SIM card flaw could put nearly half a billion phones at risk

Shawn Knight


Smartphones have been the target of countless hacking attempts although there has always been one part of the phone that remained foolproof – the SIM card. That unfortunately is no longer the case as a German cryptographer by the name of Karsten Nohl claims to have found encryption and software flaws that could potentially affect millions of users.

Nohl and his team have been working to find SIM card vulnerabilities for the past three years. What he ultimately found, a two-part flaw that is based on an old security standard and poorly configured code, could allow a hacker to infect a SIM card with a virus. Once compromised, the hacker could force a handset to send premium text messages, carry out payment system fraud or even record and redirect phone calls.

After testing nearly 1,000 SIM cards, Nohl concluded that there simply isn’t an obvious pattern to go by. As he noted, different shipments of SIM cards either do or do not have the bug. His research found that slightly less than a quarter of all the SIM cards he tested could be hacked. He further pointed out that when you factor in varying encryption methods used around the world, nearly half a billion mobile devices could be vulnerable.

The good news (for now, at least) is that he believes cyber criminals have not yet discovered the bug. Now that news of it is spreading, however, it’ll probably only take around six months or so before hackers are able to crack it. With any luck, the wireless industry will have taken note and issued a fix.

Nohl will be presenting his findings at the Black Hat security conference in Las Vegas at the end of the month.


 
Very interesting development here. Mobile phone security is really lacking at the moment.
 
Well, if this happens with a SIM card... what should we expect about the chip on a credit card?
 
The risk analysis is total bullshit. Does anyone have access to all the SIMs in the field? NO, only MNOs have that. A vulnerability in a SIM is only effective in cracking one SIM physically at a time. For it to be risky, you need to be the network operator to run a massive campaign to crack the card. However, as the operator, they should already have the secret codes of these SIMs. So, what is there to hack for the operator?

In a nutshell, we should only panic if telco operator networks are hacked. Then, something really serious can happen. Hacking one SIM at a time is laughable especially with the high chunk rate. Readers that got so scared, think again.

The credit cards have their own standardizations as well. Enforced by the banks and Mastercard / Visa as well. So, naive to think a telecom vulnerability can somehow equate to credit cards as well.
 
Contact and contactless chips are an entirely different kettle of fish. The original MIFARE cards had retarded security. Non-existent. Newer ones are better but not sure if they have solved the obvious issues.
 
... a two-part flaw that is based on an old security standard and poorly configured code...

Yet it took him and his team three years (after 1000 SIM cards) to find it, and only 1 in 4 can be hacked by this flaw? That is pretty good in my book. Now Mr. Nohl, please do us all a big favor and keep this flaw to yourself because no hacker will spend 3-5 years looking for this flaw. They have easier targets to exploit and that is enough headache for all of us.
 