SIM card DES flaw could affect up to 500 million users

News by Dan Raywood

Flaws in SIM cards could allow an attacker to take control of one and even clone it.

Flaws in SIM cards could allow an attacker to take control of one and even clone it.

Presenting at the Black Hat conference this week in Las Vegas, German security researcher Karsten Nohl will present his findings based on the tests of 1,000 SIM cards.

According to Forbes, the encryption and software flaws are based on an old security standard and badly configured code, and could allow hackers to remotely infect a SIM with a virus that sends premium text messages, surreptitiously re-direct and record calls, and carry out payment system fraud, with the right combination of bugs.

Nohl said that just under a quarter of all the SIM cards he tested could be hacked, but estimated that an eighth of the world's SIM cards could be vulnerable, or about half a billion mobile devices. He also said the hack only works on SIMs that use an old encryption technology known as DES.

Nohl said in a blog post that while security updates delivered in over-the-air updates deployed via SMS, the option exists to use state-of-the-art AES or the 3DES algorithm, but many (if not most) SIM cards still rely on the DES cipher.

“To derive a DES over-the-air key, an attacker starts by sending a binary SMS to a target device. The SIM does not execute the improperly signed OTA command, but does in many cases respond to the attacker with an error code carrying a cryptographic signature, once again sent over binary SMS. A rainbow table resolves this plaintext-signature tuple to a 56-bit DES key within two minutes on a standard computer,” he said.

He said that once the DES key is cracked, the attacker can send a signed binary SMS, which downloads Java applets onto the SIM. These applets can send SMS messages, change voicemail numbers and query the phone location, among many other predefined functions.

To defend against the attack, Nohl recommended an improvement in SIM cards, the use of handset SMS firewalls and in-networking SMS filtering.

A spokeswoman for the GSMA, which represents nearly 800 mobile operators worldwide, said it has reviewed the research.

“We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted," said GSMA spokeswoman Claire Cranton.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews