Encryption Bug in SIM Card Can be Used to Hack Millions of Phones

Encryption Bug in SIM Card Can be Used to Hack Millions of Phones

  

About half of the SIM cards in use today still rely on the older DES encryption rather than the newer and more secure triple-DES, Nohl estimated. Over a two-year period, Nohl tested 1,000 SIM cards in Europe and North America and found that a quarter of them were vulnerable to attack. He believed that as many as 750 million phones may be affected by this flaw.

"Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it," Nohl told Forbes.

Description of Attack
Carriers can send text messages for billing purposes and to confirm mobile transactions. Devices rely on digital signatures to verify the carrier is the one sending the message. Nohl sent out fake messages pretending to be from the mobile carrier containing a false signature. In three-quarters of messages sent to mobile phones using DES, the handset correctly flagged the fake signature and terminated the communication. However, in a quarter of cases, the handset sent an error message back and icluded its encrypted digital signature. Nohl was able to derive the SIM's digital key from that signature, Forbes reported.

"Different shipments of SIM cards either have [the bug] or not," Nohl told Forbes. "It's very random," he said.

With the SIM key in hand, Nohl could send another text message to install software on the targeted phone to perform a wide range of malicious activities, including sending out text messages to premium-rate numbers, eavesdropping on calls, re-directing incoming calls to other numbers, or even carry out payment system fraud, according to Forbes. Nohl claimed the attack itself took him only a few minutes to carry out from a PC.

"We can spy on you. We know your encryption keys for calls. We can read your SMSs. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account," Nohl told the New York Times

ADVERTISEMENohl has already disclosed the vulnerability to the GSM Association, a mobile industry group based in London. GSMA had already notified network operators and SIM vendors who could be affected. "A minority of SIMS produced against older standards could be vulnerable," the group's spokesperson told The New York Times.

The International Telecommunications Union, a United Nations group, told Reuters the research was "hugely significant," and that the group will be notifying telecommunications regulators and other government agencies in nearly 200 countries. ITU will also reach out to mobile companies, academics and other industry experts, Reuters reported.

With the information about vulnerability now public, cyber-criminals will likely take at least six months to crack the flaw, Nohl said. This will give carriers and the rest of the wireless carriers time to implement the fixes.

Nohl told Forbes the industry should use better filtering technology to block spoofed messages and to phase out SIM cards using DES. Consumers using SIM cards more than three years old should request new cards (likely using triple-DES) from their carriers, Nohl recommended.

Image via Flikr user