
SIM card DES flaw could affect up to 500 million users


Flaws in SIM cards could allow an attacker to take control of one and even clone it.

German security researcher Karsten Nohl will present his findings, based on tests of 1,000 SIM cards, at the Black Hat conference in Las Vegas this week.

According to Forbes, the flaws stem from an outdated encryption standard and badly configured software. With the right combination of bugs, they could allow an attacker to remotely infect a SIM with malware that sends premium-rate text messages, surreptitiously redirects and records calls, and carries out payment-system fraud.

Nohl said that just under a quarter of the SIM cards he tested could be hacked, and estimated that an eighth of the world's SIM cards, about half a billion mobile devices, could be vulnerable. He also said the attack only works on SIMs that still use the older DES encryption algorithm.

Nohl said in a blog post that security updates are delivered to SIMs over the air in binary SMS messages, and that while the option exists to protect them with state-of-the-art AES or with 3DES, many (if not most) SIM cards still rely on the DES cipher.

“To derive a DES over-the-air key, an attacker starts by sending a binary SMS to a target device. The SIM does not execute the improperly signed OTA command, but does in many cases respond to the attacker with an error code carrying a cryptographic signature, once again sent over binary SMS. A rainbow table resolves this plaintext-signature tuple to a 56-bit DES key within two minutes on a standard computer,” he said.

He said that once the DES key is cracked, the attacker can send a signed binary SMS, which downloads Java applets onto the SIM. These applets can send SMS messages, change voicemail numbers and query the phone location, among many other predefined functions.
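The key-derivation step in the quote above, reduced to a runnable model. This is an added example, not code from the article or from Nohl's research, and it makes three stand-in assumptions: a keyed SHA-256 truncated to four bytes plays the role of the DES cryptographic checksum on the error response, the key space is cut from 56 bits to 18 so the table builds in seconds, and the error-response plaintext is a constructed byte string rather than a real response packet. What carries over unchanged is the rainbow-table machinery: precomputed chains of sign-then-reduce steps stored only as (end point, start point) pairs, column-dependent reduction functions so that colliding chains do not merge, and an online phase that re-walks a chain once its end point matches.

```python
"""Rainbow-table key recovery from one known plaintext/signature pair.

Added illustration, not the article's or Nohl's code. Assumptions: a keyed
SHA-256 truncated to 4 bytes stands in for the DES signature, the key space
is KEY_BITS wide instead of 56, and KNOWN_PLAINTEXT is constructed.
"""
from __future__ import annotations

import hashlib

KEY_BITS = 18
KEY_SPACE = 1 << KEY_BITS
CHAIN_LEN = 64        # t: sign/reduce steps per chain
NUM_CHAINS = 6000     # m: chains kept; m * t is about 1.5 * KEY_SPACE

# Constructed stand-in for the error response the SIM signs (the attacker
# knows it in full because it is determined by the command he sent).
KNOWN_PLAINTEXT = b"constructed-PoR-error-0x01"


def sign(key: int, msg: bytes) -> bytes:
    """Stand-in for the DES-based signature: a 32-bit keyed digest of msg."""
    return hashlib.sha256(key.to_bytes(7, "big") + msg).digest()[:4]


def reduce_sig(sig: bytes, column: int) -> int:
    """Reduction function R_column: map a signature back into the key space.
    Mixing in the column is what makes this a rainbow table: two chains that
    collide in different columns continue differently instead of merging."""
    return (int.from_bytes(sig, "big") ^ (column * 0x9E3779B1)) & (KEY_SPACE - 1)


def build_table(msg: bytes) -> dict[int, list[int]]:
    """Offline phase: walk m chains of length t, store end point -> start points."""
    table: dict[int, list[int]] = {}
    for start in range(NUM_CHAINS):
        key = start
        for column in range(CHAIN_LEN):
            key = reduce_sig(sign(key, msg), column)
        table.setdefault(key, []).append(start)
    return table


def recover_key(sig: bytes, msg: bytes, table: dict[int, list[int]]) -> int | None:
    """Online phase: return a key k with sign(k, msg) == sig, or None if uncovered."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: the target key sits at this column; walk to the chain end.
        key = reduce_sig(sig, column)
        for c in range(column + 1, CHAIN_LEN):
            key = reduce_sig(sign(key, msg), c)
        for start in table.get(key, ()):
            # Re-walk the candidate chain from its start and test every key in it.
            candidate = start
            for c in range(CHAIN_LEN):
                if sign(candidate, msg) == sig:
                    return candidate
                candidate = reduce_sig(sign(candidate, msg), c)
            # End points matched but the chain never held the key: a false alarm.
    return None


def recovery_rate(table: dict[int, list[int]], msg: bytes, samples: int = 40) -> float:
    """Fraction of spread-out target keys the table recovers (coverage estimate)."""
    hits = 0
    for i in range(samples):
        target = (i * 7919 + 13) & (KEY_SPACE - 1)
        found = recover_key(sign(target, msg), msg, table)
        if found is not None and sign(found, msg) == sign(target, msg):
            hits += 1
    return hits / samples


if __name__ == "__main__":
    table = build_table(KNOWN_PLAINTEXT)
    victim_key = 0x2A5F1
    recovered = recover_key(sign(victim_key, KNOWN_PLAINTEXT), KNOWN_PLAINTEXT, table)
    print("recovered key:", None if recovered is None else hex(recovered))
    print("table coverage:", recovery_rate(table, KNOWN_PLAINTEXT))
```

The online phase costs about t^2/2 signature evaluations per lookup regardless of key size, which is why the real attack resolves a 56-bit key "within two minutes on a standard computer": the expensive part, roughly 2^56 signature evaluations, is paid once when the table is built. The same construction against 3DES or AES would have to cover 2^112 or 2^128 keys, which no precomputation can, and that is the whole difference between the vulnerable and the safe SIMs.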

To defend against the attack, Nohl recommended improvements to the SIM cards themselves, the use of SMS firewalls on handsets, and in-network SMS filtering.
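The last two recommendations come down to inspecting inbound binary SMS before it reaches the SIM. The following is an added example of such a filter; it is not code from the article, from Nohl or from the GSMA. The command-packet layout (CPL, CHL, SPI, KIc, KID, TAR, CNTR, PCNTR, RC/CC/DS, secured data) and the KID and SPI bit codings in the comments are the editor's reading of GSM 03.48 and ETSI TS 102 225, which the article does not cite; the TP-PID value for SIM data download is from GSM 03.40; the gateway number and the two sample packets are constructed. It flags exactly the combination the attack needs: a request for a cryptographically signed proof of receipt on a keyset whose KID selects single DES.

```python
"""Inbound OTA SMS inspection for an in-network or handset SMS filter.

Added example, not code from the article, Nohl or the GSMA. Assumptions: the
packet layout and bit codings below are the editor's reading of GSM 03.48 /
ETSI TS 102 225; messages are modelled as a small record, not raw TPDUs; the
allow-listed gateway number and the sample packets are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

TP_PID_SIM_DATA_DOWNLOAD = 0x7F        # GSM 03.40 TP-PID for (U)SIM data download
OTA_GATEWAY_ALLOWLIST = {"+15550100"}   # constructed operator OTA sender


@dataclass
class BinarySms:
    originator: str
    tp_pid: int
    user_data: bytes   # 03.48 command packet with the user-data header stripped


@dataclass
class CommandHeader:
    spi: int           # security parameter indicator (2 bytes)
    kic: int           # ciphering key identifier
    kid: int           # RC/CC/DS key identifier
    tar: bytes         # toolkit application reference (3 bytes)
    counter: int       # replay counter (5 bytes)
    pcntr: int         # padding counter
    rc_cc_ds: bytes    # redundancy check / cryptographic checksum / signature
    secured_data: bytes


def build_command_packet(spi: int, kic: int, kid: int, tar: bytes, counter: int,
                         pcntr: int, rc_cc_ds: bytes, secured_data: bytes) -> bytes:
    """Assemble a command packet; CPL and CHL are derived from the content."""
    header = (spi.to_bytes(2, "big") + bytes([kic, kid]) + tar
              + counter.to_bytes(5, "big") + bytes([pcntr]) + rc_cc_ds)
    body = bytes([len(header)]) + header + secured_data
    return len(body).to_bytes(2, "big") + body


def parse_command_packet(data: bytes) -> CommandHeader:
    """Parse the header, rejecting length fields that disagree with the payload."""
    if len(data) < 3:
        raise ValueError("packet shorter than CPL+CHL")
    if int.from_bytes(data[:2], "big") != len(data) - 2:
        raise ValueError("CPL does not match packet length")
    chl = data[2]
    header = data[3:3 + chl]
    if len(header) != chl or chl < 13:
        raise ValueError("CHL does not match header length")
    return CommandHeader(
        spi=int.from_bytes(header[0:2], "big"), kic=header[2], kid=header[3],
        tar=header[4:7], counter=int.from_bytes(header[7:12], "big"),
        pcntr=header[12], rc_cc_ds=header[13:], secured_data=data[3 + chl:])


def kid_algorithm(kid: int) -> str:
    """KID b2b1: 00 implicit, 01 DES family, 10 AES (TS 102 225), 11 proprietary.
    For the DES family b4b3: 00 DES-CBC, 01 2-key 3DES, 10 3-key 3DES, 11 reserved."""
    algorithm, mode = kid & 0x03, (kid >> 2) & 0x03
    if algorithm == 0x01:
        return {0: "DES-CBC", 1: "3DES-2key", 2: "3DES-3key", 3: "reserved"}[mode]
    if algorithm == 0x02:
        return "AES"
    return "implicit" if algorithm == 0x00 else "proprietary"


def por_is_signed(spi: int) -> bool:
    """Second SPI byte: b2b1 PoR mode (00 none, 01 always, 10 on error only);
    b4b3 PoR protection (00 none, 01 RC, 10 CC, 11 DS). True for CC or DS."""
    second = spi & 0xFF
    return (second & 0x03) in (1, 2) and ((second >> 2) & 0x03) in (2, 3)


def classify(sms: BinarySms) -> tuple[str, list[str]]:
    """Return (decision, findings): block, warn or allow."""
    if sms.tp_pid != TP_PID_SIM_DATA_DOWNLOAD:
        return "allow", ["not a SIM data-download message"]
    findings: list[str] = []
    foreign = sms.originator not in OTA_GATEWAY_ALLOWLIST
    if foreign:
        findings.append("originator is not an operator OTA gateway")
    try:
        hdr = parse_command_packet(sms.user_data)
    except ValueError as exc:
        return "block", findings + [f"malformed command packet: {exc}"]
    alg = kid_algorithm(hdr.kid)
    if alg.startswith("DES"):
        findings.append(f"KID selects single DES ({alg})")
    if por_is_signed(hdr.spi):
        findings.append("signed proof of receipt requested")
    if foreign:
        return "block", findings
    return ("warn" if alg.startswith("DES") else "allow"), findings


# Constructed samples. SPI 0x020A asks for a CC on the command and a CC-signed
# PoR on error; the attacker's CC is forged (zeros), which is what the SIM answers.
ATTACKER_PROBE = build_command_packet(0x020A, 0x00, 0x11, b"\x00\x00\x00", 0, 0, bytes(8), b"\x00\x00")
OPERATOR_3DES = build_command_packet(0x020A, 0x15, 0x15, b"\x00\x00\x00", 42, 0, bytes(8), b"\x00\x00")
```

Operator traffic on a DES keyset is only warned about, so the same code doubles as an audit of which keysets still use single DES. The filter limits who can reach a DES-only SIM; it does not make that SIM strong, which is why Nohl's first recommendation is better SIMs rather than better filters.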

A spokeswoman for the GSMA, which represents nearly 800 mobile operators worldwide, said it has reviewed the research.

“We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted,” said GSMA spokeswoman Claire Cranton.
