Latest in Gear

Image credit: William_Potter via Getty Images

Second SIM card attack can send texts and phone location data

The number of potential victims may not be as bad as claimed, though.
323 Shares
Share
Tweet
Share
Save

Sponsored Links

William_Potter via Getty Images

Simjacker isn't the only SIM-based attack that could put phones at risk. Ginno Security Lab has detailed another exploit, WIBattack, that compromises the WIB (Wireless Internet Browser) app on some SIM cards to take control of key phone functions. Like its counterpart, WIBattack infects a phone through a carefully formatted SMS text that runs instructions on cards that don't have key security features enabled. If successful, the intruders can send texts, start calls, point your web browser to specific sties, display text and send location info.

The vulnerability could be used to track a device's location, point users to phishing websites and rack up fees on calls to toll numbers, among other tricks. Ginno has briefed the GSM Association on WIBattack, although it's not clear what if anything the industry body is doing to address the issue.

It's not certain just how many people are truly vulnerable. While Ginno warns that "hundreds of millions" of phones with WIB-capable SIM cards might be at risk, ZDNet obtained an SRLabs report suggesting the real number of potential victims might be considerably lower. Out of 800 tested cards, only 10.7 percent had WIB installed, and 3.5 percent of them were vulnerable to a Simjacker-like attack.

There's also the question of whether or not this would be the most effective method for would-be attackers. It may be easier to try SIM hijacking (which can simply involve less-than-scrupulous carrier staff) or an SS7 exploit. Still, this is another significant flaw that may be difficult to completely eliminate until networks and users upgrade to more secure SIMs.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
323 Shares
Share
Tweet
Share
Save

Popular on Engadget

The 2019 Engadget Holiday Gift Guide

The 2019 Engadget Holiday Gift Guide

View
Uber's first safety review contains thousands of sexual assault reports

Uber's first safety review contains thousands of sexual assault reports

View
Qualcomm teams up with 'Pokémon Go' developer to make AR glasses

Qualcomm teams up with 'Pokémon Go' developer to make AR glasses

View
Wirecutter's best deals - Jabra Elite 85h Bluetooth headphones drop to $200

Wirecutter's best deals - Jabra Elite 85h Bluetooth headphones drop to $200

View
Microsoft's redesigned Office mobile apps read text out loud

Microsoft's redesigned Office mobile apps read text out loud

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr