That’s already the case AFAIK.
Hard to say… It’s probably disconnected when not in a call, but might auto-connect when a call starts, depends on what audio server (pulseaudio?) is used, and it’s settings. If the auto-connect-on-call is tied to the UI, with the make-call and accept-call commands initiating the connection, we’re good. If it’s connected in response to the AT command by the modem, that should be changed.
The modem would be executing the AT commands from the SIM. The rest of the phone would not necessarily even have a way to know that an AT command had been requested, let alone have the power to control the response to the command.
I guess the software in charge of checking for incoming SMS messages should be sure to delete them from the SIM once they’ve been received, in the interests of limiting how much data is stored on the SIM.
yeah that broadband will stay locked-tight for the foreseable future it seems …
That does leave the possibility to fake outgoing calls, which could be a problem (either premium calls, or calls to nefarious groups or similar).
Paid SMS are another attack vector, or SMS confirming paid subscriptions. Intercepting authentication SMS (e.g. from on-line banking) should be also possible.
For sure. However I don’t suppose it is possible to do that retrospectively with the Librem 5 v1 ???
What you may be suggesting could be done in a number of ways e.g. directly putting a filtering chip between the SIM and the modem. or e.g. making the SIM virtual and putting the CPU between the real SIM and the modem. But presumably it is too late for trickery like that. ???
Limited to what could be achieved retrofitted … perhaps the firmware on the modem could be updated so that all binary SMSs (aka data SMSs / could alternatively be called application SMSs) are passed to the host for approval before doing anything with them. That unfortunately requires trust in the modem.
(Also in part being discussed in this topic Detecting so called "silent SMS" )
The article also contains the recommendation that there be
filtering at the network level to intercept and block “illegitimate binary SMS messages”
That requires trust in the government and the telco, and confidence in their competence. It isn’t a good long term solution.
The article comments
we have observed the S@T protocol being used by mobile operators in at least 30 countries whose cumulative population adds up to over a billion people
Does anyone have a list of those 30 countries? That would narrow it down to people who know for certain that they should be worried about this.
Experience suggests that these things can get worse before they get better.
The first researcher reports … hey, I just found a way to do XYZ.
The second researcher, after contemplating the first researcher’s research, comments … that’s cool but it can also do ABC.
…
I would therefore caution against indifference.
What would be extra dangerous is if there are undocumented commands in the SIM, since the modem may pass the “code” through unvalidated.
I realized all of that once the others threw in some facts on the matter
This is why I wanted some available GPIO lines exposed as contacts on the motherboard. Given 5 pins (power control, clock & data for the card, clock & data for the modem) plus some ground line, it would be possible to build an interposer on a flexible circuit board which routes everything through the main CPU and as such gives you complete control over what is and is not sent to the SIM card.
That is going to be almost impossible. I don’t see Qualcomm (it’s their chips which are used in both of the modem options) doing this themselves, and I really don’t see them handing out the source code, toolchain and a means to sign the new radio binaries so that the chips accept them.
Well, I’m pretty sure that neither India nor China are on the list purely due to the number given.
You are probably right (whether it’s Qualcomm or the modem vendor). That option was only if they wanted to do it themselves. I did not intend to imply that Purism could or would do this but I did not make that clear.
They might want to do it themselves because they are responsible for a security flaw that one researcher pithily described in a link above as “pretty f*cking bad”, without the asterisk.
If you want your chip / modem described that way, leave the flaw in place.
I thought the same but that doesn’t help me.
New post by Nicole Faerber
Great article (and interesting to know that forum posts can influence what gets posted on the blog). It might be worth mentioning though that Verizon, Sprint, AT&T, and T-Mobile have said that they are not impacted by the exploit, at least in America, even if some of their responses weren’t very convincing.
Ofc, some mobile provider will claim that they blacklist certain SMS payload used for these attacks. But, I would not trust them. They could whitelist calling party numbers of authority / governmental “services”.
Not necessarily: I can imagine that Nicole and/or others were on this without being prompted by us!
I still don’t know which 30 countries but, along with the US, Australia seems to have ruled itself out: https://www.itwire.com/security/simjacker-australians-are-safe.html
While the original topic title asks the question as to whether it affects the Librem 5, it seems to depend more on a) the SIM card, and b) the modem. It doesn’t even directly depend on the country. If your phone has a vulnerable SIM card and a complicit modem then your phone is potentially vulnerable in every country.
After S@T comes WIB. To be continued…
So in “proactive command is sent to ME” scenario - is ME here a baseband OS or Phone OS? It seems like phone (eg launch browser) which then could be easily contained. Otherwise if it is baseband OS - it’s a nasty nuisance which may cost you money (sms or call to caller-paid lines) but otherwise won’t cause significant breach of privacy in the current l5 design (baseband over usb). According to the article even “location” is mere country + network info.