‘Simjacker’ Attack Can Track Phones Just by Sending a Text

Credit to Author: Brian Barrett| Date: Sat, 14 Sep 2019 13:00:00 +0000

White house spying, North Korea sanctions, and more of the week's top security news.

A lot of important news happened this week in the world of cybersecurity, but let's start with this: It's becoming increasingly hard to collect the money Equifax owes you from the settlement over its disastrous breach. Do not be cowed! You can still get your $125, or even more. Here's how. And with that, on to the news!

Despite the hoopla over Apple's latest iPhones, the biggest iOS news this month might be the recent large-scale hacking campaign against it. We took a look at what specifically is behind Apple's security woes: specifically, vulnerabilities related to how iOS deploys iMessage and Safari. And while IoT security has surprisingly improved of late, it still has a long, long, very extremely long way to go.

The Department of Justice this week announced the arrest of nearly 300 individuals in connection with email scams that bilked people out of millions. A new look at the 2016 cyberattack that triggered a blackout in Ukraine showed that the intended results may have been far more explosive than what transpired.

And national security adviser John Bolton has left the White House. For those keeping score at home, that's Donald Trump's third, leaving critics more wary about the stability of the US national security apparatus than ever.

The good news is that the so-called Simjacker attack revealed this week by AdaptiveMobile Security doesn't appear to affect the major US carriers. The bad news is that it does potentially affect a billion smartphone users across 30 countries. Hackers have apparently figured out that by simply sending a specifically crafted SMS, they can tell the SIM card in a target phone to "take over" the device, obtaining information like its location and potentially forcing it to make calls or send texts. As Ars Technical notes, the attack builds on research from Karsten Nohl in 2013. Just remember that however bad Simjacker seems, there's plenty worse out there targeting phones.

The Treasury Department this week leveled sanctions against three North Korean hacking groups, including the Lazarus Group, a team thought responsible for the 2014 hack of Sony Pictures and other major targets. Lazarus was also reportedly behind the WannaCry ransomware epidemic, though fortunately made enough mistakes that it was contained before it could spread too far. The other groups are known as "Bluenoroff" and "Andariel"—technically Lazarus subgroups—focused on financial theft and operations in South Korea, respectively. You might remember Bluenoroff's hack of Bangladeshi bank in 2016; it walked away with $81 million. In all, the United Nations estimates that North Korean cyberattacks have yielded around two billion dollars over time—so don't expect new sanctions to deter them.

Last year, the Department of Homeland Security revealed that Washington, DC was littered with so-called stingray devices, which impersonate cell towers to eavesdrop on communications. Politico this week reported that the spy tech was placed there by Israel in a likely attempt to spy on Donald Trump. The US response appears to have been muted or even nonexistent.

The extremely weird saga of Yujing Zhang continued this week, as the Chinese businesswoman who slipped past various safeguards at Donald Trump's Mar-a-Lago property this spring had her day in court. She was found guilty of trespassing and lying to federal agents, though still has apparently given no good explanation for why she was found carrying, as the New York Times reports, "four cellphones, a laptop and an external hard drive. In her room in a different hotel, they found nine flash drives, five cellphone SIM cards, a device used to detect hidden cameras and about $8,000 in cash." Sentencing will take place November 22.

https://www.wired.com/category/security/feed/