
Who’s been watching my puppy?


Having set up petcams in my home to remotely monitor my new puppy’s behaviours with my 4G smart device when I am out, I was reminded about Shodan, the search engine that looks for IoT devices such as webcams and makes their streams available for viewing by anyone on the internet.

https://www.shodan.io/

Shodan collects data mostly on web servers (HTTP) as well as FTP, SSH, Telnet, SNMP, SIP, and Real Time Streaming Protocol (RTSP). The latter can be used to access webcams and their video stream.

Now, fortunately, I am not the type to go with default passwords, so I am pretty sure no one hacked into my PTZ cameras and peered around my house uninvited. But the point remains that today, most of the consumer devices that sit on the Internet under the IoT, M2M or Embedded Device umbrella are not designed to defend against the sophisticated hacks or threats that may attempt to compromise them.

See Kaspersky's comments entitled Internet of Crappy Things.

And while Shodan is possibly a dangerous tool, it is a good example of what could happen when devices with weak security are allowed to permeate and pervade our lives.

So what of the bigger promises of IoT: is it really the next technology trend that could change the world?

Forbes have collected the latest IoT forecasts and predictions from Forrester, Machina Research, WEF, Gartner and IDC:

http://www.forbes.com/sites/gilpress/2016/01/27/internet-of-things-iot-predictions-from-forrester-machina-research-wef-gartner-idc/#7426650c6be6

Gartner predicts spending on IoT services will reach $235 billion in 2016, up 22% from 2015.

IDC predicts that by 2018, 66% of networks will have an IoT security breach.

Will security concerns slow IoT adoption? Will IoT security become a significant component of security budgets?

With IoT applications spanning smart cities, intelligent buildings, agriculture, environment, utilities, medical, automotive and more, there is clearly a need to design security in from the start.

The overall security problem stems from the fact that these IoT devices:

  • May tend to go unchecked by humans for long periods of time

  • Are often designed for a long life but with limited upgrade potential

  • May be non-mobile and so difficult to access, service or repair

  • Are often less technically sophisticated than other smart devices so have less scope to build in security

So, with threats ranging from door and car hacking, through medical data being intercepted, right up to national security, and many if not most devices currently not designed from the outset to be secure from sophisticated threats, perhaps reducing the reliance on the devices' own security and pursuing a network-based approach is the way to go.

This too will overcome some of the immediate issues of IoT device security standardization currently emerging, such as Underwriters Labs refusing to freely share their new IoT cybersecurity standard:

http://arstechnica.co.uk/security/2016/04/underwriters-labs-refuses-to-share-new-iot-cybersecurity-standard/

Whilst IoT device security remains a difficult nut to crack, operators able to secure embedded devices directly on their networks today will undoubtedly be able to attract a large portion of the 50 billion IoT devices that Cisco predict will connect by 2020.

https://newsroom.cisco.com/press-release-content?articleId=1621819

…maybe by then IoT device level security will be less of a threat to us all.


Craigslist SMS Phishing


Craigslist, the online classified advertisements website, is not only the world’s most popular classifieds website but also one of the most popular websites on the internet. The site receives billions of page views every month and is in the top one hundred most visited websites in the world – the twelfth most visited website in the United States. When it was founded it provided the Internet with a much needed platform for advertising, selling and exchanging goods, and its emphasis on functionality over design made it the success story it is today. Craigslist does one thing, and it does it very well.

However, for many of the same reasons Craigslist is popular with the wider public, it is also very popular with scammers and fraudsters (any regular user of Craigslist will attest to this). Anywhere that people congregate, whether in the real world or online, is a haven for the malicious intent of such individuals and organisations. So it is no surprise that Craigslist is regularly targeted by nearly every scam in the book. In particular, and the topic of this blog, are the persistent attempts by scammers to defraud or steal personal and sensitive information from registered Craigslist account holders by sending phishing SMS text messages (sometimes referred to as SMSishing). A favourite social engineering technique amongst scammers, phishing is an effective way of prompting users to divulge their personal information; the SMS, in this context, is the “bait”, so to speak. It is also very likely that recipients of these spam messages are registered Craigslist account holders, as spammers have been known to harvest phone numbers directly from the Craigslist website.

These SMS phishing text messages take many forms. The most common of these forms are messages purporting to be:

1. From Craigslist - If the SMS phishing text message says it's from Craigslist (team, support team etc.), it will more than likely state something about unauthorised activity on the account or that the account has been blocked/suspended and needs to be verified by the user by logging into their account (from the link they provide in the message).


2. From other Craigslist account holders - If it purports to be from another Craigslist user, it will usually be a general enquiry about a listing (as shown below). In both cases, the SMS will nearly always contain a URL directing to a fake Craigslist login page. These URLs are craftily chosen to mimic an authentic Craigslist URL and will generally contain an abbreviated and tweaked form of the word craigslist, as can be seen in both examples below. It is more common to see SMS phishing attempts using the format illustrated in the second example below, as Craigslist users often post their phone numbers online and are used to receiving similar messages of this type on a daily basis. It is also more likely that users will be deceived by this. Also, if you look at the URL you can see that the URL contains the US state Alaska. Genuine Craigslist URLs will often contain a place name in the URL, such as http://anchorage.craigslist.org or http://newyork.craigslist.org.

If you were to click one of these URLs, you would see that these fake Craigslist login pages aren’t exactly the pinnacle of web design, but neither is the actual Craigslist login page for that matter. In fact, the Craigslist login page is far from sophisticated and is as basic as a webpage can be. This is a contributory factor in the popularity of Craigslist as a phishing target, because the webpage is so easily replicable. The first screenshot shows the real Craigslist.org login page and the image to the right shows a fake Craigslist login page; you’ll notice that there is little difference between the two. The only notable differences are the URLs, the word Craigslist in place of the official CL logo, a menu icon on the fake page which is not on the real page, and the use of a secure connection ("https", indicated by the little green padlock in the browser bar). One can understand how someone might fall for this, as these small irregularities can be easily overlooked.


Real Craigslist site v phishing site


These phished login details can be very lucrative for scammers for a variety of reasons - they wouldn’t run these campaigns if this wasn’t the case. Once they have these details they have access to the user’s Craigslist account. From here they can conduct various nefarious scams. Often they will use the account to send spam to other users on the site. Craigslist users whose accounts have been compromised have reported that their postings were hijacked and altered - likely to defraud the respondents of these postings and to post their own ads/spam. Masquerading as the victims of their phishing, one of their favourite methods is to arrange payment for an item through PayPal, sometimes sending fake PayPal payment confirmation emails for listings or other times sending links to PayPal phishing sites. These phished login credentials could also give scammers access to other accounts belonging to the user. For example, most Craigslist account holders use their email address as their username, and it wouldn’t be surprising if people used their email password as their Craigslist password (this is actually very common, as this one study showed). This will give the scammers access to their email account, and having access to someone’s email account can give them access to a whole host of other accounts.

At AdaptiveMobile, we block Craigslist SMS phishing messages on an almost daily basis and have seen a steady increase in the numbers of these messages being sent over the last few months. To give an example of the scale - last month we blocked several hundred thousand Craigslist related messages. The vast majority of these phishing messages originate from over-the-top (OTT) carriers or VoIP carriers. OTT carriers have become very popular with spammers in recent years – the majority of all spam blocked by us last month came from OTT carriers using SMS services. These services are favourites of spammers because they can send so-called snowshoe spam - spam that, a bit like a snowshoe, distributes the load over a large area to great effect (usually in short bursts - which makes blocking more difficult). The senders of these messages are very persistent and use thousands of phone numbers to distribute the spam to thousands of recipients. While there is no way to be certain, the targeted recipients of these messages could well be actual Craigslist account holders whose numbers have been taken directly from the official Craigslist site, as mentioned earlier in this blog. We have visualised in the past how spam differs between OTT carriers and 'traditional' mobile carriers, but while the mobile carriers have been clamping down on spam, the OTT carriers' spam levels have continued to stay high. Plus, with Craigslist apparently not proving very effective at tackling these scams either, it seems likely that Craigslist SMS phishing sent from OTT carriers will continue for some time.

If you believe that you have received a Craigslist phishing SMS, be sure to report it to your cell phone service provider (AT&T, T-Mobile) and analyse carefully any Craigslist text messages you receive. As a rule of thumb, Craigslist will never send unsolicited messages asking for account information or for you to log in to your account. Genuine Craigslist messages from other users containing a URL must have Craigslist.org in the URL (like the image below) and must land on the site Craigslist.org – Craigslist always uses this domain. If you are in doubt about a URL, check the URL on a site like Whois.com to see who the URL is registered with and on what date the site was created (phishing sites are normally only a few days old).
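The rule above ("must have Craigslist.org in the URL") is easy to get wrong if applied as a plain substring test, because a lookalike host can embed the genuine name as a subdomain or put it in the path. The following is an added example, not code from the blog, showing how a filter would check that the hostname's registrable domain is exactly craigslist.org; the sample URLs are constructed and the `.example` / `.test` hosts are placeholders, not real phishing domains.

```python
from typing import List
from urllib.parse import urlparse

# Assumption for this example: the only genuine registrable domain is
# craigslist.org; any subdomain of it (anchorage., newyork.) is genuine.
GENUINE_DOMAIN = "craigslist.org"


def hostname_of(url: str) -> str:
    """Lower-cased hostname; SMS links often omit the scheme, so add one."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: ignores suffixes like co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_genuine_craigslist_url(url: str) -> bool:
    """True only if the host is craigslist.org itself or a subdomain of it."""
    host = hostname_of(url)
    return host == GENUINE_DOMAIN or host.endswith("." + GENUINE_DOMAIN)


def suspicious_reasons(url: str) -> List[str]:
    """Explain why a URL that mentions craigslist fails the domain check."""
    if is_genuine_craigslist_url(url):
        return []
    host = hostname_of(url)
    reasons = [f"registrable domain is '{registrable_domain(host)}', "
               f"not '{GENUINE_DOMAIN}'"]
    if GENUINE_DOMAIN in host:
        # e.g. craigslist.org.<something>.example: the real name is a prefix
        reasons.append("'craigslist.org' is embedded in a longer hostname")
    elif GENUINE_DOMAIN in url.lower():
        reasons.append("'craigslist.org' appears only in the path or query")
    if "craigs" in host and GENUINE_DOMAIN not in host:
        reasons.append("hostname contains a lookalike of 'craigslist'")
    return reasons


# Constructed sample links, as they might appear in an SMS.
SAMPLE_LINKS = [
    "http://anchorage.craigslist.org/",                 # genuine
    "newyork.craigslist.org/post",                      # genuine, no scheme
    "http://craigslist.org.verify-login.example/",      # real name as prefix
    "http://example.test/craigslist.org/login",         # real name in the path
    "http://anchorage-craigs1ist.example/login",        # digit-for-letter lookalike
    "http://evilcraigslist.org/",                        # substring test would pass this
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = "GENUINE" if is_genuine_craigslist_url(link) else "SUSPICIOUS"
        print(f"{verdict:10} {link} {suspicious_reasons(link)}")
```

Whois age checking, as the paragraph suggests, complements this: the domain test above is cheap and offline, while registration date needs a lookup.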

If you believe that you have been a victim of a Craigslist Phishing scam, see https://www.craigslist.org/about/help/phishing for more information.

Anti-SPAM Day 2016


I enjoyed the recent video created by Snapple named "Telegraph spam" so much I wanted to investigate the historical basis of the video and verify what spammers in the 19th century had in common with spammers of today. First of all, what is spam? The word spam as applied to SMS, email and other types of messaging means "unsolicited and bulk". This is the normal industry definition used by the anti-spam community. The name spam is derived from a famous Monty Python sketch. For us in AdaptiveMobile, we see that the vast majority of spam text messages have what we call a 'call to action'. The call to action (CTA) is usually a URL, phone number or email embedded in the message. These calls to action are placed in the message so the sender or someone else can monetise or benefit from sending the message to the recipient. The use of a call to action has been a factor throughout the history of spam, not just for email and text messaging but for any form of messaging.

The first bulk and unsolicited telegraph was recorded in the 1860s. Promotional telegraph messaging became very popular in this decade with innovations such as booklets of telegraph stamps and contract messages for tradesmen. On January 2nd, 1862 the London District Company offered, for the first time, an offer called 'Trade Circulars by Telegraph' at a special trade rate of 100 messages for 20 shillings, a considerable discount from previous rates. This new discount, which presumably brought down the price to a level at which it was economic to send the unsolicited advertising/spam, encouraged Maurice and Arnold Gabriel, trading as "Gabriel, the Old Established Dentists", to send out bulk advertising telegraphs about their practice to a large number of people, including some government ministers, on May 29th, 1864. The first recorded complaint of a mass unsolicited commercial telegraph was reported the next day, on May 30th 1864, when a British Member of Parliament had a letter printed in the Times newspaper:

If we were to apply the techniques we use to analyse the telegraph, which was thankfully included by the Member of Parliament, the call to action in this message is the dentists Messrs Gabriel's address, 27, Harley-street, Cavendish-square, and their opening hours as cited in the complaint letter.

Today the spam landscape has changed in many ways, but some elements remain the same. Here in AdaptiveMobile we work every day identifying new spam campaigns over mobile messaging. The situation currently in North America is that the vast majority of bulk and unsolicited SMS/MMS spam messages come from what we term VoIP or OTT carriers. Some everyday examples of spam we see originating from VoIP carriers follow; in these examples the call to action is the URL:

What do I mean by VoIP carriers? VoIP carriers are not the traditional mobile carriers, but small companies providing SMS or MMS connectivity to businesses or individuals using APIs. The messages sent via these methods are far more likely to be spam than messages from ordinary carriers. To give an example from analysis we carried out on spam rates from the 19th to 25th of May 2016, we can see that in the US and Canadian market a message from a VoIP carrier is over 1,400 times more likely to be a spam message than a message from the main big 8 carriers in North America. This is a consistent feature of mobile messaging spam in North America. We can even easily see, visually, the difference between spam that comes from VoIP carriers and spam that comes from ordinary carriers.

Why is it more likely to receive a spam message from a VoIP carrier rather than a traditional carrier in North America you may ask?

1. VoIP carrier APIs - Many VoIP carriers offer their customers an API where they can freely acquire and discard phone numbers. Thus when one phone number is blocked by an operator due to spamming activity, the spammer can easily acquire a new phone number. With 'traditional' mobile carriers, APIs are not offered and changing phone numbers is nowhere near as simple as with the VoIP carriers: with traditional carriers you have to buy new SIM cards or get a new phone to acquire a new number.

2. Ability to send snowshoe attacks - Like a snowshoe, spammers can distribute the spam load over a large number of senders to great effect (usually in short bursts - which makes blocking more difficult), in order to avoid subscriber reputation blocking and other filtering. This is one of the reasons the majority of all spam blocked by AdaptiveMobile last month (and for many months) in North America came from OTT carriers using SMS services. With the availability of the APIs, persistent spammers can quickly and easily discard numbers blocked due to spam activity and acquire fresh numbers to sustain or restart an attack.

3. Message filtering - Many VoIP operators may not have sophisticated message detection and blocking systems active. Instead they may just have simple volume-based systems that are easily circumvented by spammers.
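The call-to-action idea introduced at the top of this post, and the snowshoe pattern described in point 2 (many sender numbers, short bursts, per-number volume kept low), together suggest a detection that a simple volume-based filter misses: key on the CTA rather than the sender. The block below is an added example, not AdaptiveMobile's code; the thresholds, the regexes and the message log are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed thresholds: one CTA seen from MIN_SENDERS or more distinct sender
# numbers inside WINDOW is treated as a single snowshoe campaign.
MIN_SENDERS = 4
WINDOW = timedelta(minutes=15)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(
    r"(?:https?://|www\.)\S+"
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|cash|co|io)(?:/\S*)?",
    re.I,
)
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)")


def extract_ctas(text: str) -> List[Tuple[str, str]]:
    """Return (kind, normalised value) for each call to action in a message.

    Emails are pulled first so that 'example.com' inside an address is not
    also reported as a URL; URLs are lower-cased and stripped of trailing
    punctuation; phone numbers are reduced to digits.
    """
    ctas = []
    for m in EMAIL_RE.finditer(text):
        ctas.append(("email", m.group(0).lower()))
    rest = EMAIL_RE.sub(" ", text)
    for m in URL_RE.finditer(rest):
        ctas.append(("url", m.group(0).rstrip(".,;:!?").lower()))
    rest = URL_RE.sub(" ", rest)
    for m in PHONE_RE.finditer(rest):
        ctas.append(("phone", re.sub(r"\D", "", m.group(0))))
    return ctas


def find_snowshoe_campaigns(log: List[Tuple[str, str, str]]) -> Dict[str, Dict]:
    """Group messages by CTA and flag CTAs spread across many senders quickly."""
    by_cta = defaultdict(list)  # (kind, cta) -> [(timestamp, sender), ...]
    for ts, sender, text in log:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        for kind, cta in extract_ctas(text):
            by_cta[(kind, cta)].append((when, sender))

    campaigns = {}
    for (kind, cta), hits in by_cta.items():
        hits.sort()
        # Sliding window: most distinct senders seen within WINDOW of any hit.
        best = 0
        for i, (start, _) in enumerate(hits):
            senders = {s for t, s in hits[i:] if t - start <= WINDOW}
            best = max(best, len(senders))
        if best >= MIN_SENDERS:
            campaigns[cta] = {
                "kind": kind,
                "messages": len(hits),
                "distinct_senders": len({s for _, s in hits}),
                "senders_in_window": best,
            }
    return campaigns


# Constructed sample log (timestamp, sender, text); not real traffic.
SAMPLE_LOG = [
    ("2016-05-20 09:00:10", "+15550001001", "Make $734/Day after Brexit! http://promo.example/win ReplyToStop"),
    ("2016-05-20 09:01:42", "+15550001002", "Look, here is a simple way: http://promo.example/win"),
    ("2016-05-20 09:03:05", "+15550001003", "Forget Brexit, I WILL MAKE YOU $100,000! http://promo.example/win"),
    ("2016-05-20 09:04:59", "+15550001004", "Canadians earn daily: HTTP://promo.example/win."),
    ("2016-05-20 09:06:30", "+15550001005", "Simple way to earn. http://promo.example/win"),
    ("2016-05-20 09:07:00", "+15550001001", "Reminder: http://promo.example/win"),
    ("2016-05-20 09:10:00", "+15550002001", "Your dentist appointment: call 27 Harley St on (555) 010-0199"),
    ("2016-05-20 12:00:00", "+15550003001", "Hi, is the bike on your listing still available? me@example.com"),
]

if __name__ == "__main__":
    for cta, info in find_snowshoe_campaigns(SAMPLE_LOG).items():
        print(cta, info)
```

Each sender in the sample sends only one or two messages, so a per-number volume threshold never fires; the shared URL is what ties the burst together. In production the CTA would also be normalised past URL shorteners and lookalike domains, which this example does not attempt.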


The original complaint about the first known telegraph spam occurred 152 years ago this week, and in one sense we could regard this event as the beginnings of the anti-spam industry. It is clear that the same situation, then and now, drives the formation and growth of messaging abuse. Once the economic factors make it attractive to send bulk, unsolicited messaging via a technology, then there are individuals and businesses that will abuse it. However, if the years of dealing with spam have taught us one thing, it is that the ultimate deterrent is addressing the economic factors. This can be done via regulatory methods (fines, convictions), but normally the most effective methods are via:

  • Technology: Creating advanced filters stopping the attacks before they are sent and so making the return on investment too low to justify staying in the ‘business’.
  • System change: Looking at the underlying technology and closing any loopholes that make it overly attractive to send spam from.
  • Education: Telling users what these attacks are about and making them aware of the dangers.

Taken together, and once taken seriously, these methods have a far greater chance of success than relying on any one method alone, as they make the economic reasons for sending spam less attractive. What is interesting is that this very first telegraph spam involved members of the government trying to appeal to newspapers to change social behaviours and what they described as the "intolerable nuisance" of unsolicited messages. We can see from the history of spam that a certain percentage of people will abuse a technology if it is economically advantageous to do so, regardless of social norms. The only answer is to take action to stop it. Little did the readers of the Times on May 30th 1864 know that over 150 years later, we would still be dealing with the legacy of “Messrs Gabriel” and the "intolerable nuisance" of spam.

Gotta Spam ‘em All - Pokémon GO Spam


Over the last few weeks Niantic’s location-based augmented reality game Pokémon GO has rapidly become something of a world phenomenon. It is now one of the world’s most popular mobile applications – recently reaching over 100 million downloads. While this explosion in popularity may be good for the developers of the game, it makes fans of the game far more vulnerable to cybercrime. At AdaptiveMobile, we are used to seeing spam that is topical and in line with current affairs. Any time an issue captures the public’s attention, spammers will often try to capitalise on this popularity by sending spam containing content related to that issue. For example, after the recent “Brexit” referendum in Britain we observed lots of “Brexit” spam (which played on the fears many had about the economic effects of Brexit). Similarly, since the release of Pokémon GO we have seen a lot of spam related to the app.

Brexit Spam

"Forget Brexit,I WILL MAKE YOU $100,000 IN THE NEXT DAYS!Or I'll pay you $10,000! http://dyn.co/xxxxx SupportOurCause: http://dyn.co/xxxxx ReplyToStop "

"Look Adison, Here Is a Ridiculously Simple Way That Canadians Can Make 734$/Day After The Brexit! http://xxxx.Cash/BrexitDay"


The largest Pokémon GO SMS spam campaign we observed was a set of messages sent to subscribers trying to entice them to visit a website called Pokemonpromo.xxx. Thousands of SMS messages containing a URL to this website were sent to North American subscribers. The website is a sophisticated phishing site that closely mimics the real Pokémon GO site. It claimed to provide the user with additional features in the game if they referred 10 of their friends (likely in order to spam them as well). This website is no longer active and has been flagged as a phishing site.

Pokemonpromo SMS Message

Pokemonpromo Landing Page

Another Pokémon GO spam campaign offered 14,500 Pokecoins (a type of virtual Pokémon GO currency used for in-app purchases) when you collect 100 points. The messages contained Google URL-shortened links leading to multiple spam web sites – some of which were Pokémon GO related and others which weren’t. A similar campaign offered a giveaway of Pokecoins on a web site called pokemon.vifppoints.xxxx (and other variations of this URL), where it also prompted visitors to the site to share it with five of their friends. A phishing website called "Pokemon Generator" attempts to lure Pokémon GO users into giving their login details so that Pokecoins can be added to their accounts. Links to these sites aren't only being distributed by SMS - they have appeared on social media sites and Pokémon forums as well.

Pokecoins SMS Spam Messages

Pokecoins SMS Spam Landing Pages


It is likely that we will continue to see Pokémon GO spam for some time - at least until the hype around the app recedes. Until then, users of the app should apply caution when visiting web sites containing content about Pokémon GO. Be wary of any unsolicited SMS messages you receive mentioning the app - particularly if the message contains a URL, as this may lead to a phishing web site or a site containing malware.

Thanks also to Mallesham Yamulla for research and contribution to this blog.

Robbed in Broad Daylight – SMS Identity Theft



As I scroll back over the recent SMS history on my mobile phone I see that a number of companies ranging from banks and e-tailers, to social networks have contacted me with automated messages. 

These Application to Person (A2P) SMS messages are meant to increase the efficiency of their business and crucially, the security of their services.

But ironically, with the rise of these A2P SMS messages, sent for purposes such as new service activation, two factor authentication (2FA) and password reset, comes the opportunity for another avenue of cybercrime exploits…SMS Identity Theft!

Identity theft is the deliberate use of someone else's identity, usually as a method to gain a financial advantage or obtain credit and other benefits in the other person's name. One aspect of identity theft is to steal a user’s details for online account access.  Some example SMS messages we have seen at AdaptiveMobile include (some brands redacted):

This approach, using SMS messages that resemble legitimate enterprise A2P messages, is becoming an increasingly brand-damaging trend for many businesses, so much so that they are being driven to invest in broad consumer education through mainstream media advertising.

For example, Barclays Bank have now created a broadcast TV information advert which is also up on YouTube on the official Barclays channel at:

http://www.youtube.com/watch?v=XIKC8pKFol0

The advert shows how easy it is to become a victim of such A2P SMS fraud. It is not surprising how successful these scams can be as they often take advantage of new creative approaches, using confidence tricks to encourage some individuals into giving away their private information.

Such social engineering techniques clearly play a big role in delivering effective attacks by criminals. AdaptiveMobile continue to identify and block hundreds of thousands of attempts daily through our Messaging Protection solution deployments across the globe. For example, the following is a visualisation of such attacks occurring in the US using real life data, and highlights both the volume and sophisticated nature of these attacks. Visualizations of these messaging attacks demonstrate the effectiveness of these fraudulent manipulations, and illustrate the clever timings used that are designed to defraud unsuspecting consumers into divulging their personal banking access credentials.

Snapshot 1 - Psychological Manipulation: Attack “loops” show high volume of attack traffic appearing to come from local legitimate bank branches.

Snapshot 2 - Clever Timing: Attacks are seasonal - when banks’ helplines are often closed

In this attack, messages from local numbers appear more genuine to unsuspecting individuals. This then combined with closed customer helplines over national holidays increases the likelihood of a response - just what the criminals need to increase their success rate and ROI.

The use of legitimate A2P SMS by customer contact services such as the banking community has become commonplace. From individuals to enterprises to mobile operators, we now all need to be vigilant and take precautions to protect ourselves from the nefarious cybercriminals exploiting the growth in this type of communication.

iCloud, iHack, iSpam


While on a trip to New York City you might find yourself walking down 5th Avenue peering into the windows of designer stores such as Coach, Prada, Louis Vuitton, and Gucci to view mannequins wearing the latest clothing, sunglasses and of course – the latest handbag. The purse in the store probably costs more than your plane ticket to NYC, so you opt to pick up a less expensive counterfeit one from a stand around the corner for around $100. You know it’s fake, but you also know that from afar, most can’t tell the difference. The purveyors of these counterfeit luxury goods have the billion-dollar market cornered, and from what AdaptiveMobile can tell, they are trying to expand their aggressive advertising methods into that rising star of consumer markets: China. In doing so, they have uncovered a significant new method exploiting the way that the Apple iPhone operates with other devices.

The Attack

While AdaptiveMobile deals in multiple types of SMS abuse like account phishing and loan scams, one ongoing campaign in particular has caught our attention.  We have been investigating a trend that has surfaced in recent months involving counterfeit goods messaging spam being sent from North American phone numbers to recipients in China.  These messages usually contain references to inexpensive Prada and Coach Handbags as well as other luxury products.  Examples of these types of messages include:

原单正品微信:18302028123
(Translation: Original factory-run genuine goods. WeChat: 18302028123)

❗奢侈品代工厂原单世界名包,LV,普拉达,香奈儿 ❗爱马仕,巴宝莉等等,工厂一手货源, ❗每件产品都是高端品。
(Translation: ❗ Luxury-brand OEM factory original-run world-famous bags: LV, Prada, Chanel ❗ Hermès, Burberry and more, sourced direct from the factory ❗ every item is a high-end product.)

❗拒绝高仿货,地摊货。 ❗长期招代理支持一件代发, ❗绝对正规广告!    ✅原单正品微信:18718881838
(Translation: ❗ No knock-offs or street-stall goods. ❗ Agents wanted long term, single-item drop-shipping supported ❗ Absolutely legitimate advertisement! ✅ Original factory-run genuine goods. WeChat: 18718881838)

✅【支持品牌实体店验货】  绝对正规广告如有打扰,敬请谅解 646014B1-9DF3-4C5B-A5A8
(Translation: ✅ [Goods can be verified at brand stores] Absolutely legitimate advertisement; apologies for any disturbance. 646014B1-9DF3-4C5B-A5A8)

Some screenshots of what these scams look like:

From our investigation, and with the help of our carrier partners, we believe that the vast majority of these spam messages have been sent using various models of iPhone, and in particular, by hackers using stolen iCloud account credentials to exploit the ability to send iMessages and SMS remotely.   

To recap, this spam campaign has been ongoing for several months, but in many cases does not match the standard method of sending SMS abuse in that it is persistent, widely distributed, and the senders are, as far as we could determine, predominantly iPhone users that did not exhibit prior spamming behaviour. The timing of when the messages were sent was erratic, but the recurrent nature of the pattern triggered our deeper investigation. We have seen these messages originate from most of the major telecom operators in North America. We have also found reports of many customers noticing that messages to and from China, using both iMessage and SMS, have appeared within their Messages app.


Attack Execution

After much investigation over the past few months, we believe with a high certainty that the attack is actually being executed via compromised iCloud accounts.  We believe the steps to reproduce this spam campaign are as follows:

  1. Hackers obtain compromised iCloud account credentials from various sources (for example: company data breaches, dark web forums, and phishing campaigns)
  2. The hacker uses the stolen credentials and with them signs onto an Apple device of their own (Mac, iPod, iPhone, iPad, etc.).
    • The user who owns the credentials will receive a brief notification on their iPhone that a new device has been paired, like the following. However the notification may be missed by the unsuspecting user, and the notification itself does not have an option to stop access
  3. The hacker then sends spam messages to recipients in China using iMessage.
  4. If the end recipient in China does not have a data connection at the time (i.e. has iMessage enabled on their iPhone but does not have a data connection through a 3G/4G or WiFi network), the original message is “downgraded” to SMS and sent to the end user.  At this point, the message is sent via SMS from the associated user’s device to Chinese handsets.
    • After much experimentation, we were able to recreate an environment (see below, or here) where the sending iPhone device was remotely controlled and the recipient’s iPhone device was unavailable for iMessage, causing the iMessage to be downgraded to SMS. There is a sizeable delay before the SMS is sent, but the end result is an effective delivery of spam.
    • This loss of data connection is common in China as many Chinese users disable their data connection when not used as data can be relatively expensive for the average user.
  5. Some (irate) recipients in China will then respond to the originator iPhone either via iMessage or SMS, leading to the originator thinking that they are getting 'spammed'.

We have captured a demo of the usage of the Send via SMS feature here, showing how the message gets downgraded to SMS and eventually gets sent:

How the Messages are sent from your iPhone

One key question is how exactly the attack is done within the iCloud system. The SMS are being sent using the "Send as SMS" service.  This is different from the "Text Message Forwarding" service, which is available through the Continuity feature and is what most people are familiar with. However there are key reasons why the Send as SMS service is used.

Send as SMS is a fall-back method in case iMessages can’t be delivered through a data link. After a certain timeout period of unsuccessful attempts, the messages are converted into text messages and sent from an iPhone with this option enabled that is associated with the same account. Text Message Forwarding enables a user to send SMS to anyone from a secondary Apple device linked to your iPhone. The recipient is not limited to iMessage users. The process includes authentication (a PIN is required), which requires somebody to interact with the iPhone sending the SMS.

So the key difference is:

  • ‘Send as SMS’ is limited to iMessages where both parties have iMessage accounts; for 'Text Message Forwarding', the recipient can be anyone.
  • ‘Send as SMS’ doesn’t require the spammer to interact with the linked iPhone, while 'Text Message Forwarding' requires the hacker to interact with the linked iPhone in order to link up an extra device.

With this distinction, you can see that while Send as SMS is more limited in that the recipient must be an iPhone user, it does not require any two-factor authentication to be intercepted on a secondary device and thus is a very powerful attack method. Another point is that the attackers probably don't care whether the spam they 'inject' into the users' accounts is sent via iMessage or SMS, as long as it is successfully delivered. It is, however, damaging to the user whose account was compromised.

These messages are then sent rapidly in bulk, leading to the conversation list in the account owner's iPhone Messages app showing sent messages which they did not personally send:


Overall Impact

Having shown how the attack is done, we can now discuss the impact. As well as users having their accounts hacked and used to send iMessages and SMS, there are several other consequences. First, the sender is likely to be hit with sizable bills for any large number of SMS messages sent to China. Second, they are technically breaking a typical operator’s terms and conditions by sending spam in the first place (with or without their knowledge), and as a result are liable to have their service downgraded or even terminated. Finally, the sender is likely to receive complaints and abuse from those who have received the spam from the compromised iCloud account.

Going into the numbers, we can confirm that the number of affected subscribers is sizable. In the months of July and August, AdaptiveMobile detected over 280k SMS messages matching these patterns being sent from North American carriers to China, from over 3,200 subscriber phone numbers - each one a person who likely had their iCloud account hacked. The sending rates per phone number varied; some of these senders were detected sending thousands of messages, leading to a potentially sizable bill.

One interesting additional point to note is that North American numbers may be especially attractive to use, as Chinese mobile numbers look very similar to North American numbers. The recipient in China will not easily see a difference on their handset when they receive the message and thus will likely think that the message came from another user in China.

Numbering Formats (Same Number of Digits)

  North America (NANPA): Geographic and Mobile    China Mobile Numbers
  1-XXX-XXX-XXXX                                  1XX-XXXX-XXXX
                                                  (leading +86 typically removed by handset)

It’s important to remember that iMessage (and domestic SMS) spam targeting Chinese subscribers has been active for some time. But as we have covered before, there has long been a trend to use international senders, because the Chinese operators and the government punish domestic spammers heavily. It is much harder for them to deal with spam from international SMS sources and from iMessage, which makes this method much more attractive.

While we have detected and tracked this from North America, there is strong evidence that other geographies have been affected as well, as users in other parts of the world have also reported this.


Stopping the Attack

Discovering how the attack happens is only the first part of the multi-pronged solution that will be needed to stop it. While AdaptiveMobile is capable of blocking the spam once it is converted to SMS, the ultimate fix is customer education and improvements to iCloud security. In the end, defeating these scammers will take a community effort – not just from Apple, but also from telecom operators and consumers.

Operators can protect their customers from unusual spikes in international traffic; Apple can, and does, recommend using strong passwords and two-factor authentication on accounts; and consumers should learn about and take ownership of their personal security, paying particular attention to login alerts from new devices. In the future, Apple should look at ways to further secure iCloud accounts; one potential way would be to ensure that newly paired devices are vetted.
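As an added illustration (not code from the original post) of the operator-side check mentioned above, the Python below classifies numbers by the two shapes in the numbering table earlier in the post and flags North American senders whose SMS to Chinese mobile numbers burst within a short window. The log lines, window and threshold are constructed assumptions.

```python
"""Rate-based check for SMS bursts from North American numbers to Chinese mobile
numbers. Added illustration; log lines, window and threshold are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Number shapes from the table: NANP is 1 + 10 digits; a Chinese mobile number is
# 1XX + 8 digits once the +86 country code has been removed.
NANP_RE = re.compile(r"^1\d{10}$")
CN_MOBILE_RE = re.compile(r"^86(1\d{10})$")


def normalize(number):
    """Keep only the digits of an E.164-style number ('+', spaces, dashes dropped)."""
    return re.sub(r"\D", "", number)


def classify(number):
    """Return 'nanp', 'cn_mobile' or 'other' for a dialled number."""
    digits = normalize(number)
    if NANP_RE.match(digits):
        return "nanp"
    if CN_MOBILE_RE.match(digits):
        return "cn_mobile"
    return "other"


def as_displayed(number):
    """Digits a Chinese handset would typically show: +86 dropped for a domestic
    number, while a NANP number keeps its leading 1, so both are 11 digits."""
    digits = normalize(number)
    match = CN_MOBILE_RE.match(digits)
    return match.group(1) if match else digits


LOG_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(lines):
    """Yield (timestamp, sender, recipient) from 'ISO-time sender recipient' lines."""
    for line in lines:
        match = LOG_LINE_RE.match(line.strip())
        if match:
            stamp = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S")
            yield stamp, match.group(2), match.group(3)


def flag_bursts(lines, window=timedelta(hours=1), threshold=5):
    """Return {sender: peak count} for NANP senders whose SMS to Chinese mobile
    numbers reach `threshold` inside any sliding `window` (assumed values)."""
    per_sender = defaultdict(list)
    for stamp, sender, recipient in parse_log(lines):
        if classify(sender) == "nanp" and classify(recipient) == "cn_mobile":
            per_sender[sender].append(stamp)
    flagged = {}
    for sender, stamps in per_sender.items():
        stamps.sort()
        start, peak = 0, 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[sender] = peak
    return flagged


# Constructed sample: one sender bursting to +86 numbers within ten minutes, one
# sender with ordinary traffic, and one Chinese-number sender that is out of scope.
SAMPLE_LOG = [
    "2016-08-03T09:00:01 +12025550143 +8613912340001",
    "2016-08-03T09:01:12 +12025550143 +8613912340002",
    "2016-08-03T09:02:30 +12025550143 +8613912340003",
    "2016-08-03T09:04:05 +12025550143 +8613912340004",
    "2016-08-03T09:06:48 +12025550143 +8613912340005",
    "2016-08-03T09:09:59 +12025550143 +8613912340006",
    "2016-08-03T09:03:00 +14155550199 +8613912340007",
    "2016-08-03T09:05:00 +14155550199 +12125550100",
    "2016-08-03T09:07:00 +8613800000000 +8613912340008",
]

if __name__ == "__main__":
    for sender, count in flag_bursts(SAMPLE_LOG).items():
        print(f"{sender}: {count} SMS to China inside one hour")
```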

In the interim, if you believe that your account has been hacked and is sending messages you don’t recognize, there is some advice online. However, we also recommend performing the steps below:

To deactivate:

1) Go to https://appleid.apple.com and log in using your iCloud account
2) Change your password
3) Unlink any devices that you don’t recognize


You could also help by never buying a counterfeit handbag, whether that be in Beijing, New York or online!

Many thanks to Yicheng Zhou and Abhijith Pillai for contributing to this blog

iCloud Attacks Expand


iCloud account hacks on celebrities - such as Pippa Middleton - have been in the news again in the last few weeks. While these attacks often generate attention when they arise, and make people aware of the personal information they are storing on iCloud, there is another, much larger ongoing campaign using hacked iCloud accounts over the last few months that iPhone users should be aware of. We reported on this problem of hacked iCloud accounts being used to send SMS a few weeks ago. Since that time there have been several changes, and the number of people impacted by this has increased hugely.

To recap, the problem is due to attackers accessing people's Apple iCloud accounts - probably through social engineering or by guessing the password to the account - and the iPhone that is paired to the iCloud account then being used to send large amounts of iMessage spam to Chinese iPhone recipients. While iCloud hacks are nothing new, the real problem in this case revolves around the way that Apple have implemented the Send as SMS feature, specifically that this feature is used if the recipient iPhone is no longer reachable via iMessage, so SMSs are sent instead. This causes financial impact to the person who owns the account, as well as the inconvenience of simply having their iCloud account hacked.

In a nutshell, iCloud accounts are being hacked, and the iPhone attached to the hacked account is then being used to send iMessage spam to Chinese iPhone recipients. But if the Chinese iPhone recipients are not connected to the data network, the iPhone attached to the hacked iCloud account will send the iMessage as a SMS instead, without any ability for the user to stop it. 

How the Attacks happen

  1. While the exact method by which the attackers gain access to the iCloud accounts has not been proven, it is probable that the hackers first obtain compromised iCloud account credentials using various known methods, such as phishing campaigns, password guessing or some other means. The hacker then uses the stolen credentials to sign onto an Apple device of their own (Mac, iPod, iPhone, iPad, etc.). An example of an SMS phishing message for iCloud looks like the following:
  2. Once the hacker has the login details, they will log in and attach a new Apple device to the iCloud account. The user who owns the credentials will receive a brief notification on their iPhone that a new device has been paired, like the following; however, the notification itself does not offer an option to stop access.
  3. The hacker then sends spam messages to recipients in China using iMessage.
  4. If the end recipient in China does not have a data connection at the time (i.e. has iMessage enabled on their iPhone but no data connection through a 3G/4G or WiFi network), the original message is “downgraded” to SMS and sent to the end user. At this point, the message is sent via SMS from the associated user’s device to Chinese handsets.

This video here shows exactly what is occurring for step 4, and how the sending message gets converted from iMessage to SMS:


The overall impact of this, as we covered, is as follows:

  1. The iCloud account has been compromised and the iPhone associated with the account is being used to send iMessage/SMS spam, prompting angry responses from those in China who receive the messages.
    • Incidentally, this sometimes causes confusion for those whose account has been attacked, giving them the impression that they are receiving the spam messages, as they did not send the messages manually themselves.
  2. The user may end up paying to send potentially thousands of these SMS messages to China, causing a huge bill. This varies depending on the user's plan and carrier, but to give one example it may cost them $0.20 per SMS message sent. Some devices have been recorded sending thousands of messages, so this bill could be sizable.
  3. The possibility that they may have their service disconnected by the mobile operator for sending spam SMS messages.
  4. There is also the fact that the iCloud account itself has been hacked/compromised, meaning the attackers may have access to any information in the account.

Increasing Impact

In our initial blog, we reported that:

  • we had seen over 3,200 phone numbers in North America affected in July and August, and these had sent over 280k spam SMS messages, along with an unknown number of iMessage spam.
  • Since then, however, there has been a large escalation in sending activity. Cumulatively (including July and August), by mid October we had detected over 11,500 phone numbers sending these messages, which had sent over 750k SMS messages.

To show this, the top graph below is a moving average of total SMS spam activity from these iPhones detected within our customer operators in North America. You can see that the number of messages peaked in mid-September, and since then the overall volumes have declined. However, in the bottom graph, again using a moving average, we can see that the number of active senders per day peaked later - at the end of September/start of October - and has actually remained higher than it was before the increase in mid-September.

This indicates that the spammers are now sending fewer spam messages per hacked account, presumably to improve effectiveness and avoid detection. It also shows that even though spam volumes and the number of spam-sending iPhones have declined from their peak, there is still an upward trend in compromised iCloud accounts and their associated iPhones. While numbers have declined since the spikes, the problem remains.

Indeed, even though the statistics above are from North America, you don’t have to look far to see evidence of people having their iCloud account hacked and iMessages being sent worldwide, with reports of people being affected in the UK and Singapore. iCloud accounts being hacked to send spam messages to China is a global phenomenon.

New Attacks

The other major change is in the type of messages being sent. Whereas originally the scams being sent were mostly aggressive advertising campaigns trying to sell counterfeit goods, now we are seeing many more spam campaigns featuring gambling websites. The content of these messages is often of the following format:


And their purpose is to direct the users to gambling websites, like the following:


The fact that there are now multiple different spam ‘campaigns’ is also worrying. This means that the criminals who gain access to the iCloud accounts and send these messages may now be diversifying, or offering their service to cover different types of spam. Whereas at the start it was fake goods, now it is being expanded to also include gambling advertisements. This is always a sign that attempts are being made to broaden the scope of what can be done with these hacked iCloud accounts.

Destination of the Attacks

The target for these attacks is still Chinese recipients; in fact it is quite interesting to plot the recipient numbers by the province in which they are registered. To give some background, in China, as in North America, mobile numbers are allocated in ranges to the province in which they are registered. Using this method, we can plot out the main geographic focus of the attacks.

As in the US, this is not the phone’s actual location, but it is a good guide to which areas are the primary focus. While the attacks are generally spread out by region, we can see that the largest numbers are targeted at iPhones registered with phone numbers from Guangdong province in the south. This province is China's most populous, but it is targeted much more than would be expected. One reason could be that Guangdong borders Macau and Hong Kong. This fits the pattern of the recent change in iMessage spam to include advertising of gambling sites, as most, if not all, of these are based in Macau. While gambling is officially illegal in China, Macau's gambling industry is many times the size of Las Vegas, and so iPhone users from Guangdong may be disproportionately targeted because the spammers want to focus on people from neighbouring areas.


This geographic focus obviously means that the spam attacks are not random, which is another indication of the sophistication of the attacks. The purpose of the attacks in the first place is to send spam to Chinese iPhone subscribers, and so the ability to tailor the spam to certain regions means that the attackers can offer specific services for any spam they want to send in the future. We have covered before the outsourcing of SMS spam sent to China to US devices, due to the attraction of sending spam from external sources and the difficulty of sending spam within China, and this type of attack is an extension of that.


What to do if you’re Spamming

We previously covered some recommendations if you suspect that your iCloud account has been attacked and your phone is sending these messages, so here they are again:

1) Go to https://appleid.apple.com, login using your iCloud account

2) Change your password

3) Unlink any devices that you don’t recognize

To this we can add: contact Apple if you are in any doubt (via social media or directly; their Twitter support handle is @AppleSupport), as they can explain and help you deal with the problem, and would be the primary source of information on what to do.

To prevent being hacked in the first place, there are also two other main recommendations:

  1. It’s most likely that the attackers are getting access to the accounts by guessing the password or by using phishing techniques. So always use strong passwords, and always be careful if you are asked for your Apple login details in suspicious emails, text messages or websites.
  2. Enable two-step verification on your account. Details on how to do this are here; this means that future attempts to attach new devices will need to be verified by you. Note this procedure is different from two-factor authentication.

Finally, while mobile operators can detect and block these attacks when they switch to SMS, there is actually little more they can do, as the source of the attack is the iCloud accounts attached to iPhones. Instead, responsibility primarily lies with people to make sure they protect their account as much as possible, and with Apple to ensure that these attacks using hacked iCloud accounts can’t happen. The first is easier said than done, however, as in many cases the iCloud account access may have been obtained through a variety of methods: social engineering, weak passwords or leaked account details. For the second, the best recommendation is to alert Apple when your iCloud account is hacked into, to make sure that they take action on their side to improve security in the future, so that if accounts are hacked the account owner's device cannot be used to send spam and the owner does not suffer financial damage.

Many thanks to Yicheng Zhou and Abhijith Pillai for contributing to this blog

President-elect Spam


Like him or loathe him, Donald Trump is one of the main news stories at the moment. He also seems to be generating interest from spammers. We at AdaptiveMobile released a blog last year showing how spammers will capitalize on any issue that captures the public attention by sending related spam. Prior to the inauguration on the 20th of January we examined traffic to see whether there was any President-elect Trump related spam. Over the last few months we’ve seen President-elect Trump’s popularity being capitalised on by spammers, who are sending spam SMS from VoIP operators that use the Trump name or brand.

Campaign 1: President Trump Loans

The main and largest Trump-related spam campaign we saw over the last 2 months was sent via aggressive SMS to subscribers in relation to online loans. This is a long-running spam campaign that has only in the last few months incorporated a claimed Trump endorsement. You can see some sample messages in the image below:

The URL embedded in the SMS redirects to an aggressive loans website, shown below. Note there is no mention of Trump on the website, indicating that the attack is not actually built around the Trump 'brand'; it is only the text message that uses it (so far).

In one of our North American mobile network customers, we could see that this loan campaign targeted all 50 states and Washington DC. There were over 60,000 messages sent from VoIP operators, each of which mentioned President-elect Trump. While these attacks were blocked, to see if there were any patterns to those who were targeted, we calculated how many people per state were targeted by a spam message from this campaign. To calculate this we divided the population of the state by the total messages targeted to the given state. Note: the destination state was determined by the area code of the attempted recipient of the spam.
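Added example, not the post's own analysis code: the per-state normalisation described above, keyed on the recipient's area code, with the area-code map, the message counts and the population figures (rough round numbers) all constructed for illustration. It contrasts the raw ranking with the people-per-message ranking, since the two can order the states very differently.

```python
"""Per-state, per-capita view of a spam campaign keyed on the destination area
code. Added illustration; the area-code map, populations and counts are constructed."""
import re
from collections import Counter

# A handful of NANP area codes and the state/district they belong to.
AREA_CODE_TO_STATE = {
    "212": "NY", "718": "NY",
    "213": "CA", "415": "CA",
    "202": "DC",
    "304": "WV",
    "307": "WY",
}

# Rough round-number populations for the example only, not census data.
POPULATION = {
    "NY": 19_500_000,
    "CA": 39_000_000,
    "DC": 700_000,
    "WV": 1_800_000,
    "WY": 580_000,
}


def area_code(number):
    """Area code of an 11-digit NANP number (leading 1), or None if not NANP."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits[0] == "1":
        return digits[1:4]
    return None


def messages_per_state(recipients):
    """Count messages per destination state, dropping unknown area codes."""
    counts = Counter()
    for number in recipients:
        state = AREA_CODE_TO_STATE.get(area_code(number))
        if state:
            counts[state] += 1
    return counts


def people_per_message(recipients):
    """The post's metric: state population divided by messages aimed at the state.
    A lower value means more spam per person."""
    counts = messages_per_state(recipients)
    return {state: POPULATION[state] / n for state, n in counts.items()}


def rank_by_raw_count(recipients):
    """States ordered by raw message count, most targeted first."""
    return messages_per_state(recipients).most_common()


def rank_per_capita(recipients):
    """States ordered by people-per-message, fewest people per message first."""
    ratio = people_per_message(recipients)
    return sorted(ratio.items(), key=lambda item: item[1])


# Constructed campaign: message counts per area code, expanded into fake numbers.
CONSTRUCTED_COUNTS = {"212": 25, "718": 15, "213": 30, "415": 20,
                      "202": 10, "304": 18, "307": 6}
SAMPLE_RECIPIENTS = [
    f"+1{code}555{i:04d}" for code, n in CONSTRUCTED_COUNTS.items() for i in range(n)
]

if __name__ == "__main__":
    print("raw:       ", rank_by_raw_count(SAMPLE_RECIPIENTS))
    print("per capita:", rank_per_capita(SAMPLE_RECIPIENTS))
```

On this constructed data the raw count puts California first, while the per-person view puts Washington DC and Wyoming ahead of it.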

The distribution of the campaign in the US can be seen below:


The more red a state is, the more spam per person it was targeted with. It is interesting that the campaign is most concentrated in states that voted Republican in the 2016 Presidential election, with 9 out of the top ten targeted states voting Republican (the outlier being Washington DC). However, it can be difficult to conclude why these Republican states were targeted more per person than other states: it might be due to chance, income levels per state, the fact that President-elect Trump won more states, or maybe a list of recipients the spammers had available to them.

Campaign 2: Make Money Quick Trump

The above was not the only spam campaign to try to profit from the Trump brand. In the last week, between the 10th and 11th of January, we saw another spam campaign that also used the Trump name. This campaign is also from a VoIP operator and is for a make-money-quick scheme. You can see a message below. All messages had nearly identical content:


The URL embedded in the SMS redirects to a link like: xxxxx-moneyxxx.com. Once you land on this URL a video starts that entices the viewer to work from home and earn money by “barely” working. Again there is no mention of Trump in the video, showing that the spammers were simply reusing the Trump brand for an existing spam campaign.

This make-money-quick scheme campaign again targeted all 50 states and Washington DC. In a 2 day period there were over 30,000 messages referencing the President-elect, sent from VoIP operators. To examine the information further, we again calculated how many people per state received a spam message from this campaign.

The results of this campaign were more evenly spread across the states, as you can see from the map below. Again, the more red a state is, the more spam per person it was targeted with.

This time the top states by this per-person measure voted both Republican and Democrat; it remains to be seen whether this trend continues over time.

So what can we conclude from this? Well, first, we are seeing an increase in the amount of Trump-related spam, and the trend of spam campaigns built on popular issues continues. This phenomenon is not exclusive to President-elect Trump, by the way; in the past we encountered Obamacare spam, such as the following:

Obama Care open enrollment starts TODAY, November 1st. Pick your plan here if you haven't or if you want to change/upgrade/downgrade http://goo.gl/0XXXXX

Although that was targeted more at the Affordable Health Act, rather than using the President Obama ‘brand’ itself.

Of the two campaigns examined, we do not have enough evidence to conclude that the first campaign (the loan spam) was indeed targeted at states by political orientation, but previously we have seen attacks targeted by the presence of small regional banks, income levels, and even the number of unattached males, so it may well be the reason, or at least one reason of many. Certainly, this loan spam campaign differs from the second campaign covered - the make-money-quick scheme - which was interesting as it was evenly distributed throughout the states and showed how we expect campaigns to be distributed. Overall, it seems likely that the more the new President remains in the news, the more likely it is that spammers will continue to try to cash in on his "brand". As a result it's likely that more people in the future will receive attacks on their cell phones purporting to come from, or be recommended by, President-elect Trump.

Designated Attacker - Evolving SS7 Attacks


In the last episode, “The Oath”, of the Netflix series “Designated Survivor”, an FBI agent needs to track down the location of a mobile phone. Their solution is to access the SS7 network, which they describe as “the method that allows every cell tower to talk to other so your phone works anywhere in the world”.

This description is broadly correct, although strictly speaking cell towers do not use the SS7 network; they connect to core network elements that do. The method used in the TV series itself is a bit more dubious technically: the actual method used in the show seems to be the lookup of CDR files, which are billing files generated as the outcome of SS7 network activity, rather than directly ’hacking’ the SS7 core network. Regardless, using this approach the agents are seemingly able to locate the device that made a call to the heroine of the series, and (somehow) they are then able to track down the shop at which the phone was bought. While looking for complete or even partial technical accuracy in a TV series is not recommended, what it does show is how awareness of mobile network security has made its way even into the minds of Hollywood script writers.

This also illustrates something we have been aware of for a while: while there may be a perception that the SS7 network is easily abused, in reality, right now it isn’t. Unlike in a TV show, it takes more than a few keystrokes to abuse the SS7 network; it takes expertise, money, and access. But from what we have seen, once attackers have all three they are making sophisticated use of SS7, because once you have this ability, you want to exploit it fully.

In general, there are probably three main classes of misuse of SS7 networks:

  1. Anomalous, but not malicious, traffic. This can be everything from malfunctioning nodes attempting to send for all subscribers rather than their own, to unusual implementations of legitimate services, to anything else which is not known to be malicious. The skill here is in identifying this and making sense of what is malicious and what isn’t – not always easy to understand.
  2. Malicious attacks, up to medium-level complexity. These are the more well-known location tracking, fraud and information harvesting attacks, and were the main type of attacks that operators encountered when they started to investigate SS7 security in depth. As time has gone on, the perception of ‘simple’ has risen in complexity to cover more and more types of attacks. These can normally be well defended against.
  3. Malicious attacks of advanced complexity. This is the type of attack that takes investigation even to identify in the first place, and once identified requires detailed understanding of what the attacker is trying to achieve and how, in order to build consistent defences. These are the most advanced type of attacks, and they will increase in complexity as time goes on.

We are actually seeing a progression over time (i.e. over the last 2 years), where some of the attackers who have access to the SS7 network have progressed to using more and more sophisticated methods to achieve what they want, especially now that a large number of operators have begun to implement defences. One thing that helps these attackers is operators who just deploy standard, off-the-shelf firewalls, or simply upgrade existing network equipment to block known malicious, medium-complexity attacks. Without a dedicated security element, over time the determined attackers will try more advanced attacks and find holes through the initial defences. Like a body deploying antibiotics, without a sufficient and evolving defence the attackers will, over time, mutate and overwhelm the existing static defences.

The diagram shows a recently recorded incident where an attacker managed to penetrate an operator's SS7 defences with Send Routing Information (SRI) packets. These types of packets can be used both for subscriber information harvesting and as a precursor to further attacks.

Surveillance and interception of communications are big business, both in the past and even more so in the future. With recent reports and warnings from security agencies about information being shared over SMS, there is a need to make sure that mobile networks are fully protected. Unlike what was shown in the Designated Survivor episode, it may not be as easy as a few clicks for an attacker to get access to the SS7 network. But once they have access they will use it, and it is only logical that they will continue to improve their attacks and try to bypass any defences put in place so they can continue to get value from it. The key for carriers who want to protect their networks and their subscribers is to start planning now, assume these (designated) attackers will be constantly testing and improving, and get ready to defend for the long term.

Tunnel Vision : Malicious data interception via SS7


The topic of telecom signalling (SS7) security has been in the news again, from reports on banking fraud being enabled by having SS7 access, to new reports issued by the US FCC and the US Department of Homeland Security. Recently it seems that both criminals and governments are waking up to the potential threat of malicious SS7 access.

While the attacks do generate concern, there is a potentially greater danger in the idea that the world's telecom networks are inherently unsafe and that the problem is unfixable. This is not the case if operators put defences in place on the SS7 network, and to show why, we can give an overview of a much more sophisticated attack that we successfully detected.

Soon after going live in one of our customers – a mobile operator in the Middle East – we encountered a very unusual type of attack. A previously unknown attacking ‘platform’ (a malicious system connected to the global SS7 network), based in Central America, had sent a specific command to the operator targeting a particular subscriber, i.e. a mobile phone user. This command – an InsertSubscriberData (ISD) packet – was sent to the SGSN that the subscriber was attached to. It instructed the SGSN to change the settings for the subscriber: basically, to inform the attacking node if the subscriber set up a data session, and wait for instructions on how to route it. While this attack was successfully detected by our SS7 Protection firewall, it did open up a very interesting line of inquiry.

From our research, it became apparent that the aim of this method would have been to redirect the user’s data connection to travel via a specific access point name (APN - a gateway between the mobile network and the internet). In theory, using this method, an attacker could then try to eavesdrop on any (unencrypted) data communications from the device to the internet.

Without going into specific detail, the attack would have executed like the following:

  1. The attacker's SCP node sends a malicious ISD command, changing the subscriber's CAMEL settings.
  2. The targeted subscriber attempts a data session.
  3. Via the CAMEL protocol, the SGSN the subscriber is attached to contacts the attacker node for verification, which returns the ‘bad’ APN.
  4. The SGSN resolves the APN to a corresponding ‘bad’ attacker GGSN and establishes a GTP tunnel to it. All IP traffic from the customer handset travels via this path. This traffic would then go on to the internet or any other external point, but the attacker would be able to monitor (and potentially manipulate) it.

One particularly important point is that the initial malicious ISD (InsertSubscriberData) command was detected, so the subsequent steps (2 to 4) did not occur. However, the particular settings within the ISD command allowed us to determine what the attackers were aiming for had the attack succeeded.
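An added example (not AdaptiveMobile's firewall logic) of the kind of check that stops the attack at step 1: an ISD for a home subscriber arriving from an external global title, carrying CAMEL gprs-CSI data that points the SGSN at a foreign gsmSCF. The message model, the home-network prefixes and the records are simplified constructed assumptions.

```python
"""Simplified firewall check for an InsertSubscriberData (ISD) that arrives from
outside the home network and rewrites a subscriber's CAMEL data. Added example;
the message model, home prefixes and records are constructed assumptions."""
from dataclasses import dataclass, field

# Constructed home-network identifiers: global title prefixes of our own nodes and
# the MCC+MNC prefix of our own IMSIs (999 is not an assigned country code).
HOME_GT_PREFIXES = ("99911", "99912")
HOME_IMSI_PREFIXES = ("99901",)


@dataclass
class MapMessage:
    """A decoded MAP message reduced to the fields the check needs (assumed layout)."""
    operation: str        # MAP operation name, e.g. "insertSubscriberData"
    calling_gt: str       # SCCP calling-party global title (where it came from)
    called_gt: str        # SCCP called-party global title (our node)
    called_entity: str    # role of our node: "sgsn", "vlr", ...
    imsi: str
    params: dict = field(default_factory=dict)


def is_home_gt(global_title):
    return global_title.startswith(HOME_GT_PREFIXES)


def is_home_imsi(imsi):
    return imsi.startswith(HOME_IMSI_PREFIXES)


def gprs_scf_addresses(params):
    """Collect gsmSCF addresses from the simplified sgsn-CAMEL-SubscriptionInfo /
    gprs-CSI structure, i.e. the node the SGSN would consult on data sessions."""
    camel = params.get("sgsn-CAMEL-SubscriptionInfo", {})
    tdps = camel.get("gprs-CSI", {}).get("gprs-CamelTDPDataList", [])
    return [tdp.get("gsmSCF-Address", "") for tdp in tdps]


def assess_isd(msg):
    """Return (verdict, reason) for one message; only ISD is assessed here."""
    if msg.operation != "insertSubscriberData":
        return "ignore", "not an ISD"
    if is_home_gt(msg.calling_gt):
        return "allow", "ISD from a home-network HLR"
    if not is_home_imsi(msg.imsi):
        # Inbound roamer: their HLR is abroad, so an external ISD is expected.
        # A fuller check would match the calling GT's country to the IMSI's MCC.
        return "allow", "ISD for inbound roamer from foreign HLR"
    # Our own subscriber on our own node: only our HLR should send ISD for them.
    foreign_scf = [a for a in gprs_scf_addresses(msg.params) if not is_home_gt(a)]
    if msg.called_entity == "sgsn" and foreign_scf:
        return "block", f"external ISD sets gprs-CSI gsmSCF to foreign {foreign_scf[0]}"
    return "block", "external ISD for home subscriber"


# Constructed records: a legitimate home-HLR ISD, an external ISD that points the
# SGSN's CAMEL data-session trigger at a foreign gsmSCF, and an inbound roamer.
LEGIT_ISD = MapMessage("insertSubscriberData", "9991110001", "9991220005", "sgsn",
                       "999010000000001")
MALICIOUS_ISD = MapMessage(
    "insertSubscriberData", "5021234567", "9991220005", "sgsn", "999010000000001",
    params={"sgsn-CAMEL-SubscriptionInfo": {"gprs-CSI": {
        "gprs-CamelTDPDataList": [{"gsmSCF-Address": "5021234567", "serviceKey": 1}]}}},
)
ROAMER_ISD = MapMessage("insertSubscriberData", "1234567890", "9991220005", "sgsn",
                        "001010000000001")

if __name__ == "__main__":
    for record in (LEGIT_ISD, MALICIOUS_ISD, ROAMER_ISD):
        print(record.calling_gt, "->", assess_isd(record))
```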

This event was notable in a number of ways:

  • First, while methods to intercept SMS and calls using access to the SS7 network had been known and reported in the past, this particular method of data interception was not well known. While something very like it had been theorized in the past [1], this was a real-life attempted data interception attack that was detected, not an academic possibility. While we did not witness the attack proceed beyond the attempt to change the subscriber’s settings, the next steps of changing the APN and eavesdropping on the user’s data traffic would have been theoretically possible in the operator’s network. This means that the attackers not only knew this method, but had probably tried it before in this or other operators, with a good chance it may have succeeded.
  • Secondly, and more importantly, this shows the benefits of having SS7 Protection in place. While the dangers are real, the fact is that defences on the SS7 network - when put in place and combined with intelligence - work. What’s more, previously rare or even unknown attacks can be detected and defeated. In this particular case, an AdaptiveMobile-supplied SS7 Protection firewall was in place, monitoring incoming international activity into the operator. This meant the initial ISD attack was successfully triggered on by the firewall before it could cause any damage.

The operators that would be vulnerable to this particular attack are those that lack SS7 security controls but also have a sophisticated enough CAMEL network to enable it (CAMEL v3 and above), so this is a smaller list of possible targets than for other types of SS7 attack. However, as attackers typically aim at the weakest members of any system, if some mobile operators have protection and others don’t, the ‘have-nots’ are even more at risk.

Nonetheless, the fact that we are still learning the total attack possibilities within SS7 means that even the ‘haves’ should not be complacent. Mobile operators should put in place defences to detect and actively block not only attacks that are known today, but also to handle any changes in attack methods or targets. As many attackers know, data is key, and the more intelligence that mobile operators have about the threats affecting their network, the better they can protect their subscribers.

[1]: Slide 19

The Flash – Around the world in 0.8 seconds


One of the interesting things when applying security to the world’s mobile phone network is that you can come across completely unexpected events that initially have you stumped, but by investigating them they can lead you to a better understanding of the threats to the network, as well as improving your own knowledge. One recent event we came across was when our systems detected a mobile phone number seemingly moving between dozens of different countries every day.

If the SS7 traffic being generated was trusted, and the mobile phone user was actually in these individual countries, then they were travelling at incredible, and basically implausible, speeds. Below is an animation of a straight-line path between all the different countries that the subscriber was present in each hour during the day, showing the huge range of countries visited per hour, with Mexico, China, and the Philippines being the most frequently ‘visited’.

A different way to visualize this is to show the full 24 hour activity, with the different colours representing the different activity per hour

As a thought experiment, taking the midpoint of each country, we estimated that the mobile phone achieved at one point a 'top speed' of 66 million km/h (41 million mph), which is 250 times faster than the Juno probe, the fastest ever human-built object! An alternative, and nerdier, way of looking at this is that the phone was potentially travelling at 6% of the speed of light. So clearly something unusual was happening; the question is what, and whether it was a threat.

First of all, to give some context, the subscriber in question was causing SS7 packets (SendAuthenticationInfo, or SAI, packets) containing the same IMSI number (the subscriber identifier assigned to a SIM card) to be sent from multiple countries worldwide throughout the day. These packets are the first stage in a subscriber registering on a new network. From working with our customer, we soon determined the packets and IMSI were not a threat, but the question remained what was causing the behaviour. Spoofing attempts were ruled out, as we were quite confident that the worldwide network elements sending the SAIs were real and that they believed the IMSI was actually in their network.

One possible answer came when there was a mention of the IMSI on Chinese language websites also connected to iPhone unlocking and jailbreaking, (note: unlocking is the process of changing your iPhone so it can use any SIM card from around the world.) Following this clue, we investigated in more detail how exactly iPhone unlocking works.

How these unlockers work is complex and varied, but one particular type basically involves the use of a special chip that fools the iPhone into temporarily thinking it has a SIM card with a different ‘dummy’ IMSI in it. A YouTube video showing this is below:

You can see that once the dummy IMSI is used, the person with the phone rings a special number, 112, to help complete the unlocking. And indeed, when we examined the dialling pattern of our fast-moving SIM, we could see that the majority of numbers it dialled were 112*.

So, while we could not confirm it 100%, if the fast-moving SIM was actually one of these dummy SIMs being used by an iPhone unlocker, what we were seeing was dozens of people around the world independently trying to use these chips to unlock their iPhones. The chip would cause the phone to think it had a SIM with this IMSI for a moment, but the mobile network that their iPhone was connected to would pick up this new SIM and then attempt to start the authentication procedure with the IMSI’s home network (our customer). This would make the same ‘subscriber’ appear to be travelling around the world, and fits the pattern we saw. The dialling of 112 that we saw also gave further evidence of this.

We could see further indirect proof of this in that activity in the different time zones followed a common pattern, i.e. activity was most intense during the same hours (evening) in China and the Philippines, whereas Mexico activity was earlier, again during their evening hours.

While this case is on the minor scale of the suspicious activity we see on signalling networks - it would certainly not be on the same scale as state-sponsored platforms using the SS7 network for surveillance, for example - it does show the need to apply intelligence to alerts in any monitored system, be that SS7 or otherwise. It’s not enough to simply have alerts; unless you apply intelligence, analysts can be overwhelmed with ‘noise’, and attacks that deserve closer attention get lost.

 

*Note: besides the questionable nature of the whole SIM unlock process, this use of 112 is especially problematic. It does not directly access emergency numbers in China, but it does in Europe, the US and many other countries, so using it for non-emergency purposes is arguably illegal.

SIGIL - Getting Ahead of the Game


Today we announced the release of our new product SIGIL. Short for SIGnalling Intelligence Layer, SIGIL is a cloud-based service that analyses the outputs from telecom signalling firewalls around the world. By applying a series of algorithms to this activity, SIGIL is able to provide intelligence about both global and local attacks to any signed-up mobile operator. In short, it allows operators to really understand the risk of SS7 attacks in their network. Furthermore, it also allows them to reduce that risk by leveraging advanced research on attacks that have been seen elsewhere to greatly improve their defences.

The origin of this idea came from a series of events we encountered last year. In this period, what we call the ‘Central Asian Scanning event’ occurred, where multiple customer operators worldwide received a burst of suspicious SS7 activity from SS7 addresses in Central Asia. Examined in each operator in isolation, the activity would not have been so interesting in itself. However, when we combined the information and research, we could see a much more complex picture of defences being probed for use in advanced attacks. Once we recognised the seriousness of this attacker, we classified it as a high-threat ‘Attack Platform’ and rigorously monitored it in multiple customer operators, ensuring that it wasn’t successful.

SIGIL visualization of mTAN interception platform

Unfortunately, this attacker is also the best-known public example of malicious SS7 attacks, as it is the source of the successful banking mTAN interception attacks in Germany reported a few months ago. While we cannot go into too much detail as this criminal group is under legal investigation (which we are assisting), for us this was a graphic illustration of the benefits of collaborative intelligence and research. A single operator investigating this would have struggled to determine the true risk behind it until it was too late, especially as it tries to stealthily bypass defences and may not be noticed. This for us was the impetus to build SIGIL, as it tackles 3 key areas that operators need assistance with in the field of SS7 Security: Understanding, Defending and Predicting.

Understanding the Threat

The first is that it can be a struggle for operators to understand what is really going on in their network. Signalling firewalls use a series of methods to detect activity that seems abnormal and report it; the volumes vary, but can be anywhere between a few thousand and several hundred thousand events a day, depending on the size of the network. Beyond that point, firewalls typically provide little in the way of commentary or intelligence.

We found that through our investigation and research we could start to separate the ‘noise’ events from really malicious attacks. Being able to classify and identify the different malicious activity, and combine it with intelligence, is essential in any cyber-security area. If you don’t do this, security teams end up focusing on high-volume but low-risk attacks, while the truly dangerous activity (normally at much lower volumes), which should be tracked carefully, gets missed. To help operators we’ve built much of this research into SIGIL. In practical terms, operators can know whether that burst of unusual activity is as simple as a badly configured telecom node in somebody else’s network, or a criminal or state-sponsored group trying to intercept communications, in which case subscribers need to be warned.

Defending the Network

Following closely on from understanding the ‘badness’ in an operator’s network by using SIGIL, the operator can now make much better decisions on defending against attacks and engineering defences. At a high level this allows operators to have more certainty on whether to block unusual SS7 activity or not.

This decision on whether to block or allow is not always apparent. Experience and knowledge in SS7 security is not a widespread skill. Technical and network staff in mobile operators know their network, but knowing how attacks actually manifest, and how to look for attacks which may have evaded initial defences, is different. We’ve spent a lot of time using our experience to build up the algorithms that are part of SIGIL. The practical benefit of this is that staff in operators don’t have to spend the same time replicating that effort, and can focus on dealing with the attacks themselves.

Predict the Future

Finally, and possibly most usefully, by using SIGIL operators can also receive a feed of information not only on attackers that they have experienced, but also on sources of attacks that they have not experienced yet, i.e. information on attackers before they can strike the network. This has obvious benefits in allowing them to block sources of malicious signalling activity ahead of time.

It also helps defend against potential future developments by determined attackers. Intriguingly, we are starting to identify and detect looser connections between these attackers, which show that many of them may re-use the same methods and access points. For example, we have seen cases of both criminal and state-sponsored malicious users of SS7 networks sharing similar (but not identical) techniques and access points, and these similarities are evolving. This is an area of future research, but for now it means that knowing in advance the sources of complex attacks elsewhere, and not waiting for them to attack each operator, is critical.

We believe that SIGIL is a critical development in the evolution of security for mobile operators, and ultimately will help all of us who use mobile phones, as these rely on the security of the SS7 network. In the seemingly never-ending Game of Phone security, SIGIL provides understanding, defence and prediction to help level the playing field.

Ireland’s Call, Careful Now


There has been a surge of reports recently in Ireland about missed calls being received by Irish mobile phone users, who then ring back the numbers that generated the missed calls and are charged large amounts of money. What is happening here is a form of mobile fraud called Wangiri, and the goal is to social engineer/trick people into ringing back these numbers, causing their account to be deducted several euros at a time.

 

Wangiri

Wangiri is a Japanese word that literally means ‘one ring and cut’. Initially used to describe a form of communication using the number of ring-tones, it now refers specifically to this kind of fraud. As could be guessed from the name, this type of fraud seems to have been first used and reported in Japan in the early 2000s (2002). How the scam works is as follows:

  1. The fraudsters initiate thousands of calls, often to random target numbers.
    • The number displayed as the dialling (originating) number is normally a foreign phone number, which is unknown to the owner of the target number.
  2. The fraudster ceases (cuts) the call immediately after it rings.
    • If a recipient is fast enough to answer the call in this initial ring period they will hear silence, or sometimes a meaningless pre-recorded message like “You are on hold for the finance department”.
  3. A certain percentage of people, out of curiosity or habit, will see this missed call and dial it back; at this point they will be charged for making this call (and staying on it), and the fraudsters will receive a percentage of this money.
    • This percentage of people that rings back is called the callback rate, and fraudsters will try to maximise it as much as possible.

The originating number that will appear in the missed call is normally a number in a foreign country, and crucially, this is a Premium Rate Number (PRN) or some other high-cost number. A PRN is a number billed at a different rate to ordinary numbers, normally much higher, and this money comes directly from the victim who makes the call back to it.

Example volume of received Wangiri calls by Irish Mobile Subscriber

In these cases, the fraudsters have obtained (through legal or illegal means) ranges of Premium Rate Numbers in countries around the world, ensuring that they get a percentage cut of the money that accrues to these numbers when people dial them. One technical fact most don’t realise is that the calling number displayed – the Premium Rate Number – doesn’t actually mean that the phone ringing you is in that country, i.e. even though the number you receive says it is in Liberia (+231), this does not mean that a phone in Liberia is ringing you. In most cases the fraudster will have connected to systems that allow them to dial remotely and set these PRN numbers as the dialling party. This allows the fraudster to cycle through different Premium Rate Number ‘ranges’ over time, and can make blocking after the fact quite difficult.

 

Callback Scam

There have already been a few incidents of Wangiri calls in Ireland in 2017; however, this latest attack over the last few days seems to have been of particularly high volume. Based on our own experience (AdaptiveMobile Ireland personnel), up to 30% of Irish numbers could potentially have been affected. If this is repeated throughout the country it would be an enormous volume of call requests, and initial news reports do indicate that it was indeed at an unprecedented scale.

More typically, the calls use a range of numbers from several different countries. In Ireland, over the last few days, Wangiri calls with numbers from the following countries have been reported:

  • (+43) Austria
  • (+212) Morocco
  • (+216) Tunisia
  • (+231) Liberia
  • (+235) Chad
  • (+247) Ascension Island
  • (+252) Somalia
  • (+269) Comoros

Map of Origin of Callback Numbers used in Recent Wangiri Attacks

And there are highly likely to be others. The recent attacks in the last week are not isolated, however; in the past few weeks PRNs from several other countries, including:

  • (+678) Vanuatu
  • (+381) Serbia
  • (+676) Tonga
  • (+222) Mauritania
  • (+248) Seychelles
  • (+674) Nauru

had been reported in an earlier ‘wave’. This use of multiple country ranges over time is to be expected. As explained earlier, it’s not that the Wangiri calls are actually coming from these countries, but that ranges from these countries are being used. Fraudsters performing Wangiri attacks will normally have many PRN ranges they can swap and cycle through to execute the attack, and the attacks will continue for as long as the Fraudsters believe they can make money.

On that point, it’s too early to judge the success rate for these attacks. But within the telecom fraud industry, call back rates for Wangiri can potentially be surprisingly high – an ‘effective’ attack can be up to between 10 to 15%. Even assuming a lower call back rate of 1% – based on the potential volume – the impact to Irish mobile phone users of tens of thousands of calls each being charged several euro over the course of a few days can quickly add up.
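The pattern in the numbered steps above, and the callback rate discussed here, can be checked against an operator's own call records. The Python below is an added example written for this post, not AdaptiveMobile's detection logic: it groups inbound call attempts by calling-number range, flags a range as Wangiri-like when it hits many distinct subscribers with very short, unanswered rings, and then measures what share of the targeted subscribers rang back. The call records, the +231 numbers and the thresholds are all constructed for the example.

```python
"""Wangiri (one-ring-and-cut) burst detection over a sample of call records.

Added illustration, not AdaptiveMobile's code. The CDR lines, the +231
numbers and the thresholds are constructed for the example.
"""
from collections import defaultdict
from statistics import median

# Constructed CDRs: direction,calling,called,ring_seconds,answered(1/0).
# Eight one-ring attempts from a +231 range to eight different Irish
# subscribers, two ordinary calls, and two subscribers ringing back.
SAMPLE_CDRS = """\
in,+231770000101,+353870000001,2,0
in,+231770000101,+353870000002,1,0
in,+231770000102,+353870000003,2,0
in,+231770000102,+353870000004,1,0
in,+231770000103,+353870000005,2,0
in,+231770000103,+353870000006,1,0
in,+231770000104,+353870000007,2,0
in,+231770000104,+353870000008,1,0
in,+353860000009,+353870000001,20,1
in,+4420000000010,+353870000002,15,1
out,+353870000002,+231770000101,0,1
out,+353870000005,+231770000103,0,1
"""

MIN_DISTINCT_TARGETS = 5   # one range hitting many unrelated subscribers
MAX_RING_SECONDS = 3       # the "cut" happens after roughly one ring
MAX_ANSWER_RATE = 0.1      # almost nobody manages to answer in time


def parse_cdrs(text):
    """Turn the CSV-style records into dicts."""
    rows = []
    for line in text.strip().splitlines():
        direction, calling, called, ring, answered = line.split(",")
        rows.append({"dir": direction, "calling": calling, "called": called,
                     "ring": int(ring), "answered": answered == "1"})
    return rows


def range_key(number, digits=7):
    """Group numbers by their leading digits, i.e. the PRN range they sit in."""
    return number[:digits]


def wangiri_ranges(rows):
    """Return calling ranges whose inbound pattern matches one-ring-and-cut."""
    per_range = defaultdict(list)
    for r in rows:
        if r["dir"] == "in":
            per_range[range_key(r["calling"])].append(r)
    flagged = []
    for key, calls in per_range.items():
        targets = {c["called"] for c in calls}
        if len(targets) < MIN_DISTINCT_TARGETS:
            continue
        if median(c["ring"] for c in calls) > MAX_RING_SECONDS:
            continue
        answer_rate = sum(c["answered"] for c in calls) / len(calls)
        if answer_rate > MAX_ANSWER_RATE:
            continue
        flagged.append(key)
    return flagged


def callback_rate(rows, flagged):
    """Share of subscribers hit by a flagged range who then rang it back."""
    targeted, called_back = set(), set()
    for r in rows:
        if r["dir"] == "in" and range_key(r["calling"]) in flagged:
            targeted.add(r["called"])
        elif r["dir"] == "out" and range_key(r["called"]) in flagged:
            called_back.add(r["calling"])
    if not targeted:
        return 0.0
    return len(called_back & targeted) / len(targeted)


if __name__ == "__main__":
    rows = parse_cdrs(SAMPLE_CDRS)
    ranges = wangiri_ranges(rows)
    print("flagged ranges:", ranges)
    print("callback rate: %.0f%%" % (100 * callback_rate(rows, ranges)))
```

On the constructed sample the +231770 range is the only one flagged, and 2 of the 8 targeted subscribers ring it back, a 25% callback rate. On real traffic the same grouping key is what lets an operator block a whole range rather than chasing individual numbers as the fraudster rotates through them.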

 

Missed Call Scam

As stated earlier, it’s likely that, even if incoming Wangiri calls using these numbers are blocked in the future, more attacks will follow with new PRN ranges from additional countries. In the long run the best defence would be for the affected mobile operators to invest in systems that identify the attacks pro-actively as they happen, and block them before they can affect Irish mobile phone users.

For now, the best advice would be to:

  1. Do not answer calls from abroad that you don’t recognise.
  2. If you do ring back, hang up as soon as possible – even if you still hear a ‘ringing tone’. In many cases the fraudsters will play a recording of a ringing tone and you may think the call has not connected, but you will be charged for as long as you stay on.
  3. Report the call, and the number that made it, to your operator, so they can try to block the source range.
    • As an additional counter-measure, if you are getting really hassled with incoming calls, you could block numbers or number ranges on your handset. However, with this you may always be playing ‘catch-up’ as the fraudsters use new numbers and ranges.

Ireland certainly isn’t alone in being targeted by this scam; Wangiri is a common phenomenon and there are many examples of equivalent attacks in other countries, now and in the past. Sometimes the fraudsters make unique modifications to improve the call back rate, but in general the pattern is quite similar to those first attacks in Japan 15 years ago. In the short term, Irish mobile phone users will have to stay vigilant, and if in doubt when receiving a call, don’t answer.

Measuring the Diameter - Protecting 4G Networks


To date, almost all of the conversations in the media regarding the security of mobile networks have focused on the SS7 protocol. While this system is the backbone of the mobile network, handling roaming and control of the mobile subscribers using it, it is gradually (very slowly) being supplanted by the Diameter protocol, which is used for control of LTE/4G networks and subscribers.

 

What's the Question

So far the conversation around Diameter has primarily revolved around attacks that are possible in theory – including some potential attack research to which we contributed. While this is useful, and does show that Diameter networks are indeed vulnerable, just being vulnerable is not enough to know the extent of the real danger. Within security, to truly assess the risk of an event, we need to take into account whether a threat actually exists, and that is done by various forms of the following formula:

  • Vulnerability x Cost x Threat = Risk

So while the Vulnerability of a Diameter network is clear from the preceding research, and the Cost (of an attack) is easy to determine – ranging from information loss, through communication interception and location tracking, all the way up to denial of service of a mobile network – the actual real Threat so far is not known. That is because up until today no information has been released on Diameter attacks seen “in the wild”. That’s what we are going to change.

Visualisation of International Diameter traffic over multiple 4G Networks

Late last year we analysed sample international Diameter traffic from over half a dozen carriers over the same time span. This involved traffic to/from 80+ countries in all 5 continents, although the majority of traffic was from the Americas and Europe. Within this traffic we searched for specific types of suspicious activity, which are classed by the GSM Association into different types, and found that around 3% of traffic exhibited anomalies based on these types. Interestingly this percentage is actually quite high compared to SS7; however, while these categories and percentages are useful as a benchmark, they are misleading, as they don’t tell you anything about whether the traffic is actually malicious or not, which is critical in understanding the real threat.

After subsequent investigation, we believe the vast majority of the above to be either misconfigured network elements, mistakes in setup, or random spurious events – not malicious events. But within the above we did find a small amount of suspicious/malicious activity over Diameter, which answered what we wanted to know: is Diameter being exploited? The answer seems to be yes. What was surprising was its complexity and level of advancement, and, strangely, how few malicious cases there were compared to SS7 (more on this later).

 

A Random Walk

In one particular suspicious/malicious case, we observed very sophisticated attempts to potentially test the Diameter defences in place in one operator. Over a period of roughly one hour a customer network received incoming Authentication-Information-Request (AIR) and Update-Location-Request (ULR) Diameter packets from multiple sources, all concerning the same mobile phone subscriber. ULR packets are used to change the designated location of a subscriber, while AIR packets normally precede the ULR and are part of the procedure of authenticating a subscriber when it roams to a new network.

Suspicious Activity Timeline/Location Map

The sequence of events is shown in the map above, with the times in hours:minutes:seconds. The algorithms built into our Diameter Network Protection Platform detected not only that the subscriber was moving at implausible speeds – AIR and ULR packets were being received from new countries faster than a subscriber could reasonably be expected to reach them – but also that the authentication and update location requests were out of sequence and came from different countries. For example, at time +0:54:29, an AIR was received from Greece for the subscriber, indicating the subscriber was trying to authenticate to a Greek mobile network, but just over 5 minutes later at +1:00:38, a ULR packet was received from Germany – indicating the subscriber was attempting to register its location in Germany. Other similar implausible transitions and AIR<>ULR deviations could also be seen at other times.
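Both the ‘fast-moving SIM’ in The Flash post above and the AIR/ULR sequence described here come down to two checks on per-subscriber signalling events: the speed implied by consecutive events from different countries, and whether a location update follows an authentication from the same country. The Python below is an added example for this post, not code from AdaptiveMobile's Diameter Network Protection Platform; the country centroids, the 1000 km/h threshold and the event lists (one of them built from the Greece/Germany timings quoted above) are constructed assumptions.

```python
"""Velocity and sequence checks over per-IMSI signalling events.

Added illustration, not AdaptiveMobile's code. The centroids, the speed
threshold and the event lists are constructed sample data; in production
the events would be SS7 SendAuthenticationInfo (SAI) messages or Diameter
AIR/ULR messages keyed by IMSI.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Rough country centroids (lat, lon) in degrees, constructed for the example.
CENTROIDS = {
    "MX": (23.6, -102.5),
    "CN": (35.9, 104.2),
    "PH": (12.9, 121.8),
    "GR": (39.1, 21.8),
    "DE": (51.2, 10.4),
}

# Anything faster than an airliner is implausible for a genuine roamer (assumption).
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


@dataclass(frozen=True)
class Event:
    t: int        # seconds since the start of the observation window
    country: str  # country of the network element that sent the message
    msg: str      # "SAI" (SS7), "AIR" or "ULR" (Diameter)


def velocity_alerts(events):
    """Flag consecutive events whose implied speed exceeds the threshold.

    Returns (from_country, to_country, km/h) tuples.
    """
    alerts = []
    ordered = sorted(events, key=lambda e: e.t)
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.country == cur.country:
            continue
        dist = haversine_km(CENTROIDS[prev.country], CENTROIDS[cur.country])
        hours = (cur.t - prev.t) / 3600.0
        if hours <= 0:
            alerts.append((prev.country, cur.country, float("inf")))
            continue
        speed = dist / hours
        if speed > MAX_PLAUSIBLE_KMH:
            alerts.append((prev.country, cur.country, round(speed)))
    return alerts


def sequence_alerts(events):
    """Flag a ULR whose most recent preceding AIR came from another country.

    A genuine attach authenticates (AIR) and then updates location (ULR)
    from the same visited network, so a mismatch is out of sequence.
    """
    alerts = []
    last_air = None
    for e in sorted(events, key=lambda e: e.t):
        if e.msg == "AIR":
            last_air = e
        elif e.msg == "ULR" and last_air is not None and last_air.country != e.country:
            alerts.append((last_air.country, e.country))
    return alerts


# Constructed: SAI traffic for one IMSI arriving from three countries in a few hours.
FLASH_SAMPLE = [
    Event(0, "MX", "SAI"),
    Event(1800, "MX", "SAI"),
    Event(3600, "CN", "SAI"),
    Event(7200, "PH", "SAI"),
]

# Constructed from the timings quoted in the post: AIR from Greece at +0:54:29,
# ULR from Germany at +1:00:38.
DIAMETER_SAMPLE = [
    Event(54 * 60 + 29, "GR", "AIR"),
    Event(60 * 60 + 38, "DE", "ULR"),
]

if __name__ == "__main__":
    print("Flash velocity alerts:", velocity_alerts(FLASH_SAMPLE))
    print("Diameter velocity alerts:", velocity_alerts(DIAMETER_SAMPLE))
    print("Diameter sequence alerts:", sequence_alerts(DIAMETER_SAMPLE))
```

The two checks are deliberately independent: the velocity check alone would have caught the dummy-SIM case in The Flash, which turned out to be benign, whereas the sequence check only fires when the protocol order itself is wrong, which is the stronger signal in the Diameter case.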

One of the reasons an attacker would attempt to do this – change the designated location of a subscriber to a fake location – would normally be so they can intercept subsequent communications to the subscriber. This is the attack method that was executed by a criminal group against German banking customers over SS7 in early 2017. However, in this case we did not see this (SMS interception) attempted; instead it’s probable that this activity was designed simply to see whether our customer’s network was vulnerable to complex attacks over Diameter, and that the source countries were very likely spoofed.

 

Where are the Attacks?

So what does all of this mean? Well, this type of attack (spoofing the location of a subscriber) is quite complex and difficult to execute, but it is very powerful as it allows the attacker to then perform several different types of attack. This behaviour was one of many suspicious/malicious activities that we saw on Diameter networks, and the overall conclusion we took from that is that we proved attacks over Diameter do happen. But one other thing we also observed is that the rate of strongly suspicious/malicious activity that we see seems to be much lower in Diameter than in SS7.

The question then asked would be why. The strong, and we believe main, reason is the usefulness of the Diameter network to conduct signalling attacks compared to SS7. Simply put, Diameter is still far less used than SS7. To demonstrate this, for one of our mobile operator customers we examined a representative sample of their SS7 and Diameter traffic (around 10 minutes in the busiest time of the day) and found that in this period their SS7 traffic came from over 200 countries, but over Diameter it was less than 100 countries.


Source SS7 Country Activity in Time Period

Source Diameter Country Activity in Time Period

But even this hides the number of active nodes on these networks – in this time period the number of unique endpoints over SS7 was 16 times more than over Diameter. So it makes sense that an attacker is more likely to use SS7, because the range of targets they can attack is wider, i.e. every country in the world.

A less important reason as to why we don’t see as many attacks over Diameter is access. It is probably harder for an attacker to get access to Diameter, as the number of countries using it is lower, and, more importantly, there is not yet a multitude of smaller MVNOs and other legacy companies connected to the Diameter network, unlike SS7, which has built up far more entities connected to it than was ever envisaged, rendering its trusted network model obsolete.

 

Summing Up

All that being said, this should not be seen as an indication that Diameter is safer, because inevitably, as SS7 security improves and Diameter use widens and eventually starts to replace SS7, we expect malicious misuse of Diameter networks to increase. Right now attackers seem primarily to be testing what can be done over Diameter networks, and how operators are vulnerable, with the bulk of exploitation of signalling networks remaining over SS7. That won't stay like that forever, and with the eventual greater uptake of and access to the Diameter network, we can expect the bulk of the attacks to transition over to Diameter over time. In order for mobile operators to answer the question of network security, they will have to make sure that they are prepared to identify and block attacks over the Diameter network.

Cryptocurrency Scams: The Goldrush of Cybercrime


Introduction

Cryptocurrencies have become a favourite monetary tool of cyber criminals, as their lack of centralised authority or control provides a level of anonymity not available with other means of currency exchange. One of the first practical transactional uses of cryptocurrencies was popularised on illegal darknet black markets, such as the now infamous Silk Road. However, in recent years the use of cryptocurrencies (in particular Bitcoin) as a method of exchange on darknet markets has declined considerably; the use of Bitcoin in such transactions has decreased from 30% in 2012 to a mere 1% in 2017. The increasing popularity of cryptocurrencies as a speculative investment has led to an increase in cryptocurrency-based cybercrime. The much-publicised thefts from the Japanese-based exchanges Coincheck and MtGox prove that cryptocurrency theft can be highly lucrative. The value of these types of scams and hacks is on the rise – a near 30% increase since 2013. Here at AdaptiveMobile Security, we began to observe an increase in cryptocurrency scams specifically targeting mobile subscribers across multiple operators almost concurrently with the cryptocurrency price increases witnessed at the end of 2017 and beginning of 2018. In this blog, we analyse two scams aimed at two separate cryptocurrency web-based eWallets – Coinbase and Luno. Both scams were phishing campaigns designed to gain access to users’ accounts on both sites. The Coinbase campaign was based in North America and is one of the most sophisticated phishing campaigns we have ever dealt with. The Luno campaign was based in Africa and is more of a traditional phishing campaign. Each campaign is addressed individually below.

Coinbase

A few months ago, we began to see a campaign targeting thousands of subscribers in North America on an almost weekly basis. The SMS received by the subscriber contained a malicious URL to the phishing page, as illustrated in the screenshot below. All the campaigns originated from multiple IPs distributed among ISPs across the United States – probably as part of a spam botnet. The actual phishing pages are hosted on IPs located in the US or the Netherlands. The email addresses used to send the spam are likely spoofed or randomly generated. The message states that the recipient has received a Bitcoin or Litecoin transaction of a large amount – as seen in the screenshot below (at the time of writing 63 BTC is roughly worth $41,000) – with a link to confirm the transaction. The graph below shows the volumes associated with this campaign broken down by week since the beginning of April 2018.


Figure 1: Coinbase Phishing Weekly Volumes

What makes this campaign unusually sophisticated is that it is entirely automated and takes place in real time. In a standard phishing campaign, the phishing page merely stores the login credentials of the victim, to be used by the malicious actor at a future time. However, as security measures associated with site access have increased, simply knowing the login credentials of a user won’t always grant access – many sites now have some form of multi-factor authentication in place. Coinbase relies on such authentication methods, so in order to gain access to a Coinbase account one needs not only the username/password but also two-factor authentication (2FA) codes and, in some cases, email confirmation. In these Coinbase phishing campaigns the victims’ accounts are remotely accessed in real time. If any additional information – such as 2FA – is required for access, this is requested from the victim and then passed to a remote session initialised automatically by the malicious actors in order to siphon Bitcoin or Litecoin from the account. This is analysed in more detail in the section below, where we look at one of these Coinbase phishing sites (http://coinbase.cpro-tx.com) in order to better understand how these campaigns actually worked.

Figure 2: Example of Coinbase phishing SMS

First, we were able to access some publicly accessible directories/files (log files and the names of PHP scripts/libraries – an example is shown in Figure 3) on the phishing server. With this information, and by reviewing some of the site’s JavaScript, we gained a rudimentary understanding of how the attack was being implemented.

Figure 3: One of the directories on the phishing server

When the recipient of the message follows the URL, they are presented with a near-identical copy of the Coinbase login page, as shown below in Figure 4. Once the user enters their email and password and clicks the SIGNIN button, the attack begins. As shown in the JavaScript below (Figure 5), it will first check whether the username and password are valid. If these conditions are met it will then submit the email address and password to the server as a form using AJAX. If Coinbase validates the login credentials, then the user is presented with Step 2 of the sign-in process (http://coinbase.cpro-tx.com/signin_step_two/) (Figure 6), where they will be prompted to enter the 2FA code from the authenticator app. When tested by AdaptiveMobile Security with a real user account, we received an SMS almost immediately from Coinbase with a 2FA code.

Without the actual PHP code, we need to make assumptions as to how the attack is being implemented. There are some clues in the publicly accessible directories/files we found, e.g. the use of this Curl wrapper library (available on GitHub). This library is designed to make it easy to send HTTP requests and to integrate with web APIs. In fact, the library’s documentation provides an example of how to use it to retrieve your Coinbase account balance. Using this, the attacker starts a session with Coinbase.com as would a normal user; they then proceed to pass the POST data (e.g. email and password) to the Coinbase site, successfully bypassing each section of the user verification process with information obtained from the user. All of this is automated without any manual input from the attacker.

Figure 4: Coinbase phishing landing page

Figure 5: Javascript - Step One  - Signin with Email/Password

Figure 6: 2FA phishing page

Getting past the 2FA section is not always enough. Coinbase associates each user account with the IP(s) normally used by the account for logging in. If it detects a login attempt from a different IP, it will send an email to the user’s email address so that they can confirm their identity (Figure 7). The attacker doesn’t have access to the user’s email account, so instead they brazenly request that the user paste the URL confirmation link into the phishing page.

Figure 7: Email confirmation from Coinbase

Figure 8: Attackers request user to paste the email confirmation link on to page

It also appears that the attacker may be using some form of SOCKS proxy server. This is essentially a host through which traffic is routed between a client and server. The proxy server allows the attacker to anonymise requests to Coinbase.com, hiding their true IP address. If the attackers didn’t do this, multiple requests from a single IP, or even a collection of IPs, would probably arouse suspicion.

Once past all the verification sections, they have control of the user's account and can transfer the cryptocurrency to an address belonging to them. In one example, there was a directory with three text files – composer, errors and success (Figure 9). The composer file logged every attempted login to the phishing page – it contained details such as email, password, (user) IP address, SOCKS proxy IP and web browser user agent. The errors file logged the sessions which were unsuccessful. Finally, the success file listed successful transfers from the user’s account to the attacker’s account. In examining the success files, we found entries ranging from 0.00250000 BTC to 0.00660000 BTC. A record of these transactions is traceable online on the blockchain website. Given the volume and frequency of these campaigns, the attackers are likely to be collecting substantial amounts from these phishing scams.

Figure 9: Data directory

Figure 10: Log of Bitcoin transaction sent to attacker's address from a user's account

In Figure 10 you can see a record of one of these transactions. The attackers seem to be using multiple addresses to distribute the stolen cryptocurrency. From here they most likely launder it in some way, for example by exchanging it for fiat currency via an exchange. By doing this the attackers obscure the true origin of the funds, which makes them difficult to track on the public blockchain.

Top 5 Coinbase Phishing URLs

URL           Message Count
ca-fork.com   55656
ms-tp.com     39402
zd-aa.com     36723
gx-tx.com     35969
dp-gt.com     35814

Top 5 Coinbase Phishing Messages

Message                                                Message Count
Amount received 46 B.T.C http://ra-ba.com |coinbase|   5087
Amount received 46 B.T.C http://ad-za.com |coinbase|   4657
Amount received 46 LTC http://cpro-tx.com |coinbase|   4619
Amount received 34 BTC http://ca-ta.com .coinbase.     4164
Amount received 34 BTC http://aa-ra.com +coinbase+     3675

Luno

A second cryptocurrency-based phishing campaign that we have analysed involved the eWallet Luno. These campaigns are targeting mobile subscribers in Africa: on one customer's network the attackers have been sending on average ~40,000 messages a day for the last few months. They are far less sophisticated than the Coinbase campaigns, merely phishing for login credentials rather than attempting an attack in real time. The attacker simply logs the user's access details (to be used at another time), usually by storing them on the server or emailing them to themselves. As with the Coinbase campaign we were able to access some directories/files on one of the Luno phishing servers. It appears these attackers make use of pre-designed phishing kits which they likely acquired from a third party. One of the sites we analysed was also hosting a phishing campaign targeting the South African bank Absa.

Figure 11: Luno phishing landing page

The PHP file in Figure 12 was taken from one of the Luno phishing sites we analysed. It shows how the kit takes the data from the forms the user fills in and sends it to the attacker's email address: the user's IP address, email/password and the date/time are sent using PHP's mail() function. The designer of the phishing kit has also added their signature (“Created BY XaMaNi”), something quite common in phishing kits. Other PHP files on the server were designed to return an HTTP/1.0 404 Not Found error if the visiting IP address or user agent matched supplied lists of bot and crawler IPs and keywords (‘bingbot’, ‘googlebot’ etc.), most likely to stop the site being flagged as a phishing page and blacklisted.

Figure 12: Luno phishing php file to email user's details to the attacker

Luno Phishing Examples

Message
Luno Active Users,Validate your Account to prevent Deactivation in 24hours,Click-> http://www.luno.updates.[redacted].cf to secure wallet.
Hi luno BTC/ETH Trader, UPDATE your account now to avoid TERMINATION in 24hours click:- https://[redacted].ru/ECVfT to secure WALLET now.
Active Luno User:Update your Luno bitcoin account to avoid deactivation.To Update your Wallet Click here :->(http://[redacted].ink/NLUNO). Luno BTCcoins.
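The Coinbase and Luno samples above share a handful of traits a message filter can score: a brand name, sometimes wrapped in punctuation (|coinbase|, .coinbase., +coinbase+) to slip past keyword matching; a link whose registered domain is not the brand's; a fake "Amount received" payment lure with a dotted ticker; and a cluster of urgency words. The following is an added example written for this page, not code from the original post or from either campaign's kit. The legitimate-domain table, the weights and the sample messages are assumptions; the samples follow the quoted messages with the redacted hosts replaced by example hostnames, plus two benign controls.

```python
import re
from urllib.parse import urlsplit

# Brand -> registered domains treated as legitimate (assumption; extend per operator policy).
BRAND_DOMAINS = {"coinbase": {"coinbase.com"}, "luno": {"luno.com"}}
URGENCY = {"validate", "update", "avoid", "prevent", "deactivation",
           "termination", "secure", "24hours", "now"}
LURE_RE = re.compile(r"amount received\s+\d+(?:\.\d+)?\s*(?:btc|ltc|eth)\b")
URL_RE = re.compile(r"https?://\S+", re.I)
DOTTED_RE = re.compile(r"(?<![a-z])((?:[a-z]\.)+[a-z])(?![a-z])")   # b.t.c -> btc


def normalise(text: str) -> str:
    """Lower-case the text and undo letter-by-letter dotting of tickers such as B.T.C."""
    return DOTTED_RE.sub(lambda m: m.group(1).replace(".", ""), text.lower())


def registered_domain(host: str) -> str:
    """Last two labels of the host; a production filter would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def score_message(text: str) -> dict:
    norm = normalise(text)
    tokens = set(re.findall(r"[a-z0-9]+", norm))
    hosts = [urlsplit(u).hostname or "" for u in URL_RE.findall(text)]
    body = URL_RE.sub(" ", text.lower())        # message text with the links removed
    score, reasons = 0, []

    brands = {b for b in BRAND_DOMAINS if b in tokens or any(b in h for h in hosts)}
    if brands:
        score += 2
        reasons.append("names brand(s): " + ", ".join(sorted(brands)))
    # Brand wrapped in matching symbols (|coinbase|, .coinbase., +coinbase+) to evade keyword filters.
    if any(re.search(r"([^\w\s])%s\1" % b, body) for b in brands):
        score += 1
        reasons.append("brand name wrapped in punctuation")
    legit = {d for b in brands for d in BRAND_DOMAINS[b]}
    if brands and hosts and not any(registered_domain(h) in legit for h in hosts):
        score += 3
        reasons.append("brand named but link goes to " + ", ".join(hosts))
    if any(b in h and registered_domain(h) not in legit for b in brands for h in hosts):
        score += 1
        reasons.append("brand used as a label in a lookalike host")
    if LURE_RE.search(norm):
        score += 2
        reasons.append("fake 'amount received' payment lure")
    if len(URGENCY & tokens) >= 2:
        score += 1
        reasons.append("urgency wording: " + ", ".join(sorted(URGENCY & tokens)))
    return {"score": score, "reasons": reasons,
            "verdict": "phishing" if score >= 4 else "ok"}


# Constructed samples: the first three follow the messages quoted above (redacted hosts
# replaced with example hostnames); the last two are benign controls.
SAMPLES = [
    "Amount received 46 B.T.C http://ra-ba.com |coinbase|",
    "Luno Active Users,Validate your Account to prevent Deactivation in 24hours,"
    "Click-> http://www.luno.updates.example.cf to secure wallet.",
    "Hi luno BTC/ETH Trader, UPDATE your account now to avoid TERMINATION in 24hours"
    " click:- https://example.ru/ECVfT to secure WALLET now.",
    "Coinbase: your verification code is 123456. Do not share it with anyone.",
    "Your parcel is out for delivery, track it at https://example.com/t/8",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = score_message(s)
        print(f"{r['verdict']:8} {r['score']:2}  {s[:60]}")
        for why in r["reasons"]:
            print("           -", why)
```

The benign one-time-code message scores only for naming the brand, which is why the brand alone never reaches the threshold; the link-to-another-domain check is only applied when a brand is named, so an ordinary delivery notification with a link scores nothing.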

Conclusion

As cryptocurrencies become more popular amongst the general public, the use of cryptocurrency-based scams by cybercriminals will continue to rise. However, researchers have demonstrated that it is possible to trace stolen Bitcoin and build a taint chain in which good coin can be distinguished from bad coin. In the future there may be some recourse for the victims of stolen cryptocurrencies.

Owners of cryptocurrency need to be vigilant about such scams and wary of any unsolicited enquiries about their holdings. As our analysis shows, 2FA is still susceptible to social engineering, since a one-time code can be relayed to the real site just as easily as a password. That said, 2FA remains a relatively secure way of protecting online accounts, and newer 2FA methods could be considered, such as Universal 2nd Factor (U2F), a physical key such as a USB or NFC device used for authentication. Google has reported that since adopting physical security keys they have not had a single case of account takeover of any of their employees.
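The difference between a relayed one-time code and a physical security key comes down to what the second factor is bound to. The added example below (written for this page, not code from the post) implements TOTP as specified in RFC 6238, shows a real-time relay of the kind described for the Coinbase kit succeeding against it, and then shows the same relay failing against an assertion that commits to the origin the browser is actually on. The origin-bound part uses an HMAC keyed with a per-credential secret as a stand-in for the ECDSA signature a U2F/WebAuthn authenticator produces; the origins, keys and the five-second relay delay are assumptions.

```python
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://www.coinbase.com"   # the site being impersonated
PHISH_ORIGIN = "https://ca-fork.com"        # one of the domains from the table above, assumed to host the relay


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30 s steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpServer:
    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret

    def verify(self, code: str, now: int) -> bool:
        # Accept the current and the previous step to tolerate clock skew, as most sites do.
        return any(hmac.compare_digest(code, totp(self.secret, now - skew)) for skew in (0, 30))


def relay_totp(shared_secret: bytes, now: int, relay_delay: int = 5) -> bool:
    """Victim types the code from their app into the phishing page; the kit forwards it."""
    server = TotpServer(shared_secret)
    code_typed_on_phish = totp(shared_secret, now)              # victim's authenticator output
    return server.verify(code_typed_on_phish, now + relay_delay)  # nothing ties the code to a site


class OriginBoundServer:
    """Relying party that only accepts assertions computed over its own origin."""

    def __init__(self, credential_key: bytes):
        self.key = credential_key

    def challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, assertion: bytes) -> bool:
        expected = hmac.new(self.key, challenge + LEGIT_ORIGIN.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(assertion, expected)


def authenticator_assert(credential_key: bytes, challenge: bytes, origin_seen_by_browser: str) -> bytes:
    # The browser, not the page, supplies the origin, and the authenticator signs over it.
    # HMAC stands in here for the ECDSA signature of a real U2F/WebAuthn device.
    return hmac.new(credential_key, challenge + origin_seen_by_browser.encode(), hashlib.sha256).digest()


def relay_origin_bound(credential_key: bytes) -> bool:
    """The kit fetches a real challenge and relays the victim's assertion unchanged."""
    server = OriginBoundServer(credential_key)
    challenge = server.challenge()
    assertion = authenticator_assert(credential_key, challenge, PHISH_ORIGIN)
    return server.verify(challenge, assertion)   # origin mismatch: rejected


def legit_origin_bound(credential_key: bytes) -> bool:
    server = OriginBoundServer(credential_key)
    challenge = server.challenge()
    return server.verify(challenge, authenticator_assert(credential_key, challenge, LEGIT_ORIGIN))


if __name__ == "__main__":
    shared, cred = secrets.token_bytes(20), secrets.token_bytes(32)
    print("TOTP relay accepted:        ", relay_totp(shared, 1_600_000_000))
    print("origin-bound relay accepted:", relay_origin_bound(cred))
    print("origin-bound legit accepted:", legit_origin_bound(cred))
```

The TOTP implementation reproduces the RFC 6238 test vector (secret "12345678901234567890", time 59, six digits gives 287082), so the relay result is not an artefact of a toy code generator; the relay succeeds because the code carries no information about where it was typed, whereas the origin-bound assertion fails the moment the browser reports the phishing domain.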


AdaptiveMobile Event Series - RAG Nairobi


We’ve just finished up an exciting and engaging few days in Nairobi at the recent Risk and Assurance Group (RAG) meeting. The focus of this particular meeting was to take a deeper look at emerging security concerns for operators and review the priorities for fraud prevention in Africa and we spent a great deal of time discussing the latest cybersecurity challenges for operators.

A shot of the audience at RAG Nairobi, September 11th – 12th 2018

We were in excellent company with leaders from Vodafone Group, Vodacom, MTN Group and Safaricom – our hosts – discussing international trends in fraud and risk and how the industry can come together to better protect mobile subscribers.

One of the key points being made consistently throughout the 2 conference days was that more sharing needs to be done within the operator community, and indeed also amongst the vendors.

We know that core infrastructures are not inherently secured by current standards and we know that additional provisions need to be made. But a recurring theme was that compliance issues also need to be considered as more and more things are being connected and digitised. These new technologies, while promising, also come with their own set of challenges that operators need to be prepared to deal with – but where are we if our core infrastructures are not adequately secured?


Karel van der Lecq (AdaptiveMobile Security, center-left) and Faaez Burney (AdaptiveMobile Security, center-right) discussing emerging cybersecurity challenges with Eric Priezkalns (RAG Chief Executive Officer, left) and Luke Taylor (Founder of Risk Reward Awards, right).

All businesses are now, in one way or another, linked to technology and the internet, so audit and risk functions are all the more important: risks associated with third-party functions operating on your platform can also result in damages. It's now more important than ever to ensure we work together to protect mobile subscribers, now and in the future.

Karel van der Lecq (left) and Faaez Burney (right). AdaptiveMobile Security’s Africa Sales Team at the RAG Conference in Nairobi.

The RAG group has held regular meetings since 2004, and is the world’s longest running business assurance group. Its focus is on telecoms, covering the most pressing concerns of risk management, revenue assurance, fraud management and security for global operators. For more information on RAG, please visit their website: https://riskandassurancegroup.org/.

###

Is GDPR a Threat to a Country’s National Security?


AdaptiveMobile Security’s CEO, Brian Collins, takes a deeper look at how the new EU regulation could hinder national security initiatives

With the much heralded arrival/imposition of the General Data Protection Regulation aka GDPR on the 25th of May 2018 now past, it is time, especially as a security company that reviews data for threats to subscribers, to discuss whether this much vaunted legislation is actually being effective in protecting people’s data rights or simply spreading a landscape of fear that is hindering the valuable uses of data that support national initiatives in the defeat of terrorism, fraud and criminal activity.

GDPR was created some years back with the noble aspiration of harmonising data protection laws across all EU member states. It requires that personal data be processed lawfully, fairly and in a transparent manner in relation to individuals and details a specific set of criteria surrounding the collection and storage of such data. Those outside the EU complain it is a “get back” against the US internet giants like Google and Facebook while further highlighting Europe’s failure to present an internet giant of its own – that conversation, however is for another forum.

Data hygiene is one thing, but data hysteria an entirely different matter!

For those unfamiliar with the workings of EU law, regulations are adopted by the EU Institutions and have binding legal force throughout every Member State, with no national laws being required to implement them. Directives, meanwhile are adopted by the EU Institutions and lay down certain results that must be achieved but each Member State is free to decide how to transpose directives into national laws.

Now that the avalanche of emails has more or less ceased from just about every company you ever committed an email address to, we believe it is time to see whether, by accident or design, GDPR has changed people's habits in how they use their personal details, now that they know there is an obligation upon the data recipient (“processor? controller?”) to handle their data in line with this legislation. We ask the question: is a by-product of this data sea change possibly depriving the security agencies of the key resource (data) required to protect their citizens and their national critical infrastructure?

It is undoubtedly early days, but as a company that processes over 40 billion security events a day our view is a resounding yes! One of the key tenets of GDPR relates to encryption, and the regulation has certainly made data users a lot savvier and more educated regarding how encryption works and its specific uses. Whereas in a lot of cases law enforcement and security agencies have significant tools to decrypt certain types of encrypted traffic, this is a slow and laborious process requiring keys and continuous updates. Within our day-to-day security processing, we have seen a 1.4% increase in the level of encrypted traffic in recent months.

This article does not harbour the ambition to be the forum to debate the pros and cons of encrypting traffic. We all use encryption on a near-daily basis: online banking, online commerce, WhatsApp, etc. The traditional argument, offered by the misinformed, that weakening encryption for one specific purpose weakens it for all is not valid when it comes to matters of national security. The fact that everyone uses encryption should not detract from the fact that the bad guys abuse it, and hence make the entire reason for encrypting unsafe.

Finding workable and fair solutions regarding encryption has been the focus of the intelligence alliance known as the Five Eyes, i.e. the US, Australia, New Zealand, Canada and the UK. Following a meeting in 2017, a press release was issued stating the alliance's view that encryption can “severely undermine public safety efforts” and committing members to working together to find common ground to “explore shared solutions”. Such statements put the fundamental tenet of GDPR to shame: attempting a “one size fits all” approach to the ever-evolving and mind-boggling issue of the value of data access ignores that data security must be solved by a multi-agency approach, as opposed to the somewhat contaminated and biased view of some European governments who have ultimately failed to foster the environment that would allow a European Google to prosper.

It is undoubtedly early days for GDPR, but as a security company headquartered in Europe and involved every day in the battle against abusers of data (criminals, cynical nation states and fraudsters) it is worth placing under serious consideration: that GDPR as it stands is a cause for concern for national security and critical infrastructure security both today and in the future.

The irony is not lost that in its current format, GDPR could lead to reduced security and increased privacy risks, which would seem to be the opposite of what it was created to achieve in the first place.

###

Keeping a Low Profile – Detecting the Presence of IMSI Catchers around the World


One of the good things about working in the area of core network security, is the opportunity to find new and unexpected types of attacks. These are attacks you didn’t even know could happen, much less have a chance to prevent. Finding these unexpected attacks doesn’t just happen though, it requires experience and investigation, but most importantly it needs the mindset to dig deeper into any strange events that are encountered, and try to understand them, rather than just assuming they are random malicious events.

In this particular case, we are discussing IMSI Catchers. First off, though, the term IMSI catcher is misused and sometimes contradictory. As explained here, there are actually two types of equipment that the public (and many in the industry) conflate into what they would call IMSI catchers.

  • ‘Active’ IMSI Catchers, also termed Cell Site Simulators (CSS) or Fake Base Stations: these attempt to force nearby devices to connect to the simulator, in order to intercept and decrypt calls and texts and to execute man-in-the-middle attacks. These are the more ‘traditional’ type of IMSI catcher most people would be aware of. Stingray is also a common term for them (named after the product built by Harris Corporation). A good overview of how Active IMSI Catchers/Cell Site Simulators work is here.
  • Passive IMSI Catchers: these passively listen in to the paging of mobile devices as they move and register to new, real cell towers in the local area, in order to collect the IMSI numbers of those devices. They are far less precise and are unable to do any of the more sophisticated types of interception, but involve no interaction between the mobile device and the IMSI Catcher. An overview of how these could work, and how they function, is here.

The primary difference between these two is that the more traditional Active IMSI Catcher/CSSs always involves some form of interaction with the mobile device, whereas the Passive IMSI Catcher doesn’t - it literally just listens in to the paging that occurs in the local areas as the mobile device changes between legitimate cell towers in the vicinity. This makes a big difference when it comes to detection of these IMSI Catcher types.

A lot of research has gone into ways of detecting Active IMSI Catchers by looking at how they differ from real cell towers. One distinctive example of what an Active IMSI Catcher might do is force its target device down to a less secure radio interface. Detecting Active IMSI Catchers this way can be difficult, involves a lot of local measurements and has often led to false positives in the past, but it gives some results. From the attacker's perspective it is also a trade-off: they must make the effort to physically deploy an Active IMSI Catcher in a sensitive area and then hope its radio activity doesn't give it away. This is often why more sophisticated attackers resort to attacks over signalling interfaces such as SS7 and Diameter, which can be launched from anywhere in the world.

A Passive IMSI Catcher changes things somewhat. It still involves physical deployment of a system to listen in the local targeted area, but it is essentially undetectable on the radio interface, as it emits nothing that would allow it to be detected. This makes it very valuable to perform long-term surveillance in sensitive areas, when the goal is to have the least chance of being detected, while still trying to determine the IMSIs of who is in the local area.

The issue with both types of IMSI Catcher, from the attacker's perspective, is that what they are left with is a collection of IMSIs from around the world. While this information may be useful, often more is needed to profile who has been ‘caught’. For Active IMSI Catcher deployments the attackers may also intercept calls and text messages, so have a better idea of the target, but with a Passive IMSI Catcher they won't have that. What the attackers really need is the corresponding phone number, the MSISDN of the mobile device associated with the IMSI, in order to truly figure out the identities of the devices their IMSI catcher has caught.

This is where our analysis and investigation comes in. Over time, we have been seeing patterns of unusual requests over the SS7 interface for particular IMSIs. Specifically, our Signalling Firewalls, deployed at multiple customer mobile operators, have been receiving suspicious MAP_RESTORE_DATA packets for IMSIs from unexpected sources. MAP_RESTORE_DATA is the command a visited network's VLR sends to the subscriber's home HLR when it has lost that subscriber's record (for example after a restart), asking the home operator to resend the subscriber's details to the roamed-to network. Those details include the MSISDN (the actual phone number), call forwarding settings and other specific information, so the only legitimate source of the request is the VLR currently serving the IMSI. Further investigation showed that we always received this command when these IMSIs were near or attached to specific cell sites while roaming in a third country, and nowhere else.

 

Our working theory is that what we are observing is what we now call “IMSI Profilers”. These work in conjunction with IMSI Catchers: they take the list of IMSIs that have been caught and request profile information for each, in order to feed the phone numbers back to the IMSI catcher operator. The sequence of events we believe takes place is shown above. From log analysis it also seems likely (but can't be confirmed 100%) that the IMSI Catcher in the third country is of the passive variety. In this particular case, the IMSI Profiler is using a source SS7 address (an SCCP Global Title, or GT) belonging to a small European mobile operator that our SIGIL (Signalling Intelligence) system has previously seen used by multiple surveillance companies, further confirming our suspicion that it is malicious.

Regardless of the IMSI catcher type used, this method of analysing incoming suspicious signalling activity gives the opportunity for mobile operators to partially protect their subscribers against IMSI Catchers around the world, something they didn’t have in the past. It won’t stop an Active IMSI Catcher from forcing a subscriber to connect to them, but it would stop additional information being retrieved. And in the case of passive IMSI catcher it is potentially one of the only ways to detect these remotely and block any more useful information being obtained.
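The detection described above can be expressed as a stateful check at the signalling firewall: a MAP RestoreData (operation code 57) for an IMSI is only expected from the VLR that the HLR currently knows is serving that IMSI, which is learned from the last UpdateLocation (operation code 2), so a request from any other Global Title, or from a GT on a list of addresses previously tied to surveillance activity, is the IMSI Profiler pattern. The example below is added for this page and is not AdaptiveMobile's firewall code; the event records, the watchlist entry, the GT country lookup by E.164 country code and the test-network IMSIs (MCC 001) are all constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# E.164 country code -> country for the GTs used below (a real deployment needs the full numbering plan).
CC_TO_COUNTRY = {"44": "GB", "49": "DE", "33": "FR", "254": "KE"}

OP_UPDATE_LOCATION = 2
OP_RESTORE_DATA = 57


@dataclass
class MapEvent:
    t: int            # arrival time, seconds
    opcode: int       # MAP operation code
    imsi: str
    calling_gt: str   # SCCP calling party Global Title, E.164 digits


def gt_country(gt: str) -> str:
    """Longest-prefix match of the GT against the country code table."""
    for n in (3, 2, 1):
        if gt[:n] in CC_TO_COUNTRY:
            return CC_TO_COUNTRY[gt[:n]]
    return "??"


@dataclass
class ProfilerDetector:
    watchlist: set = field(default_factory=set)      # GTs previously seen in surveillance activity
    serving_vlr: dict = field(default_factory=dict)  # imsi -> GT that sent the last updateLocation

    def process(self, ev: MapEvent) -> Optional[dict]:
        if ev.opcode == OP_UPDATE_LOCATION:          # remember which VLR serves the IMSI
            self.serving_vlr[ev.imsi] = ev.calling_gt
            return None
        if ev.opcode != OP_RESTORE_DATA:
            return None
        reasons = []
        vlr = self.serving_vlr.get(ev.imsi)
        if vlr is None:
            reasons.append("restoreData for an IMSI with no prior updateLocation")
        elif vlr != ev.calling_gt:
            reasons.append(f"restoreData from {ev.calling_gt} but serving VLR is {vlr}")
            if gt_country(vlr) != gt_country(ev.calling_gt):
                reasons.append(f"source country {gt_country(ev.calling_gt)} differs from "
                               f"roaming country {gt_country(vlr)}")
        if ev.calling_gt in self.watchlist:
            reasons.append("source GT is on the surveillance watchlist")
        if not reasons:
            return None                               # the serving VLR asking for its own data: legitimate
        return {"t": ev.t, "imsi": ev.imsi, "gt": ev.calling_gt, "action": "block", "reasons": reasons}


def run(events, watchlist) -> list:
    det = ProfilerDetector(watchlist=set(watchlist))
    return [a for a in (det.process(e) for e in events) if a]


# Constructed sample: MCC 001 is the test network, the GTs are made up.
EVENTS = [
    MapEvent(100, OP_UPDATE_LOCATION, "001010000000001", "447900000001"),  # subscriber 1 registers on a GB VLR
    MapEvent(160, OP_RESTORE_DATA,    "001010000000001", "447900000001"),  # that VLR re-requests the profile: fine
    MapEvent(200, OP_RESTORE_DATA,    "001010000000002", "339900000007"),  # IMSI never registered anywhere
    MapEvent(260, OP_RESTORE_DATA,    "001010000000001", "493000000042"),  # DE GT asks while subscriber is in GB
]
WATCHLIST = {"493000000042"}

if __name__ == "__main__":
    for alert in run(EVENTS, WATCHLIST):
        print(alert)
```

The location state makes the check work even for a GT that has never been seen before: the fourth event would be blocked on the VLR mismatch alone, and the watchlist entry only adds a reason.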

In the long term, improvements in the new 5G radio and core network standards mean that mobile operators should be able to greatly improve their ability to block IMSI Catchers over 5G. If these are implemented correctly and no loopholes are introduced, then effective 5G IMSI Catchers may never arise. In the interim, however, IMSI Catchers, both Passive and Active, are being used globally to track and record individuals without their consent. By analysing incoming signalling traffic, and detecting and blocking these IMSI Profilers, mobile operators now have the opportunity to help protect their subscribers globally, regardless of how stealthy the IMSI Catcher is.

Simjacker – Next Generation Spying Over Mobile


Today we are announcing the existence of the vulnerability and associated exploits that we call Simjacker. We believe this vulnerability has been exploited for at least the last two years by a highly sophisticated threat actor in multiple countries, primarily for the purposes of surveillance. Beyond the impact on its victims, from our analysis Simjacker and its associated exploits are a huge jump in complexity and sophistication compared to attacks previously seen over mobile core networks. It represents a considerable escalation in the skillset and abilities of attackers seeking to exploit mobile networks.

We will be giving technical details on Simjacker during the Virus Bulletin Conference, London, 3rd October 2019 but in this blog we will give an overview of Simjacker, how it works and who is potentially exploiting it, as well as why it is such a significant new type of attack.

How it Works

At its simplest, the main Simjacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the UICC (SIM card) within the phone to ‘take over’ the handset in order to retrieve sensitive information and perform commands.

The attack begins when an SMS, which we term the Simjacker ‘Attack Message’, is sent to the targeted handset. This Attack Message, sent from another handset, a GSM modem or an SMS-sending account connected to an A2P (application-to-person) service, contains a series of SIM Toolkit (STK) instructions and is specifically crafted to be passed on to the UICC/eUICC (SIM card) within the device. For these instructions to work, the attack exploits the presence of a particular piece of software on the UICC called the S@T Browser. Once the Attack Message is received by the UICC, it uses the S@T Browser library as an execution environment on the UICC, from which it can trigger logic on the handset. For the main attack observed, the Simjacker code running on the UICC requests location and specific device information (the IMEI) from the handset. Once this information is retrieved, the Simjacker code collates it and sends the combined information to a recipient number via another SMS (which we call the ‘Data Message’), again by triggering logic on the handset. This Data Message is the method by which the location and IMEI are exfiltrated to a remote phone controlled by the attacker.

During the attack, the user is completely unaware that they received the SMS with the Simjacker Attack message, that information was retrieved, and that it was sent outwards in the Data Message SMS - there is no indication in any SMS inbox or outbox. 

What makes this Attack work and why is it Special?

The attack relies both on these specific SMS messages being allowed and on the S@T Browser software being present on the UICC in the targeted phone. It has been demonstrated before how specific SMS messages targeting UICC cards could be exploited for malicious purposes. The Simjacker attack takes a different approach and greatly simplifies and expands the attack by relying on the S@T Browser software as an execution environment. The S@T (pronounced ‘sat’) Browser, or SIMalliance Toolbox Browser to give it its full name, is an application specified by the SIMalliance, and can be installed on a variety of UICCs (SIM cards), including eSIMs. This S@T Browser software is not well known, is quite old, and its initial purpose was to enable services such as getting your account balance through the SIM card. Globally its function has mostly been superseded by other technologies, and its specification has not been updated since 2009; however, like many legacy technologies it is still being used while remaining in the background. We have observed the S@T protocol being used by mobile operators in at least 30 countries whose cumulative population adds up to over a billion people, so a sizeable number of people are potentially affected. It is also highly likely that additional countries have mobile operators that continue to use the technology on specific SIM cards.

This attack is also unique in that the Simjacker Attack Message could logically be classified as carrying a complete malware payload, specifically spyware, because it contains a list of instructions that the SIM card is to execute. As software is essentially a list of instructions, and malware is ‘bad’ software, this could make the Simjacker exploit the first real-life case of malware (specifically spyware) sent within an SMS. Previous malware sent by SMS, such as the incidents we profiled here, involved sending links to malware, not the malware itself within a complete message.

Beyond Location

However, the novelty and potential of Simjacker does not stop there. Retrieving a person’s location is one thing, but by using the same technique, and by modifying the attack message, the attacker could instruct the UICC to execute a range of other attacks. This is because using the same method the attacker has access to the complete STK command set, some examples of these STK commands are:

  • PLAY TONE
  • SEND SHORT MESSAGE
  • SET UP CALL
  • SEND USSD
  • SEND SS
  • PROVIDE LOCAL INFORMATION
    • Location Information, IMEI, Battery, Network, Language, etc
  • POWER OFF CARD
  • RUN AT COMMAND
  • SEND DTMF COMMAND
  • LAUNCH BROWSER
  • OPEN CHANNEL
    • CS BEARER, DATA SERVICE BEARER, LOCAL BEARER, UICC SERVER MODE, etc
  • SEND DATA
  • GET SERVICE INFORMATION
  • SUBMIT MULTIMEDIA MESSAGE
  • GEOGRAPHICAL LOCATION REQUEST

By using these commands in our own tests, we were able to make targeted handsets open up web browsers, ring other phones, send text messages and so on. These attacks could be used to fulfil such purposes as

  • Mis-information (e.g. by sending SMS/MMS messages with attacker-controlled content)
  • Fraud (e.g. by dialling premium rate numbers)
  • Espionage (as well as the location-retrieving attack, an attacked device could function as a listening device by ringing a number)
  • Malware spreading (by forcing a browser to open a web page hosting malware)
  • Denial of service (e.g. by disabling the SIM card)
  • Information retrieval (retrieving other information such as language, radio type, battery level etc.)

It may even be possible to go further, depending on handset type, which we will discuss in our VB2019 presentation. Worryingly, we are not the only people to think of these additional attacks: over the last few weeks and months we have observed the attackers themselves experimenting with these different capabilities.

Finally, another benefit of Simjacker from the attacker's perspective is that many of its attacks seem to work independently of handset type, as the vulnerability depends on the software on the UICC and not on the device. We have observed devices from nearly every manufacturer being successfully targeted to retrieve location: Apple, ZTE, Motorola, Samsung, Google, Huawei, and even IoT devices with SIM cards. One important note is that for some specific attacks handset types do matter. Some, such as setting up a call, require user interaction to confirm, but this is not guaranteed, and older phones or devices with no keypad or screen (such as IoT devices) may not even ask for it.

Who is Doing this

The next question then is who is exploiting this, and why? We are quite confident that this exploit has been developed by a specific private company that works with governments to monitor individuals. As well as producing this spyware, this same company also has extensive access to the SS7 and Diameter core network, as we have seen some of the same Simjacker victims being targeted using attacks over the SS7 network as well, with SS7 attack methods being used as a fall-back when Simjacker attacks do not succeed. So far we have seen phone numbers from several countries being targeted by these attacks, and we are very certain that individuals in other countries have also been targeted via Simjacker attacks. Using our collection of Signalling Intelligence (SIGIL) we were able to correlate this Simjacker-related SS7 activity with a group we have already detected attempting to attack targets via SS7 around the world.

In one country we are seeing roughly 100-150 specific individual phone numbers being targeted per day via Simjacker attacks, although we have witnessed bursts of up to 300 phone numbers being tracked in a day; the distribution of tracking attempts varies. A few phone numbers, presumably high-value, were tracked several hundred times over a 7-day period, but most had much smaller volumes. A similar pattern was seen looking at per-day activity: many phone numbers were targeted repeatedly over several days, weeks or months at a time, while others were targeted as a once-off attack. These patterns and the number of tracking attempts indicate it is not a mass surveillance operation, but one designed to track a large number of individuals for a variety of purposes, with targets and priorities shifting over time. The ‘first use’ of the Simjacker method makes sense from this viewpoint, as doing this kind of large-volume tracking using SS7 or Diameter methods can potentially expose those sources to detection, so it makes more sense to preserve them for escalations or when difficulties are encountered.

Blocking the Attacks and Thinking Long-term

In order to deal with this vulnerability, we and the mobile industry have been taking a number of steps.

  1. We have been working with our own mobile operator customers to block these attacks, and we are grateful for their assistance in helping detect this activity.
  2. We also communicated the existence of this vulnerability to the GSM Association, the trade body representing the mobile operator community. The vulnerability has been managed through the GSMA CVD program, allowing information to be shared throughout the mobile community.
  3. As part of this, information was also shared with the SIMalliance, a trade body representing the main SIM card/UICC manufacturers, and they have made new security recommendations for the S@T Browser technology.

In general, our recommendation to the mobile community for dealing with the immediate threat is for mobile operators to analyse and block suspicious messages that contain S@T Browser commands. Mobile operators could also try to change the security settings of UICCs in the field remotely, or even uninstall and stop using the S@T Browser technology completely, but this may be slower and considerably more difficult to do. However, this is very much only a first step, given the greater implications of the Simjacker attacks.
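The first recommendation, analysing and blocking suspicious messages carrying S@T Browser commands, can be implemented at the SMS layer without understanding the S@T bytecode itself. SIM Toolkit commands are delivered over the air as a (U)SIM data download: an SMS with TP-PID 0x7F and message class 2, a (U)SIM Toolkit Security Header in the user data header (IEI 0x70), and then a TS 03.48 / ETSI TS 102 225 command packet whose header names the target application on the card (the TAR) and the security applied to it (the SPI). The added example below, written for this page and not the firewall logic described in the post, parses that header from the user data and blocks watched TARs that arrive without a cryptographic checksum or from anywhere other than the operator's own OTA platform. The TAR in the watchlist, the trusted-source flag and both hex PDUs are constructed: the S@T TAR values are not stated on this page and must be taken from the operator's SIM profiles, and the "secured data" bytes are filler rather than real S@T bytecode.

```python
# Watched TAR values (3 bytes, hex). Placeholder: real S@T Browser TARs come from the SIM profile.
WATCHED_TARS = {"b00010"}
INTEGRITY = {0: "none", 1: "rc", 2: "cc", 3: "ds"}   # SPI first byte, bits b2b1
IEI_SIM_TOOLKIT_SECURITY = 0x70
FIXED_HEADER_LEN = 13   # SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1)


def parse_udh(user_data: bytes):
    """Split the User Data Header into {IEI: data} and return the payload that follows it."""
    udhl = user_data[0]
    ies, i = {}, 1
    while i < 1 + udhl:
        iei, iedl = user_data[i], user_data[i + 1]
        ies[iei] = user_data[i + 2:i + 2 + iedl]
        i += 2 + iedl
    return ies, user_data[1 + udhl:]


def parse_command_packet(pkt: bytes) -> dict:
    """TS 03.48 command packet: CPL | CHL | SPI | KIc | KID | TAR | CNTR | PCNTR | RC/CC/DS | secured data."""
    cpl = int.from_bytes(pkt[0:2], "big")
    if 2 + cpl != len(pkt):
        raise ValueError(f"CPL {cpl} does not match packet length {len(pkt) - 2}")
    chl = pkt[2]
    if chl < FIXED_HEADER_LEN:
        raise ValueError("command header shorter than the fixed 13 bytes")
    spi1 = pkt[3]
    return {
        "spi": pkt[3:5].hex(), "kic": pkt[5], "kid": pkt[6],
        "tar": pkt[7:10].hex(), "cntr": int.from_bytes(pkt[10:15], "big"), "pcntr": pkt[15],
        "integrity": INTEGRITY[spi1 & 0x03], "ciphered": bool(spi1 & 0x04),
        "rc_cc_ds": pkt[16:3 + chl].hex(), "secured_data": pkt[3 + chl:].hex(),
    }


def classify(tp_pid: int, tp_dcs: int, user_data_hex: str, from_trusted_ota_platform: bool) -> dict:
    """Decide what a signalling/SMS firewall should do with one mobile-terminated SMS."""
    has_class = (tp_dcs >> 4) == 0xF or bool(tp_dcs & 0x10)
    if not (tp_pid == 0x7F and has_class and (tp_dcs & 0x03) == 0x02):
        return {"verdict": "pass", "reason": "not a (U)SIM data download"}
    ies, payload = parse_udh(bytes.fromhex(user_data_hex))
    if IEI_SIM_TOOLKIT_SECURITY not in ies:
        return {"verdict": "review", "reason": "SIM data download without a toolkit security header"}
    hdr = parse_command_packet(payload)
    verdict, reason = "allow", "watched TAR with cryptographic checksum from the OTA platform"
    if hdr["tar"] in WATCHED_TARS:
        if hdr["integrity"] in ("none", "rc"):       # RC is a plain redundancy check, not a MAC
            verdict, reason = "block", f"watched TAR {hdr['tar']} with no cryptographic checksum"
        elif not from_trusted_ota_platform:
            verdict, reason = "block", f"watched TAR {hdr['tar']} from an untrusted source"
    elif hdr["integrity"] in ("none", "rc"):
        verdict, reason = "review", "unwatched TAR without integrity protection"
    else:
        reason = "unwatched TAR with integrity protection"
    return {"verdict": verdict, "reason": reason, **hdr}


# Constructed user data (hex). UDH 02 70 00, then the command packet. Data bytes are filler.
ATTACK_UD = ("027000" + "0012" + "0d" + "0000" + "00" + "00" + "b00010"
             + "0000000000" + "00" + "aabbccdd")                      # SPI 0000: no security at all
LEGIT_UD = ("027000" + "001a" + "15" + "0200" + "00" + "00" + "b00010"
            + "0000000001" + "00" + "1122334455667788" + "aabbccdd")  # SPI 0200: cryptographic checksum

if __name__ == "__main__":
    print(classify(0x7F, 0xF6, ATTACK_UD, from_trusted_ota_platform=False))
    print(classify(0x7F, 0xF6, LEGIT_UD, from_trusted_ota_platform=True))
```

The check deliberately keys on the security header rather than on the S@T payload: an operator that legitimately pushes S@T commands does so from its own OTA platform with a cryptographic checksum keyed into the card, so an unsigned message for the same TAR from a handset, GSM modem or A2P account has no legitimate reason to exist.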

The existence of Simjacker at all means that we need to radically alter our mindset when it comes to the security of mobile core networks. We believe that the Simjacker attack evolved as a direct replacement for the abilities that were lost to mobile network attackers when operators started to secure their SS7 and Diameter infrastructure. But whereas successful SS7 attacks required specific SS7 knowledge (and access), the Simjacker Attack Message requires a much broader range of specific SMS, SIM card, handset, SIM Toolkit, S@T Browser and SS7 knowledge to craft. This investment has clearly paid off for the attackers, as they ended up with a method to control any mobile phone in a certain country, all with only a $10 GSM modem and a target phone number. In short, the advent of Simjacker means that attackers of mobile operators have invested heavily in new attack techniques, and this new investment and skillset means we should expect more of these kinds of complex attacks.

As a consequence, we in the mobile security community also need to improve our capabilities. For mobile operators, this means that relying on existing recommendations will not be sufficient to protect themselves, as attackers like these will always evolve to try to evade what is put in place. Instead mobile operators will need to constantly investigate suspicious and malicious activity to discover ‘hidden’ attacks. We can and should expect other vulnerabilities and attacks that also evade existing defences to be discovered and abused. As the attackers have expanded their abilities beyond simply exploiting unsecured networks to a very complex mix of protocols, execution environments and technologies, mobile operators will also need to increase their own abilities and investment in detecting and blocking these attacks.

The Future

We are only scratching the surface of Simjacker in this article. In our presentation at the Virus Bulletin Conference, London, on the 3rd of October 2019 we will give more details on the format of the attacks, what the attackers do to attempt to evade detection and how they operate their system, along with a flavour of their reaction since their attacks were detected and blocked. We will also give our view on what we believe these attacks will evolve into next. We expect a reaction to this news being made public, and we will present what effect (if any) the public revelations have had on their malicious activity.

The Simjacker exploit represents a huge, nearly Stuxnet-like, leap in complexity from previous SMS or SS7/Diameter attacks, and shows us that the range and possibility of attacks on core networks are more complex than we could have imagined in the past. Now is the time to make sure that we stay ahead of these attacks in the future.

Simjacker - Frequently Asked Questions and Demos


Last week, on the 3rd of October, we presented our research into Simjacker at VB2019. Also that day, we issued a technical paper on Simjacker, which is freely available on www.simjacker.com. This paper contains all the technical details about Simjacker, i.e. the Simjacker vulnerability, how it is being exploited, how the attackers have varied their attacks, as well as related attacks and technologies. As we have received a lot of questions over the last few weeks regarding Simjacker, we have also created this blog that answers the most frequently asked questions that have arisen on Simjacker recently. Further details on each of these points, and additional information, are available in the report.

 

1) What is the purpose of the attacks / How is the attack executed?

The primary purpose of the attackers is to retrieve Location information (serving Cell ID) and device information from targeted mobile phone users. An example of one of these attacks is below. Very occasionally other functionality like displaying text, opening up a web page or various forms of testing are executed by the attackers, an example of the browser being opened is also below. The attack is normally done by sending a specific kind of SMS to the targeted mobile subscriber. The contents of this SMS, which are a set of instructions, are then executed by the SIM Card within the subscriber's mobile handset. In this case the SIM Card runs the instructions by retrieving the location and type of the mobile handset, from the handset, and sending another SMS back to the attacker, which contains the retrieved information, all without any indication to the user.

For more information - Simjacker Technical Report: Section 3 & Section 4 (report)

Example of Location (Cell-ID retrieval); victim handset is currently roaming in Ireland (MCC=272) and on Irish Mobile Operator (MNC=01, VF Ireland). Note: VF Ireland are the roamed-to operator for the vulnerable SIM, they are not the vulnerable operator. Note: ~5 second SMS transmission delay removed.

Example of Browser(s) being opened automatically by sending instructions. 3 websites are instructed to be opened within a new browser window. Such a method could be used (in conjunction with a handset vulnerability if one was known) to download mobile malware onto a handset from an infected website. Note: ~5 second SMS transmission delay removed.

 

2) Who is being targeted/Am I being targeted:

It is highly unlikely. As the report outlines, we have detected hundreds of mobile subscribers per day being targeted, but we have only detected the Simjacker vulnerability being exploited against subscribers from 3 countries – Mexico, Colombia and Peru – so far. Also, the threat actor that we observed using this exploit generally sells it to nation-state customers. The ‘average’ person is not likely to be targeted; as with SS7, the main targets are probably those that are of interest to nation-state customers.

For more information - Simjacker Technical Report: Section 4 & Section 6 (report)

 

3) Is my phone vulnerable/Isn’t this an old, unused technology?

The attack targets SIM Cards which contain a technology called the S@T Browser. The S@T Browser technology is used by at least 61 mobile operators, in at least 29 countries. A map is available in our report (and below) of what countries we believe still use the technology. As we also specify in our report, the most probable, conservative estimate is that mid to high hundreds of millions of SIM Cards globally are affected. While the S@T Browser specification may not have been updated between 2009 and now, it is still widely deployed. The SIM Card technology itself is independent of handset type, i.e. Android, iPhone and IoT type devices are all vulnerable if their embedded SIM Card uses the technology.

For more information - Simjacker Technical Report: Section 7 & Section 3 (report)

Countries where there are 1 or more Mobile Operators actively using S@T Browser on SIM Cards with no-security level set

 

4) How can I protect myself

Unfortunately, there is very little that a person can do to protect themselves. There are tools which you can download to determine whether your SIM card is vulnerable (with special equipment), or potentially tell if you are being targeted (but this requires a rooted device); however, these do not lead to protection in themselves. The only entities that can put in protection for targeted subscribers are the Mobile Operators. Their options are to change the security settings on the SIM Cards and/or put special filtering in place to prevent the SMS exploiting the Simjacker vulnerability from being received by targeted mobile subscribers.

For more information - Simjacker Technical Report: Section 8 (report)

 

5) Why is the S@T Browser technology vulnerable?

The S@T Browser technology is vulnerable due to an apparent oversight in the S@T Browser specification. There are 4 different ‘protocols’ (commands) defined within the S@T Browser, and security levels are recommended for them. However, the commands used in these attacks, Push messages, didn’t have any security level associated with them. This lack of a recommendation or specification meant that no security was associated with these commands in practice, and that any source could send S@T Browser messages that would run on the SIM card with no authentication.

For more information - Simjacker Technical Report: Section 3 (report)
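As an added illustration (not AdaptiveMobile's code nor anything from the report), this is the shape of the operator-side filtering mentioned in question 4, applied to the security-level gap described in question 5: it parses the public 3GPP TS 23.048 / TS 31.115 command packet header carried in a SIM OTA SMS (assumed already identified as SIM data download, TP-PID 0x7F, and unwrapped from the TPDU) and blocks commands addressed to a watched toolkit application that carry no keyed integrity check and no ciphering. The watched TAR value and the sample packets are constructed placeholders.

```python
from dataclasses import dataclass

# Placeholder TAR: substitute the S@T Browser TAR range assigned in ETSI TS 101 220.
WATCHED_TARS = {bytes.fromhex("AABBCC")}

@dataclass
class CommandHeader:
    spi: bytes      # Security Parameter Indicator (2 octets)
    kic: int        # key/algorithm identifier for ciphering
    kid: int        # key/algorithm identifier for RC/CC/DS
    tar: bytes      # Toolkit Application Reference (3 octets): which SIM app gets the payload
    counter: bytes  # CNTR (5 octets), replay protection
    padding: int    # PCNTR

    @property
    def integrity(self) -> str:
        # SPI first octet, bits b2b1: 00 none, 01 RC (plain CRC), 10 CC (MAC), 11 DS (signature)
        return ("none", "RC", "CC", "DS")[self.spi[0] & 0x03]

    @property
    def ciphered(self) -> bool:
        return bool(self.spi[0] & 0x04)  # SPI first octet, bit b3

def parse_command_packet(packet: bytes) -> CommandHeader:
    """Parse a TS 23.048 command packet: CPL(2) CHL(1) SPI(2) KIc KID TAR(3) CNTR(5) PCNTR [RC/CC/DS] data."""
    if len(packet) < 16:
        raise ValueError("truncated command packet")
    cpl = int.from_bytes(packet[0:2], "big")   # octets following CPL, including CHL
    chl = packet[2]                            # octets from SPI to end of RC/CC/DS
    if cpl != len(packet) - 2 or chl < 13 or 3 + chl > len(packet):
        raise ValueError("inconsistent length fields")
    h = packet[3:3 + chl]
    return CommandHeader(h[0:2], h[2], h[3], h[4:7], h[7:12], h[12])

def should_block(packet: bytes) -> bool:
    """Operator-side filter rule: drop a SIM OTA command addressed to a watched toolkit
    application when it carries no keyed integrity check and is not ciphered, i.e. the
    'no security level' condition that the S@T Browser push path permitted."""
    hdr = parse_command_packet(packet)
    return hdr.tar in WATCHED_TARS and hdr.integrity in ("none", "RC") and not hdr.ciphered

# Constructed samples (not captured traffic), laid out per the header format above.
UNSECURED = bytes.fromhex("0010" "0D" "0000" "00" "00" "AABBCC" "0000000000" "00" "0102")
SECURED = bytes.fromhex("0018" "15" "1621" "15" "15" "AABBCC" "0000000001" "00"
                        "1122334455667788" "0102")
OTHER_APP = bytes.fromhex("0010" "0D" "0000" "00" "00" "112233" "0000000000" "00" "0102")

if __name__ == "__main__":
    for name, pkt in (("UNSECURED", UNSECURED), ("SECURED", SECURED), ("OTHER_APP", OTHER_APP)):
        print(name, parse_command_packet(pkt).integrity, "block" if should_block(pkt) else "pass")
```

A production filter would also have to handle concatenated OTA messages and the TP-PID/TP-DCS checks that identify a SIM data download SMS in the first place.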

 

6) Was this vulnerability reported before?

Not to our knowledge. The Simjacker vulnerability AdaptiveMobile Security reported being used is in a specific SIM card technology called the S@T Browser. The way the S@T Browser is being exploited is via specific SMSs called SIM OTA SMS (although other ways of attacking the SIM are possible). Previous publicly revealed research has shown how these kinds of SMS can be used to execute other unwanted functionality around SIM Cards; examples include triggering an automated response or obtaining a SIM DES key, and in fact the potential for misuse of SIM OTA SMS had been discussed within the industry even before these. However, the specific Simjacker vulnerability is the misuse of the S@T Browser environment, not the misuse of SIM OTA SMS.

The closest previously publicly reported research would have been specific exploits attributed to the NSA TAO team which also obtained location information, but these are stated as requiring OTA keys, and so are highly unlikely to have used the S@T Browser vulnerability. The fact that the vulnerability is being actively exploited has also not been reported before. 

For more information - Simjacker Technical Report: Section 3 & Appendix A (report)

 

7) What is being done to block these attacks

Within the GSMA Association, specific information from AdaptiveMobile and the GSMA has been distributed for some time on the vulnerability and the best ways to prevent and block these attacks. In addition, the SIMalliance made some updates to its S@T browser specifications to improve the security of these applications. Taken together these have the potential to greatly reduce the risk of the attacks being successful.

One important aspect highlighted in the report is the sheer range of evasion techniques tried by these particular attackers. The attackers have been executing highly complex functionality that many mobile operators would not have considered when putting in place previous recommendations. To defend against these attacks, Mobile Operators, to be safe, would need to be far more vigilant in their day to day security.

For more information - Simjacker Technical Report: Section 8 & Section 4 (report)

 

8) How come you are only releasing the details now

A limited amount of public information was released initially on the 12th of September. However, in the background, technical details had been shared to the GSM Association as part of a Co-ordinated Vulnerability Disclosure (CVD) process since late June, for mobile operators to act upon. Mobile operators are essentially the only entities who can effectively stop these attacks which is why the focus was on sharing information with them and alerting them first in a responsible manner.

For more information - Simjacker Technical Report: Section 2 (report)

 

9) Who is the company you believe responsible?

Within the report we outline why we think it is a surveillance company that developed this exploit. However, we have not named the specific company that we believe is responsible, as to do so we would need to release some additional proof. That proof would also reveal specific methods and information that would impact our ability to protect subscribers. Overall, the actual identity of the exploit developer is not essential to know when planning how to defend against these types of exploits. We know that it has been used by an attacker who executes highly sophisticated and complex attacks, and so Mobile Operators should expect them to adapt quickly to any defences and try new techniques in the future.

For more information - Simjacker Technical Report: Section 6 (report)

 

10) What about other SIM Card technologies like WIB?

WIB is a proprietary SIM card technology like S@T which reports show could also be exploited via ‘Simjacker-like’ attacks. However, it’s important to state that we haven’t seen any attacks involving WIB. The WIB technology itself seems less prevalent than the S@T Browser (see diagram below and section 7 of the report), and publicly available information doesn’t indicate that WIB has the same apparent oversight in recommended security level. However, this is an area of continued research, as is whether there are any other vulnerable SIM card technologies, and if they can be exploited.

For more information - Simjacker Technical Report: Section 7 (report)

Count of Vulnerable Countries & Operators for S@T Browser and WIB
