What's worrisome? A specific private company that works with governments is actively exploiting the SimJacker vulnerability from at least the last two years to conduct targeted surveillance on mobile phone users across several countries. "During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated," researchers explain. "The location information of thousands of devices was obtained over time without the knowledge or consent of the targeted mobile phone users. However the Simjacker attack can, and has been extended further to perform additional types of attacks." According to the researchers, all manufacturers and mobile phone models are vulnerable to the SimJacker attack as the vulnerability exploits a legacy technology embedded on SIM cards, whose specification has not been updated since 2009, potentially putting over a billion people at risk.
Researchers have responsibly disclosed details of this vulnerability to the GSM Association, the trade body representing the mobile operator community, as well as the SIM alliance that represents the main SIM Card/UICC manufacturers. Mobile operators can also immediately mitigate this threat by setting up a process to analyze and block suspicious messages that contain S@T Browser commands. As a potential victim, it appears, there is nothing much a mobile device user can do if they are using a SIM card with S@T Browser technology deployed on it, except requesting for a replacement of their SIM that has proprietary security mechanisms in place.