
    SIMjacker Explained: The Silent SMS Vulnerability Threatening Billions

    GhostSims Security Team
    December 28, 2024

    What is SIMjacker?

    SIMjacker is a critical vulnerability discovered in 2019 that affects over 1 billion mobile devices worldwide. It exploits the SIM Application Toolkit (STK) technology embedded in SIM cards to execute commands without user knowledge or consent.

    How SIMjacker Works

    The SIM Application Toolkit (STK)

    STK is a set of commands programmed into your SIM card by carriers. It enables SIM-based menus and applications, remote SIM management, and value-added services from carriers.

    The problem? STK commands can be triggered by specially crafted SMS messages—and many carriers don't authenticate these commands properly.

    The Attack Sequence

    1. Attacker sends malicious SMS - A binary SMS containing STK commands
    2. SIM processes silently - No notification to user, no SMS in inbox
    3. Command execution - SIM runs commands like location requests
    4. Data exfiltration - Information sent back to attacker via SMS
    5. No trace left - Attack is invisible to device owner

    The S@T Browser Vulnerability

    The specific vulnerability exploits the S@T Browser (SIMalliance Toolbox Browser), software running on most SIM cards:

    • Present on SIMs from over 60 mobile operators
    • Affects devices across 30+ countries
    • Works regardless of phone operating system
    • No way for users to disable it

    Protection Strategies

    The most effective protection is to use an encrypted SIM card that runs hardened SIM firmware without the S@T Browser and blocks all binary SMS at the network level.

    GhostSims encrypted SIM cards are built from the ground up with security-first firmware that eliminates SIMjacker and similar STK-based vulnerabilities.
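
A header-only filter for the network-level binary SMS blocking described above, as an added example that is not part of the original article and not GhostSims' implementation. It assumes the SMS-DELIVER TPDU layout from 3GPP TS 23.040 with TP-DCS decoded per TS 23.038; the function names and sample PDUs are constructed for illustration.

```python
# Added example: classify SMS-DELIVER TPDUs by header fields only.
# Field layout per 3GPP TS 23.040 (TPDU) and TS 23.038 (TP-DCS).

PID_SIM_DATA_DOWNLOAD = 0x7F  # TP-PID value for (U)SIM data download

def decode_dcs(dcs):
    """Return (is_8bit, message_class or None) for a TP-DCS octet."""
    group = dcs >> 4
    if group == 0xF:                          # data coding / message class group
        return bool(dcs & 0x04), dcs & 0x03
    if group <= 0x7:                          # general data coding groups
        is_8bit = ((dcs >> 2) & 0x03) == 1
        return is_8bit, (dcs & 0x03) if dcs & 0x10 else None
    return False, None                        # reserved / message-waiting groups

def parse_deliver(tpdu_hex):
    """Return (TP-PID, TP-DCS) from an SMS-DELIVER TPDU in hex (no SMSC prefix)."""
    b = bytes.fromhex(tpdu_hex)
    if len(b) < 2 or (b[0] & 0x03) != 0:      # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    pos = 3 + (b[1] + 1) // 2                 # skip flags, OA length, TOA, OA digits
    if len(b) < pos + 2:
        raise ValueError("truncated TPDU")
    return b[pos], b[pos + 1]

def classify(tpdu_hex):
    pid, dcs = parse_deliver(tpdu_hex)
    is_8bit, msg_class = decode_dcs(dcs)
    if pid == PID_SIM_DATA_DOWNLOAD:
        return "sim-data-download"            # TP-PID addresses the SIM
    if is_8bit and msg_class == 2:
        return "binary-class2"                # SIM-specific binary message
    return "binary" if is_8bit else "text"

def should_block(tpdu_hex):
    """Policy from the article: block every binary SMS; fail closed on bad input."""
    try:
        return classify(tpdu_hex) != "text"
    except ValueError:
        return True

# Constructed sample TPDUs (sender 15555550100, dummy timestamp), not captures.
_HDR = "040B915155550501F0"                   # flags, OA length, TOA, OA digits
_SCTS = "42218221000000"                      # 7-octet service centre timestamp
TEXT = _HDR + "0000" + _SCTS + "02E834"       # PID 00, DCS 00, "hi" in GSM 7-bit
SIM_DL = _HDR + "7FF6" + _SCTS + "00"         # PID 7F, DCS F6, empty user data
BIN_C2 = _HDR + "0016" + _SCTS + "00"         # PID 00, DCS 16 (8-bit, class 2)
```

The filter reads only the TP-PID and TP-DCS octets, so it makes its decision without parsing or storing message content.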
