As many as one quarter of all mobile phones in use in the world today could be vulnerable to an SMS attack that allows hackers to gain full control of the phone. The vulnerability was discovered in the outdated, 1970s-era cryptography technique called DES encryption that’s still used by around half of all SIM cards.
Karsten Nohl, founder of Germany’s Security Research Labs, whose previous hacking achievements including cracking transport smartcard keys using a microscope and breaking through GPRS encryption, gave details of the attack to both the New York Times and Forbes. He plans to outline the vulnerability in more detail at the Black Hat Conference in Las Vegas next month.
Nohl hasn’t yet revealed the full details of how the vulnerability works, but he told the two websites that it was possible to obtain the 56-bit DES encryption key of a SIM card simply by sending an SMS that tricks the phone into thinking it comes from the phone’s operator. Once in possession of the key, Kohl then sends a second SMS that installs software on the target device, giving him full control over the phone – and with it the ability to eavesdrop on calls, steal personal data including passwords and logins, and send or make calls to premium rate phone numbers.
“We can spy on you. We know your encryption keys for calls. We can read your SMSs. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account.”
According to Forbes, the source of the vulnerability is thought to be an Oracle product known as Java Card, which is meant to provide a “secure environment for applications that run on smart cards and other devices with limited memory and processing capabilities.
Worldwide, there are thought to be more than 7 billion SIM cards currently in use. To ensure security and privacy, all SIM cards use some kind of encryption when communicating with their carrier, but the standards for this encryption vary wildly from carrier to carrier. According to Nohl, around half of all SIM cards still use the outdated DES (Date Encryption Standard) from the 1970s, which is the weakest form of encryption, rather than the newer triple-DES. Not all DES encrypted phones are susceptible to this exploit, however in a sample of 1,000 SIMs tested over a two year period, around 250 of these were found to be vulnerable.
Most US users are probably safe from the exploit. According to Forbes, both Verizon and AT&T stated that they were aware of Nohl’s research, and insisted that their own SIM cards were not affected by the flaw – AT&T claims that all of its SIMS use triple-DES, though Verizon refused to explain why its own SIMs aren’t vulnerable. However a third carrier, Vodafone, refused to answer any questions about the flaw and its SIM card encryption methods, which suggests that at least some of its phones may be vulnerable.
Perhaps the real risk could be for mobile phone users in developing nations. SIM card-based payments are most common in African countries where banking infrastructure is lacking, and so the exploit would be particularly damaging to users in those countries if hackers are able to gain knowledge of it. In addition, Nohl says that the flaw could also hinder the deployment of NFC payments.
At least for now, we’re probably safe. Kohl says that while hackers now know about the flaw, it should take them at least six months to crack it. In the meantime, the vulnerability has already been disclosed to the GSM Association, which is planning to issue an advisory on how to fix the flaw to all mobile phone operators.
Appearing on NewsDesk this morning, SiliconANGLE Contributing Editor John Casaretto provides his own analysis of the SIM card vulnerability.
Casaretto acknowledges the fact that there are better encryption methods such as triple-DES and AES (Advanced Encryption Standard) and states that most new SIM cards are already equipped with the encryption method. He adds that the problem lies in older SIM cards but carriers are working to make even these older SIM cards more secured.
For consumers, there isn’t any easy way of telling if their own SIM uses the old encryption method, says Casaretto. However, if your SIM is three years or older, there’s a good chance that it’s still using the dated method. If this is the case, consumers can request a SIM card replacement from their carrier, he adds.
Casaretto goes onto explain the motivations of Kohl and his team. So-called ‘White Hat’ hackers are considered good guys in the industry, he explains. They search for security flaw in the hopes that the industry will address them and fortify their security measures for the sake of the consumers. This case in particular has a tendency to change industry norms since the vulnerability is widespread.
“If it’s something that affects just a small population, you notify the company, ‘this is how it works,’ ideally they fix it, if they don’t then you start to go public because it’s affecting a lot of people,” says Casaretto.
“If it’s widespread, you go down this route of public notifications so that if it affects one company but it also affects this other company, this company, and this company, now there’s a problem in the industry and that’s exactly what has happened here. A lot of SIM cards using this older technology it was the standard at one time and there’s too many old ones out there so it’s a pretty big hole and I think that this really forces people to make a lot of changes a lot quicker this way because this becomes a widespread and a well known vulnerability and there’s going to be a lot of people who will try to simulate the exact same thing to exploit it.”
For more of Casaretto’s Breaking Analysis, check out the NewsDesk video below: