A team of security researchers has detailed a second SMS-based attack that can allow malicious actors to track users’ devices by abusing little-known apps that are running on SIM cards.

This new attack, named WIBattack, is identical to Simjacker, an attack disclosed at the start of the month by mobile security firm AdaptiveMobile. Both attacks work in the same way, and they grant access to similar commands, with the exception that they target different apps running on the SIM cards.

Mainly, Simjacker runs commands against the S@T Browser app, while WIBattack sends commands to the Wireless Internet Browser (WIB) app. Both are Java applets that mobile telcos install on SIM cards they provide to their customers. The purpose of these apps is to allow remote management for customer devices and their mobile subscriptions.

WIBattack

In a report released earlier this month, AdaptiveMobile said it discovered that a “private company that works with governments” was using rogue commands sent to S@T Browser apps running on SIM cards to track individuals.

In a report published last weekend, security researchers from Ginno Security Labs said that the WIB app was also vulnerable to similar attacks, although they were not aware of any attacks.

In the case of both S@T and WIB apps, attackers can send a specially formatted binary SMS (called an OTA SMS) that will execute STK (SIM Toolkit) instructions on SIM cards on which telcos did not enable special…

ZDNet is a business technology news website published by CBS Interactive, along with TechRepublic. The brand was founded on April 1, 1991, as a general interest technology portal from Ziff Davis and evolved into an enterprise IT-focused online publication owned by CNET Networks.