Simjacker
Technical Report ©2019 AdaptiveMobile Security

We detected the subsequent Data Message being sent via an alternative SMS Centre, to a dummy number. The use of an open SMSC other than the operator-specified one was accomplished by specifying a different SMS Centre to use in the payload of the original Attack Message. Specifically, this was executed as an additional Address parameter in the SEND SHORT MESSAGE Command. There are two potential reasons for the use of an alternative SMSC for exfiltration.

1) To avoid a network operator detecting these Data Messages being sent, as this outbound traffic would not travel via their own SMSC
2) To avoid any billing records being generated for the Data Message, if these are generated at the SMSC
5.1.3 Alternative SMS Attack Packet Encoding

We observed extensive modifications and alterations of the format of the SMS Header in order to avoid blocking. All packet encoding fields at the SMS Transfer Layer (e.g. TP-DCS, TP-PID, TP-UDH, TP-UD) and additional fields in the Command Header have been modified to varying degrees, as the attackers cycle through these values continuously. While not all resulting combinations are actually useful – i.e. invalid combinations mean that the message is then not understood by the Handset as a SIM OTA message and so not routed to the SIM card – a number of non-standard combinations do turn out to be routed to the SIM card.
In addition, there have been a number of other modifications to the SMS Attack Packet observed. These include:

• Multi-part concatenated SMS messages – the splitting of the Attack Packet over multiple segments
• The use of Reserved Values in the SMS Header
• The use of corrupted parameters in the SMS Header
• Omitting specified values in the SMS Header
• Other variations of the SMS Attack Packet encoding.
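As an added illustration of the two indicators described in 5.1.2 and 5.1.3 (a non-operator SMSC on the exfiltration leg, and SIM OTA header encodings that deviate from the standard TP-PID 0x7F / TP-DCS 0xF6 pair), the following Python decodes a hex SMS-SUBMIT PDU in the 3GPP TS 23.040 layout and reports what an analyst would want to triage. This is example code, not from the AdaptiveMobile report; the `HOME_SMSCS` set and both sample PDUs are constructed placeholders, and the function only flags deviations for review rather than claiming which non-standard combinations a given handset will route to the SIM.

```python
# Added example: triage of SMS-SUBMIT PDUs for SIM OTA indicators.
# Constants below are from 3GPP TS 23.040; HOME_SMSCS and the PDUs are constructed.
HOME_SMSCS = {"447000000001"}   # placeholder: the operator's own SMSC numbers
PID_SIM_DATA_DOWNLOAD = 0x7F    # TP-PID "(U)SIM Data download"
DCS_CLASS2_8BIT = 0xF6          # TP-DCS: 8-bit data, message class 2 (SIM-specific)
IEI_COMMAND_PACKET = 0x70       # UDH IEI "Command Packet Identifier" (TS 31.115)

# Constructed sample PDUs (SMSC prefix + TPDU), not captured traffic.
PDU_STANDARD = "079144070000001051000C914417111111117FF6AA0702700001020304"
PDU_VARIANT = "079144070000009911000C914417111111117F04AA0401020304"

def _bcd_digits(raw: bytes) -> str:
    """Decode swapped-nibble BCD address digits, dropping the 0xF filler."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw).rstrip("f")

def analyse_submit_pdu(hex_pdu: str) -> dict:
    """Parse the SMSC address and SMS-SUBMIT header fields; return findings for review."""
    b = bytes.fromhex(hex_pdu)
    sca_len = b[0]                                   # SMSC address length incl. type octet
    smsc = _bcd_digits(b[2:1 + sca_len])
    p = 1 + sca_len
    first = b[p]; udhi = bool(first & 0x40); p += 2  # first octet (TP-UDHI bit 6), TP-MR
    da_digits = b[p]; p += 2 + (da_digits + 1) // 2  # TP-DA: digit count, type, BCD digits
    pid, dcs = b[p], b[p + 1]; p += 2
    vp_fmt = (first >> 3) & 0x03                     # TP-VPF: 00 none, 10 relative, 01/11 7 octets
    p += {0: 0, 2: 1, 1: 7, 3: 7}[vp_fmt]
    udl, ud = b[p], b[p + 1:]
    findings = []
    if smsc not in HOME_SMSCS:
        findings.append(f"non-home SMSC address {smsc}")
    if pid == PID_SIM_DATA_DOWNLOAD and dcs == DCS_CLASS2_8BIT:
        findings.append("standard SIM OTA encoding (PID 7F / DCS F6)")
    elif pid == PID_SIM_DATA_DOWNLOAD or dcs == DCS_CLASS2_8BIT:
        # Only one half of the OTA pair is present: a possible encoding variant.
        findings.append(f"partial OTA encoding PID {pid:02X} / DCS {dcs:02X}: review")
    if udhi:                                         # walk the User Data Header elements
        udhl, i = ud[0], 1
        while i < 1 + udhl:
            iei, ielen = ud[i], ud[i + 1]
            if iei == IEI_COMMAND_PACKET:
                findings.append("UDH carries Command Packet Identifier (IEI 70)")
            i += 2 + ielen
    return {"smsc": smsc, "pid": pid, "dcs": dcs, "udhi": udhi, "udl": udl, "findings": findings}

if __name__ == "__main__":
    for pdu in (PDU_STANDARD, PDU_VARIANT):
        print(analyse_submit_pdu(pdu))
```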
5.1.4