The modem would be executing the AT commands from the SIM. The rest of the phone would not necessarily even have a way to know that an AT command had been requested, let alone have the power to control the response to the command.
I guess the software in charge of checking for incoming SMS messages should be sure to delete them from the SIM once they’ve been received, in the interests of limiting how much data is stored on the SIM.
That does leave the possibility to fake outgoing calls, which could be a problem (either premium calls, or calls to nefarious groups or similar).
Paid SMS are another attack vector, or SMS confirming paid subscriptions. Intercepting authentication SMS (e.g. from on-line banking) should be also possible.
For sure. However, I don’t suppose it is possible to do that retrospectively with the Librem 5 v1 ???
What you may be suggesting could be done in a number of ways, e.g. directly putting a filtering chip between the SIM and the modem, or e.g. making the SIM virtual and putting the CPU between the real SIM and the modem. But presumably it is too late for trickery like that. ???
Limited to what could be achieved retrofitted … perhaps the firmware on the modem could be updated so that all binary SMSs (aka data SMSs / could alternatively be called application SMSs) are passed to the host for approval before doing anything with them. That unfortunately requires trust in the modem.
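The post above imagines the host approving binary (data / application) SMSs before the modem acts on them. The following is an added illustration of what that host-side gate could look like; it is not code from this thread, from Purism, or from any modem vendor. It assumes the host can read raw incoming SMS-DELIVER PDUs in hex (as a modem in PDU mode reports them) and flags those whose TP-PID or TP-DCS marks them for (U)SIM data download, per 3GPP TS 23.040 and TS 23.038. Both sample PDUs are constructed, with fictional 555 numbers.

```python
"""Host-side triage of SMS-DELIVER PDUs: hold back SIM-bound binary messages.

Added illustration only (not the thread's, Purism's or any modem's code).
Assumes raw PDUs are available to the host; field layouts follow
3GPP TS 23.040 (PDU structure) and TS 23.038 (data coding scheme).
"""

# TP-PID values that mark a message as (U)SIM data download (TS 23.040, 9.2.3.9)
SIM_DATA_DOWNLOAD_PIDS = {0x7F, 0x7C}


def _semi_octets_to_digits(raw: bytes) -> str:
    """Decode a swapped-nibble BCD number; a trailing 'F' pads an odd digit count."""
    digits = []
    for b in raw:
        digits.append(f"{b & 0x0F:X}")
        digits.append(f"{b >> 4:X}")
    return "".join(digits).rstrip("F")


def _unpack_gsm7(ud: bytes, septets: int) -> str:
    """Unpack 7-bit packed text (septets fill from the LSB of the byte stream).
    Simplified: maps the GSM default alphabet straight to ASCII, which is exact
    only for the ASCII-overlapping characters; enough for triage display."""
    bits = int.from_bytes(ud, "little")
    return "".join(chr((bits >> (7 * k)) & 0x7F) for k in range(septets))


def _message_class(dcs: int):
    """Message class (0-3) carried in TP-DCS, or None if no class is given.
    Class 2 means '(U)SIM specific message' (TS 23.038, section 4)."""
    if (dcs & 0xC0) == 0x00:          # general data coding group
        return dcs & 0x03 if dcs & 0x10 else None
    if (dcs & 0xF0) == 0xF0:          # 'data coding / message class' group
        return dcs & 0x03
    return None


def parse_sms_deliver(pdu_hex: str) -> dict:
    """Parse the fields of an SMS-DELIVER PDU that matter for triage.
    Does not handle a user-data header (UDHI); kept minimal on purpose."""
    data = bytes.fromhex(pdu_hex)
    i = 1 + data[0]                     # skip length-prefixed SMSC address
    first_octet = data[i]; i += 1
    if first_octet & 0x03 != 0x00:      # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits, toa = data[i], data[i + 1]; i += 2
    oa_len = (oa_digits + 1) // 2
    sender = _semi_octets_to_digits(data[i:i + oa_len]); i += oa_len
    if (toa & 0x70) == 0x10:            # type-of-number: international
        sender = "+" + sender
    pid, dcs = data[i], data[i + 1]; i += 2
    i += 7                              # TP-SCTS timestamp, not needed here
    udl = data[i]; i += 1
    ud = data[i:]
    # 7-bit text only when DCS says so: general group with bits 3-2 == 00,
    # or the 1111 group with bit 2 clear. Anything else is treated as binary.
    seven_bit = ((dcs & 0xCC) == 0x00) or ((dcs & 0xF4) == 0xF0)
    return {
        "sender": sender,
        "pid": pid,
        "dcs": dcs,
        "class": _message_class(dcs),
        "text": _unpack_gsm7(ud, udl) if seven_bit else None,
        "payload": ud.hex(),
    }


def triage(pdu_hex: str) -> dict:
    """Decide whether a PDU is SIM-bound and should wait for host approval."""
    msg = parse_sms_deliver(pdu_hex)
    reasons = []
    if msg["pid"] in SIM_DATA_DOWNLOAD_PIDS:
        reasons.append(f"TP-PID 0x{msg['pid']:02X} requests (U)SIM data download")
    if msg["class"] == 2:
        reasons.append("TP-DCS marks the message as (U)SIM specific (class 2)")
    msg["sim_bound"] = bool(reasons)
    msg["reasons"] = reasons
    return msg


# Constructed sample PDUs (fictional SMSC +15555550000, sender +15555550100).
# SIM-bound: TP-PID 0x7F, TP-DCS 0xF6 (class 2, 8-bit data), 5 payload bytes.
SIM_BOUND_PDU = ("07915155550500F0" "04" "0B915155550501F0" "7F" "F6"
                 "99309251619580" "05" "0102030405")
# Ordinary text: TP-PID 0x00, TP-DCS 0x00 (GSM 7-bit), user data "hello".
TEXT_PDU = ("07915155550500F0" "04" "0B915155550501F0" "00" "00"
            "99309251619580" "05" "E8329BFD06")

if __name__ == "__main__":
    for label, pdu in (("sim-bound", SIM_BOUND_PDU), ("text", TEXT_PDU)):
        result = triage(pdu)
        verdict = "HOLD for approval" if result["sim_bound"] else "pass through"
        print(f"{label}: from {result['sender']}: {verdict} {result['reasons']}")
```

A real gate would sit between the modem's SMS path and the SIM toolkit handler and would also need to cope with concatenated messages and user-data headers; the point here is only that the distinguishing fields (TP-PID and the DCS message class) are plain header bytes the host can inspect before anything reaches the SIM.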
This is why I wanted some available GPIO lines exposed as contacts on the motherboard. Given 5 pins (power control, clock & data for the card, clock & data for the modem) plus some ground line, it would be possible to build an interposer on a flexible circuit board which routes everything through the main CPU and as such gives you complete control over what is and is not sent to the SIM card.
That is going to be almost impossible. I don’t see Qualcomm (it’s their chips which are used in both of the modem options) doing this themselves, and I really don’t see them handing out the source code, toolchain and a means to sign the new radio binaries so that the chips accept them.
Well, I’m pretty sure that neither India nor China are on the list purely due to the number given.
You are probably right (whether it’s Qualcomm or the modem vendor). That option was only if they wanted to do it themselves. I did not intend to imply that Purism could or would do this but I did not make that clear.
They might want to do it themselves because they are responsible for a security flaw that one researcher pithily described in a link above as “pretty f*cking bad”, without the asterisk.
If you want your chip / modem described that way, leave the flaw in place.
Great article (and interesting to know that forum posts can influence what gets posted on the blog). It might be worth mentioning though that Verizon, Sprint, AT&T, and T-Mobile have said that they are not impacted by the exploit, at least in America, even if some of their responses weren’t very convincing.
Ofc, some mobile providers will claim that they blacklist certain SMS payloads used for these attacks. But I would not trust them. They could whitelist calling party numbers of authority / governmental “services”.
While the original topic title asks the question as to whether it affects the Librem 5, it seems to depend more on a) the SIM card, and b) the modem. It doesn’t even directly depend on the country. If your phone has a vulnerable SIM card and a complicit modem then your phone is potentially vulnerable in every country.
So in the “proactive command is sent to ME” scenario, is ME here the baseband OS or the phone OS? It seems like the phone (e.g. launch browser), which then could be easily contained. Otherwise, if it is the baseband OS, it’s a nasty nuisance which may cost you money (SMS or call to caller-paid lines) but otherwise won’t cause a significant breach of privacy in the current L5 design (baseband over USB). According to the article, even “location” is mere country + network info.
It’s hard to say. Caliga’s post directly above you has a link to another description of the S@T attack and a video showing a proof of concept. The attacked victim phone appears to be going through the OS to perform its tasks - you can see the Android dialer and call window. Way back when, in the brief period of 30 minutes when my Samsung S5 had its stock OS, I remember it having a package called “SIM Toolkit” installed. I’m guessing that this is responsible for instructing the OS dialer to do its tasks.
That said, it’s quite possible for the baseband firmware to deal with this directly. I’d be surprised if, for some of the cases, it didn’t - from an engineering perspective, it seems very inefficient (yes, security, I know) to go all the way up to the application CPU and then all the way down when you can just handle things immediately.
Also, from a perspective with somewhat limited relevance, I remember that my old Nokia 6300 (candybar form factor GSM dumbphone) and later on a Nokia E55 (candybar form factor 3G smartphone, a beautiful device although there were never that many applications for it) actually asked me whether I wanted to allow the SIM card to send a message. This happened when I used it with a new SIM card and presumably the network wanted to autoconfigure my device. So at least some devices are immune to this attack.
Simjacker/WIBattack – protection tools now available:
– 6% of 800 SIM cards in recent years were vulnerable to Simjacker, a 2nd vulnerability affects an additional 3.5%.
– SIMtester checks any SIM card for both vulnerabilities: https://opensource.srlabs.de/projects/simtester
– SnoopSnitch warns about binary