Cell phone SIM Card hack / exploit identified (RT Report)

Strongsidejedi

http://rt.com/news/karsten-nohl-sim-hack-468/

Code-breaker Karsten Nohl: ‘Phone users can’t do much against SIM hackers’

Published time: July 23, 2013 13:25

Renowned German code-breaker Karsten Nohl, who uncovered a design flaw in around 750 million SIM cards around the world leaving them vulnerable to hack attacks, told RT that phone users are helpless against hackers.

“SIM cards were the last widely-used [piece of] technology left that no one had broken yet,” said Nohl, who made headlines on Sunday saying that his team found a flaw that would allow hackers to remotely access personal data and authorize illegal transactions within minutes.

---

The bug affects the SIM card, the plastic circuit board that contains key phone user data, which is considered to be the most-secure part of the phone, and has not been hacked in a similar fashion in a decade. By finding out the unique encryption key of each SIM card with just one hidden text message, Nohl is able to get complete remote control of an individual’s phone.

Nohl said the programming flaw can be exploited both for financial fraud and surveillance.

“The worst case scenario that I could foresee is criminals acquiring enough information to hack a few million cards in the country,” Nohl added. “The main short term threat after criminals finally acquire this attack method is fraud. They will abuse the cards to send premium SMS, for instance. They can also steal banking tokens from them in countries where that is used.”

The other thing to worry about, Nohl warns, is surveillance, “because the SIM cards do encrypt all the voice communications originating from a phone as well as data communication. All of this can be intercepted and decoded by a well-equipped surveillance team.”

---

The phone users are left in the dark in all of this as there is no way to tell when a SIM card is being hacked. “The best bet currently is to wait for the network to implement countermeasures before the abuse starts and should abuse happen in your network, ask for a new SIM card,” explains Nohl.

Nohl said his team had been unsuccessfully attempting to breach SIM cards since 2011, using over-the-air-programming (OTA) – unseen text messages that are sent by the mobile phone operator to change settings on the phone of a user within their network.

In the end, the flaw was found by accident after Nohl noticed that when he attempted to send certain incorrect OTA commands, he would receive an error message that also contained the unique encryption code belonging to that phone – its virtual key. The code was easily decrypted – Nohl says the process takes him one minute. With the phone now at his disposal, he could command it to do anything from his own computer, without the user ever suspecting anything was amiss.

The bug was not found in every SIM card tested and Nohl estimates that it is present in about a quarter of SIM cards using Data Encryption Standard (DES), putting about 750 million users worldwide at risk.

While leading companies have released statements acknowledging the flaw, and claiming they are working to eradicate it, authorities have urged calm among ordinary users, noting that no criminal damage appears to have been done so far.

Edited by admin on 11/08/2014 - 06:01
Strongsidejedi
more on sim cards and phones

Response from the cell carriers is published in this story:

From http://www.digitaltrends.com/mobile/sim-card-hack-us-owners-free/

"Luckily, you may not have to worry. Despite the many vague and scary reports circulating, if you live in the United States, your SIM card (that little card that usually sits under your phone’s battery) is probably not at risk of being hacked.

Representatives from all four major wireless carriers in the United States – AT&T, Sprint, T-Mobile, and Verizon – have confirmed with Digital Trends that they do not use the older, 56-bit DES (Data Encryption Standard) SIMs that are vulnerable to Nohl’s exploit. This aging standard from 1977 is still used in some areas around the world, and is far less secure than newer 1998 standards like AES (Advanced Encryption Standard) and Triple DES. This means that the vast majority of subscribers in the United States are safe. Most smaller carriers like Virgin, Boost, Ting, and others piggy back off of the major carrier networks, making them safe from this exploit as well.

Sprint and Verizon, which didn’t use SIM cards at all until they began deploying high-speed 4G LTE networks, told us that “100 percent” of their SIM cards use newer, safer encryption standards.

“Verizon SIM cards are not vulnerable to this potential attack because of the way they are designed and manufactured,” said a Verizon representative. “We take the privacy and security of our customers very seriously, and will continue to work with our SIM card vendors, industry groups, and others to prevent and thwart any security concerns.”

AT&T and T-Mobile did use the vulnerable DES standard in the past, but have used Triple DES for many years. AT&T representatives said that it has not used the hackable standard for “nearly a decade.” T-Mobile hasn’t used it for “at least seven years.” If you happen to own a phone that’s bordering on seven years old, go buy a new one. Otherwise, you’re safe."
