The attack works by exploiting a vulnerability in a UICC/SIM card library called the S@T Browser. A specially formatted binary text message is sent to the victim handset, which contains a set of commands to be executed by the S@T Browser environment in the UICC. As the S@T Browser environment has access to a subset of SIM Toolkit commands, the attackers used this vulnerability to instruct the UICC to request IMEI and location information from the handset via SIM Toolkit commands. Once this was obtained, the UICC then instructed the handset to exfiltrate this information to the attackers within another text message. Other types of attacks are also possible using the S@T Browser, such as forcing a mobile device to open a webpage or to make a phone call. The attack differed from previously reported SIM card attacks, as those required the SIM key to be obtained. The Simjacker attack does not require a SIM key, only that the SIM card has the S@T Browser library installed on it, and that the binary messages containing the S@T Browser commands can be sent to the victim. Simjacker was registered in the Common Vulnerabilities and Exposures database as CVE-2019-16256 and CVE-2019-16257, and by the GSM Association in its Coordinated Vulnerability Disclosure process as CVD-2019-0026.

== Impact ==
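A defender-side check for the delivery step described above, as an added example that is not part of the original article: it parses SMS-DELIVER headers per 3GPP TS 23.040 and reports the fields that route a binary message to the UICC instead of the user's inbox. The function names, reason labels and both sample TPDUs are constructed for illustration; the indicators mark any SIM-directed binary SMS, not S@T Browser content specifically.

```python
# Added example (not from the article): flag SMS-DELIVER TPDUs routed to the UICC.
SIM_DATA_DOWNLOAD_PID = 0x7F              # TS 23.040 TP-PID: (U)SIM Data download
SECURITY_HEADER_IEIS = range(0x70, 0x80)  # TS 23.040 UDH: (U)SIM Toolkit Security Headers

def parse_sms_deliver(tpdu: bytes) -> dict:
    """Extract TP-PID, TP-DCS and the UDH element identifiers from an SMS-DELIVER."""
    if len(tpdu) < 2 or tpdu[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    # Skip first octet, address length, type-of-address and the packed digits.
    pos = 3 + (tpdu[1] + 1) // 2
    if len(tpdu) < pos + 10:  # PID, DCS, 7-octet timestamp, UDL
        raise ValueError("truncated TPDU")
    user_data, ieis = tpdu[pos + 10:], []
    if tpdu[0] & 0x40 and user_data:  # TP-UDHI: user data starts with a header
        udh, i = user_data[1:1 + user_data[0]], 0
        while i + 2 <= len(udh):
            ieis.append(udh[i])
            i += 2 + udh[i + 1]
    return {"pid": tpdu[pos], "dcs": tpdu[pos + 1], "ieis": ieis}

def is_class2_8bit(dcs: int) -> bool:
    """True when the DCS selects 8-bit data with message class 2 (SIM-specific)."""
    if dcs & 0xF0 == 0xF0:          # data coding / message class group
        return dcs & 0x07 == 0x06
    return dcs & 0xDF == 0x16       # general group, compression bit ignored

def sim_targeting_reasons(tpdu: bytes) -> list:
    """Return the indicators showing the message is addressed to the SIM."""
    f, reasons = parse_sms_deliver(tpdu), []
    if f["pid"] == SIM_DATA_DOWNLOAD_PID:
        reasons.append("pid-sim-data-download")
    if is_class2_8bit(f["dcs"]):
        reasons.append("dcs-class2-8bit")
    if any(i in SECURITY_HEADER_IEIS for i in f["ieis"]):
        reasons.append("udh-security-header")
    return reasons

# Constructed samples: dummy sender 00000000000, zeroed timestamp.
_HEAD = "0B910000000000F0"
ORDINARY_TEXT = bytes.fromhex("04" + _HEAD + "0000" + "00" * 7 + "02E834")
# Placeholder payload (four zero octets) instead of any real command packet.
SIM_BOUND = bytes.fromhex("44" + _HEAD + "7FF6" + "00" * 7 + "07" + "027000" + "00" * 4)

if __name__ == "__main__":
    for name, pdu in (("ordinary", ORDINARY_TEXT), ("sim-bound", SIM_BOUND)):
        print(name, sim_targeting_reasons(pdu) or "no SIM-directed indicators")
```

Legitimate operator over-the-air SIM updates carry the same header values, so a network-side filter would combine these indicators with the message's origin rather than block on them alone.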