Last bastion breached in phone security
A group of European cryptographers have found a fatal flaw in some SIM cards, exposing the possibility of hacking the only part of a mobile phone still considered secure.
German encryption expert Karsten Nohl worked for over three years to try and identify a weakness in the card at the heart of millions of mobile devices; he says he has now found flaws in the software and encryption that could compromise all levels of phone security.
Nohl tested around a thousand SIM cards for all kinds of vulnerabilities, eventually finding a fault that could be exploited based on an old security standard and badly configured code. Access to the SIM card could theoretically allow hackers to remotely infect a SIM to send premium text messages (draining a mobile phone bill), surreptitiously re-direct and record calls, and — with the right combination of bugs — carry out payment system fraud.
Mr Nohl, who is the chief scientist at risk management firm Security Research Labs, says it may not spell the end of the ubiquitous SIM; “Different shipments of SIM cards either have [the bug] or not,” he says, “it’s very random.”
The problem seemingly stems from mobile phone carriers with slightly lower standards of programming, which may still adhere to a digital encryption standard introduced in the 1970s and used on first-generation SIMS. Many larger companies have reportedly updated their protocols in the last few decades.
Since the exploit was discovered several major international mobile phone carriers have expressed interest in working together to create a new standard of security. Karsten Nohl says it is likely hacker communities were already aware of the possible back-door, and they definitely are now. He believes the relatively low proportion of cards vulnerable to attacks and the industry involvement in plugging the gap will result in an effective fix before the problem gets out of hand.
A full report on SIM card flaws will be presented at the upcoming Black Hat Forum.