AdaptiveMobile Security Simjacker Technical Paper 01


Variable Management in the Simjacker Attack



Variables in the S@T environment are where the respective pieces of information (SMS-SUBMIT Header, Location, IMEI, Filler etc.) are stored prior to being sent externally. For the Simjacker attacks the variables themselves are always stored as temporary variables (see Section 5.3 of [3]); this means they are cleared when:

• the S@T browser goes to the idle state
• the S@T browser starts a card with the ResetVar flag set in the card attribute
• a high priority push is received.

The S@T browser goes to the idle state (the S@T browser exits) after the last command of the card has been executed and no branching has been done.

In observation, we see that the attackers are well aware of the need to keep the temporary variables cleared. In situations where they request Location information in quick succession (2 messages to the same target in less than a few seconds) they specify the 2nd request as a High Priority Push, to ensure that there is no retention of the previous temporary values set in the 1st, Low Priority Push message. In addition, to further ensure variables are not overwritten, the ResetVar flag is set in the Card value over 44% of the time. The ResetVar is used to reset (i.e. remove) all the temporary variables before executing the first command in the card.
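The variable-hygiene pattern described above (a second push to the same target within seconds, sent as High Priority Push and/or with ResetVar set) can be turned into a simple correlation check on decoded S@T push traffic. The following is an added example, not code from the AdaptiveMobile report; the record fields, the sample traffic and the 5-second window are assumptions made for illustration.

```python
"""Added example (not from the AdaptiveMobile report): flag pairs of S@T push
messages to the same target within a few seconds where the second one is a
High Priority Push and/or has ResetVar set. The record layout and the
5-second window are assumptions for illustration, not decoded from real SMS."""
from dataclasses import dataclass


@dataclass
class SatPush:
    ts: float        # seconds since epoch, as logged by the SMS gateway (assumed)
    target: str      # destination MSISDN; sample values below are constructed
    priority: str    # "low" or "high" push priority (assumed decoded field)
    reset_var: bool  # ResetVar flag in the card attribute (assumed decoded field)


WINDOW_SECONDS = 5.0  # "less than a few seconds" in the report; 5 s is an assumed threshold


def find_rapid_sequences(pushes, window=WINDOW_SECONDS):
    """Return (first, second, reasons) for consecutive pushes to one target within `window`."""
    by_target = {}
    for p in sorted(pushes, key=lambda x: x.ts):
        by_target.setdefault(p.target, []).append(p)
    hits = []
    for seq in by_target.values():
        for prev, cur in zip(seq, seq[1:]):
            if cur.ts - prev.ts >= window:
                continue
            reasons = ["rapid_repeat"]
            if prev.priority == "low" and cur.priority == "high":
                reasons.append("hpp_after_lpp")   # HPP clears temporaries left by the 1st push
            if cur.reset_var:
                reasons.append("resetvar_set")    # ResetVar clears temporaries before 1st command
            hits.append((prev, cur, reasons))
    return hits


# Constructed sample traffic: not real MSISDNs and not captured messages.
SAMPLE = [
    SatPush(1000.0, "+10000000001", "low", False),
    SatPush(1002.5, "+10000000001", "high", True),   # 2nd request: HPP + ResetVar
    SatPush(1000.0, "+10000000002", "low", False),
    SatPush(1300.0, "+10000000002", "low", False),   # 5 minutes later: not rapid
    SatPush(1010.0, "+10000000003", "low", True),
    SatPush(1011.0, "+10000000003", "low", False),   # rapid, but plain LPP without ResetVar
]

if __name__ == "__main__":
    for first, second, reasons in find_rapid_sequences(SAMPLE):
        print(f"{second.target}: {second.ts - first.ts:.1f}s apart -> {', '.join(reasons)}")
```

On the constructed sample this reports the first target with all three reasons and the third target as a plain rapid repeat; the second target, with its messages minutes apart, is not flagged.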


12
Simjacker Technical Report
©2019 AdaptiveMobile Security
4 Simjacker Attacker Structure and Operating Procedure

The attackers we detected using the Simjacker message vary their methods and use of the Simjacker vulnerability constantly. This is due to changing conditions, objectives and defences being put in place. This makes profiling what the normal use of the vulnerability is difficult. Nevertheless, we can show what the typical activity in a time period is, as a representative guide. In the below analysis, we have taken a typical day continuous time period, from sometime within the last year. This period is a time when we were actively engaged in detecting and blocking these attacks with our mobile customers. From retrospective analysis, it is also similar to other time periods when blocking was not occurring, so this day period is representative of the activity throughout the larger timespan.
4.1