The reason it's so wide-reaching is that it doesn't take advantage of phone hardware but of legacy behaviour from the SIM card. It uses [email protected], which was originally designed to launch browsers, play sounds and trigger other actions on older phones. Back in the day, this would be used to send promotional offers or billing information through to customers.
The exploit involves sending a text message that contains instructions for [email protected], but these don't trigger any kind of notification on the device. Instead, they just elicit a response from the SIM: it silently sends an SMS with device IMEI number and location data back.
In most cases, targets - predominantly in North Africa, the Middle East, Asia and Eastern Europe - are tracked a couple of times per day, but the researchers spotted a couple of high profile targets that were pinged hundreds of times per week.
"These patterns and the number of tracking indicates it is not a mass surveillance operation, but one designed to track a large number of individuals for a variety of purposes, with targets and priorities shifting over time," the researchers wrote.
"We have observed devices from nearly every manufacturer being successfully targeted to retrieve location: Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards," the researchers told ZDNet.
The only positive from this is because the attack doesn't use regular SMS messages, the networks should be able to block the outdated data abusing their infrastructure. Until they do, however, you're potentially at risk with no recourse whatsoever. µ
Hype for HyperThreading
Hey kids, leave them iPhones alone
The Mac lady sings
Babel in yo ear