After three years of research, hacker and cryptographer Karsten Nohl (Security Research Labs, Berlin) has finally found encryption and software flaws that could affect millions of SIM cards and open the door on mobile phones to surveillance and fraud.
Karsten Nohl will present his findings at the Black Hat security conference in Las Vegas on July 31. His team tested close to 1,000 SIM cards and found vulnerabilities that can be exploited simply by sending a hidden SMS. The attack relies on an outdated encryption standard (single DES) together with code flaws in the cards themselves. It lets an attacker anywhere in the world remotely infect a SIM with malicious code that sends premium-rate text messages (draining the victim's phone bill), redirects and records calls, and carries out several kinds of payment fraud.
Payment fraud would be a major problem for mobile users in the countries where SIM-based payments are standard. NFC payment deployments could also be at risk, as could carriers' ability to correctly attribute charges to each subscriber's account.
An eighth of the world's SIM cards could be vulnerable (about 500,000,000 mobile devices). At least two large carriers have already asked their white-hat researchers to produce a patch for the SIM vulnerability, which they will share with other operators through the wireless trade body GSMA. Carriers are willing to work together on security topics because the competition here is not AT&T versus T-Mobile but organized crime. AT&T, for instance, confirmed that it has shipped SIMs using Triple DES (3DES) for almost a decade, which should be enough to keep its cards out of reach of the flaw.
“Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it.” - Nohl
SIM cards are small computers with their own operating system and software (applets written in Java Card). Many of them still protect their management interface with DES, a cipher with a 56-bit key. DES was designed by IBM in the 1970s and reviewed and modified with NSA input before it became a US federal standard in 1977; its 56-bit key has been considered too short since the 1990s. We know that AT&T and about every carrier in Germany (the current leader in SIM security) moved away from single DES. There is no up-to-date information about carriers here in the US, but we do know that some of them still use the old DES protocol.

The problem sits at the meeting point of Java Card code and OTA (over-the-air programming). OTA is the SIM's patching system: when an operator needs to update something on your SIM, e.g. to enable roaming with a carrier in another country, it sends your phone a binary SMS that makes the SIM run the right Java Card program. This is a text message you never see. Each OTA command carries a cryptographic signature (a DES-based checksum) computed with a key known only to the operator and the card. If you send a command with a wrong signature, most cards simply refuse it, but some answer with an error message, and some of those sign that error message with the same DES key. That signed error is a known message with a known 56-bit MAC, which is exactly what a rainbow table is built for: recovering the card's key takes about a minute. The key gives you "root" on the SIM (not on the phone itself): you can load any application onto the card, including malware that uses the SIM toolkit to send SMS or redirect calls.
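To make the signed-error leak concrete, here is an added example (my own Go code, not Nohl's tooling or anything from the original post). It models an OTA exchange with a simplified packet layout loosely patterned on the GSM 03.48 fields (TAR, counter, status, cryptographic checksum); the exact wire format, the key bytes, the TAR and the "INSTALL applet" payload are all constructed for the demo. The card verifies the DES CBC-MAC on an incoming command, rejects it, and, as the vulnerable cards do, signs the error response with the same key. The attacker then uses that known body and MAC to search for the key. The real attack searches the full 56-bit space with precomputed rainbow tables; to run in seconds this demo assumes the first six key bytes are already known and only searches the last two, which is purely a demo shortcut.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// Proof-of-receipt (PoR) status codes, patterned on GSM 03.48 (simplified).
const (
	porOK       = 0x00
	porCCFailed = 0x01 // cryptographic checksum did not verify
)

// cbcMAC is a zero-IV CBC-MAC (ISO 9797-1 algorithm 1) over msg, zero-padded
// to the 8-byte block size. It stands in for the "cryptographic checksum"
// (CC) that protects an OTA command packet and its proof-of-receipt.
func cbcMAC(block cipher.Block, msg []byte) []byte {
	bs := block.BlockSize()
	padded := make([]byte, (len(msg)+bs-1)/bs*bs)
	copy(padded, msg)
	mac := make([]byte, bs)
	for i := 0; i < len(padded); i += bs {
		for j := 0; j < bs; j++ {
			mac[j] ^= padded[i+j]
		}
		block.Encrypt(mac, mac)
	}
	return mac
}

// newMACCipher picks single DES for an 8-byte key and two-key 3DES (K1,K2,K1)
// for a 16-byte key: the weak and the strong option an operator can provision.
func newMACCipher(key []byte) cipher.Block {
	var b cipher.Block
	var err error
	switch len(key) {
	case 8:
		b, err = des.NewCipher(key)
	case 16:
		k := append(append([]byte{}, key...), key[:8]...)
		b, err = des.NewTripleDESCipher(k)
	default:
		panic("key must be 8 (DES) or 16 (3DES) bytes")
	}
	if err != nil {
		panic(err)
	}
	return b
}

// Command is a constructed, simplified OTA command packet: header || CC || data.
// Real 03.48 packets carry more fields (CPL, CHL, SPI, KIc, KID, PCNTR).
type Command struct {
	Header []byte // TAR(3) || CNTR(5)
	CC     []byte // 8-byte cryptographic checksum over Header || Data
	Data   []byte // secured payload, e.g. an applet install command
}

func buildCommand(key, header, data []byte) Command {
	msg := append(append([]byte{}, header...), data...)
	return Command{Header: header, CC: cbcMAC(newMACCipher(key), msg), Data: data}
}

// PoR is the card's proof-of-receipt. Body is fully predictable by the
// attacker (it echoes TAR and counter and adds a status byte), so a signed
// error hands out a known-plaintext/MAC pair under the card's key.
type PoR struct {
	Body []byte // TAR(3) || CNTR(5) || status(1)
	CC   []byte // nil when the card does not sign the response
}

// cardHandle models the SIM: verify the command CC, answer with a PoR, and
// (on the vulnerable cards) sign the PoR even when the command was rejected.
func cardHandle(cardKey []byte, cmd Command, signErrors bool) PoR {
	b := newMACCipher(cardKey)
	expect := cbcMAC(b, append(append([]byte{}, cmd.Header...), cmd.Data...))
	status := byte(porCCFailed)
	if bytes.Equal(expect, cmd.CC) {
		status = porOK
	}
	por := PoR{Body: append(append([]byte{}, cmd.Header...), status)}
	if status == porOK || signErrors {
		por.CC = cbcMAC(b, por.Body)
	}
	return por
}

// recoverDESKey finds a single-DES key that produces mac over body. DES ignores
// the low (parity) bit of every key byte, so only 56 bits are searched; the
// recovered key may differ from the card's in those bits but is equivalent.
// Demo assumption: knownPrefix is the first 6 key bytes, so 2^14 candidates remain.
func recoverDESKey(knownPrefix, body, mac []byte) ([]byte, bool) {
	key := make([]byte, 8)
	copy(key, knownPrefix)
	for k := 0; k < 1<<16; k++ {
		if k&0x0101 != 0 { // skip parity-bit variants
			continue
		}
		key[6], key[7] = byte(k>>8), byte(k)
		if bytes.Equal(cbcMAC(newMACCipher(key), body), mac) {
			return append([]byte{}, key...), true
		}
	}
	return nil, false
}

func main() {
	cardKey := []byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xAB, 0xCD} // constructed
	header := []byte{0xB0, 0x00, 0x10, 0, 0, 0, 0, 0x2A}                // TAR || CNTR
	payload := []byte("INSTALL applet")                                // stand-in

	// 1. Attacker sends a command with a garbage CC and asks for a signed PoR.
	bogus := Command{Header: header, CC: make([]byte, 8), Data: payload}
	por := cardHandle(cardKey, bogus, true)
	fmt.Printf("status=%#x signed error CC=%x\n", por.Body[8], por.CC)

	// 2. Known body + MAC: search the key (rainbow tables in the real attack).
	key, ok := recoverDESKey(cardKey[:6], por.Body, por.CC)
	fmt.Printf("recovered key=%x found=%v\n", key, ok)

	// 3. A command signed with the recovered key is accepted: "root" on the SIM.
	good := buildCommand(key, header, payload)
	fmt.Printf("forged command status=%#x\n", cardHandle(cardKey, good, true).Body[8])
}
```

Two things fall out of the model. A card that refuses to sign error responses (signErrors false) gives the attacker nothing to search, and a card provisioned with a 16-byte 3DES key makes the same verify-and-search loop face a 112-bit space, which is why AT&T's decade of 3DES SIMs matters. The search here is deliberately crippled to a known prefix; the point of Nohl's work is that for single DES the full space is within reach of a precomputed table.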
Karsten Nohl also found a second flaw, which allows even deeper access to the SIM and is caused by mistakes on the part of SIM card manufacturers (Gemalto and Oberthur Technologies). Java Card runs each applet, such as the payment applets from PayPal, Visa and other providers, in its own sandbox, so applets are supposed to be shielded from one another and from the rest of the SIM. With a suitably crafted malicious applet installed, that boundary can be broken and the data other applets keep can be read, and this is a major, major flaw.
Black Hat USA is the show that sets the benchmark for other security conferences. The Briefings take place regularly in Las Vegas, Barcelona, Amsterdam, Abu Dhabi and occasionally Tokyo, and an event dedicated to federal agencies is organized in Washington, D.C. This year's topics will revolve around Android hacking and attacking automated homes. I will follow the conference with great interest and give you all the information you need after the briefing.