GOPHERSET: NSA Exploit of the Day
Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:
(TS//SI//REL) GOPHERSET is a software implant for GSM (Global System for Mobile communication) subscriber identity module (SIM) cards. This implant pulls Phonebook, SMS, and call log information from a target handset and exfiltrates it to a user-defined phone number via short message service (SMS).
(TS//SI//REL) Modern SIM cards (Phase 2+) have an application program interface known as the SIM Toolkit (STK). The STK has a suite of proactive commands that allow the SIM card to issue commands and make requests to the handset. GOPHERSET uses STK commands to retrieve the requested information and to exfiltrate data via SMS. After the GOPHERSET file is compiled, the program is loaded onto the SIM card using either a Universal Serial Bus (USB) smartcard reader or via over-the-air provisioning. In both cases, keys to the card may be required to install the application depending on the service provider’s security configuration.
Unit Cost: $0
Status: (U//FOUO) Released. Has not been deployed.
In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.