CVE-2019-16256

9.8 CRITICAL

📋 TL;DR

CVE-2019-16256 (Simjacker) is a vulnerability in the SIMalliance Toolbox Browser (S@T Browser) on UICC chips in mobile devices that allows remote attackers to send malicious SIM Toolkit instructions via SMS messages. This enables attackers to retrieve sensitive information like location data and IMEI numbers, execute commands, or access other device data without user interaction. The vulnerability primarily affects Samsung and other mobile devices with vulnerable SIM cards.

💻 Affected Systems

Products:
  • Samsung mobile devices
  • Other mobile devices with vulnerable SIM cards
Versions: All versions with vulnerable SIM cards
Operating Systems: Android, Other mobile OS with vulnerable SIM implementation
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability resides in the SIM card's S@T Browser implementation, not the device OS. Affects devices from multiple manufacturers with vulnerable SIM cards.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could track victims' real-time locations, steal personal data, execute arbitrary commands on the device, and potentially use the compromised device as an entry point for further attacks.

🟠 Likely Case

Targeted surveillance and data theft from specific individuals, with attackers harvesting location data, IMEI information, and potentially other device identifiers.

🟢 If Mitigated

Limited impact with proper SMS filtering, network-level protections, and updated SIM cards, though some information leakage might still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted SMS messages to target devices. Attack has been observed in real-world surveillance campaigns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SIM card firmware updates from mobile operators

Vendor Advisory: https://www.adaptivemobile.com/blog/simjacker-next-generation-spying-over-mobile

Restart Required: No

Instructions:

1. Contact your mobile operator to check if your SIM card is vulnerable.
2. Request a SIM card replacement if vulnerable.
3. Mobile operators should deploy network-level filtering for malicious STK commands.

🔧 Temporary Workarounds

Disable STK/S@T Browser functionality

all

Disable SIM Toolkit functionality on the device if possible

SMS filtering at network level

all

Mobile operators should implement filtering for malicious STK commands in SMS messages

🧯 If You Can't Patch

  • Use devices from different mobile operators with updated SIM cards
  • Consider using devices without SIM Toolkit functionality when possible

🔍 How to Verify

Check if Vulnerable:

Contact mobile operator to check SIM card vulnerability status. Check device for unexpected location sharing or unusual SMS activity.

Check Version:

No direct command - requires contacting mobile operator for SIM card details

Verify Fix Applied:

Confirm with mobile operator that SIM card has been replaced with non-vulnerable version. Monitor for suspicious SMS messages.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SMS messages with binary/hex content
  • Unexpected location sharing events
  • SIM Toolkit command execution logs

Network Indicators:

  • SMS messages containing STK commands to multiple devices
  • Unusual SMS traffic patterns

SIEM Query:

sms_content CONTAINS "D0" OR sms_content CONTAINS "STK" AND sms_length > 160
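
The log and network indicators above can be checked on the message headers rather than by substring matching. The following is an added example, not part of the original advisory or of any vendor tooling: a Python check that parses an SMS-DELIVER TPDU, as an operator-side SMS firewall might log it in hex, and reports the transport markers of SIM-directed binary messages. Field values follow 3GPP TS 23.040; the function names and both sample PDUs are constructed for illustration.

```python
# Added example: flag SIM data-download markers in SMS-DELIVER TPDUs.
# Field layout and values per 3GPP TS 23.040; sample PDUs are constructed.

def is_class2_8bit(dcs):
    """True when TP-DCS selects 8-bit data with message class 2 ((U)SIM-specific)."""
    if (dcs & 0xF0) == 0xF0:                     # "data coding / message class" group
        return bool(dcs & 0x04) and (dcs & 0x03) == 2
    if (dcs & 0xC0) == 0x00 and (dcs & 0x10):    # general group, class bits valid
        return (dcs & 0x0C) == 0x04 and (dcs & 0x03) == 2
    return False

def stk_markers(pdu_hex):
    """Return the reasons a TPDU (hex, without SMSC prefix) looks SIM-directed."""
    b = bytes.fromhex(pdu_hex)
    if len(b) < 2 or (b[0] & 0x03) != 0:         # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    pos = 3 + (b[1] + 1) // 2                    # skip header, TP-OA length/type/digits
    if len(b) < pos + 10:                        # PID + DCS + 7-octet SCTS + UDL
        raise ValueError("truncated TPDU")
    pid, dcs, ud = b[pos], b[pos + 1], b[pos + 10:]
    ieis = []
    if (b[0] & 0x40) and ud:                     # TP-UDHI set: walk the header IEs
        udh, i = ud[1:1 + ud[0]], 0
        while i + 2 <= len(udh):
            ieis.append(udh[i])
            i += 2 + udh[i + 1]
    found = []
    if pid == 0x7F:
        found.append("TP-PID 0x7F: (U)SIM data download")
    if is_class2_8bit(dcs):
        found.append("TP-DCS: 8-bit data, class 2")
    if any(0x70 <= x <= 0x7F for x in ieis):
        found.append("UDH IEI 0x70-0x7F: (U)SIM Toolkit security header")
    return found

# Constructed samples: fictional sender, placeholder timestamp, zeroed payload.
ADDR = "0B915155550501F0"
SCTS = "91900121430000"
BINARY_OTA = "44" + ADDR + "7FF6" + SCTS + "0B" + "027000" + "00" * 8
PLAIN_TEXT = "04" + ADDR + "0000" + SCTS + "05" + "E8329BFD06"

if __name__ == "__main__":
    for name, pdu in (("binary", BINARY_OTA), ("text", PLAIN_TEXT)):
        print(name, stk_markers(pdu))
```

These markers also match legitimate operator over-the-air SIM updates, so an alert is only meaningful when the sender is not the operator's own OTA platform.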
