Cybersecurity experts raise alarm over new SIM jacking threat


HYDERABAD: A new kind of hacking threat targeting the SIM cards of smartphones is on the rise. Cybersecurity officials say there is still no method to detect this threat, and that millions of phones could be affected without their owners knowing.

The attack, called ‘Simjacker’ and discovered by UK-based Adaptive Mobile Security (AMS), happens when spyware code is sent to a mobile phone, which then hacks the SIM card and ‘takes over’ the mobile phone.

Explaining the vulnerability to Express, Global Cyber Security Forum’s chairman Sai Krishna said, “With this attack, anybody can get into anyone’s mobile, read messages, listen to the conversation and track real-time locations.”

Krishna added, “This attack happens as there is a vulnerability in the SIM Application Toolkit (STK), which hackers exploit by sending malicious code to it. The problem becomes serious as STK software either comes embedded with the phone or from the telecom provider.”

For the uninitiated, STK software is found in smartphones and is used to initiate actions for various value-added services, such as subscribing to caller tunes.

Unlike Google Play or iStore apps, over which a user has control, the STK software comes pre-installed, and users do not have control over it.

“If one downloads a malicious app from Google Play, antivirus software can detect it. However, as for STKs, there is no mechanism present in the public sphere to detect the threat. So, if someone hacks your device, there is no technology to detect it,” Krishna said.

The vulnerability has to be addressed by mobile phone manufacturers and telecom service providers, he said.

“Both the manufacturers and the service providers need to ensure that this vulnerability is patched,” he added. On October 3, AMS is going to disclose the full scope of this threat at a conference in the UK.

However, prior to that, AMS set the alarm bells ringing in a blog post with this teaser: “We are quite confident that this exploit has been developed by a specific private company that works with the government to monitor individuals.”

The New Indian Express
www.newindianexpress.com