Sign up for our newsletter
Technology / Cybersecurity

Security researchers claim millions of SIM cards vulnerable to hacking

Researchers at Security Research Labs have discovered a vulnerability on SIM cards, which will allow hackers to take control of a phone.

The vulnerability relates to cards using Data Encryption Standard (DES), developed in 1970s.

Security Research Labs said with over seven billion cards in active use, SIMs may well be the most widely used security token in the world.

"Through over-the-air (OTA) updates deployed via SMS, the cards are even extensible through custom Java software. While this extensibility is rarely used so far, its existence already poses a critical hacking risk," the security firm said.

White papers from our partners

Researchers said to derive a DES OTA key, an attacker starts by sending a binary SMS to a target device.

According to the researchers, the SIM does not execute the improperly signed OTA command, but does in many cases respond to the attacker with an error code carrying a cryptographic signature, once again sent over binary SMS.

Security Research Labs said a rainbow table resolves this plaintext-signature tuple to a 56-bit DES key within two minutes on a standard computer.

Security Research Labs founder Karsten Nohl told the New York Times that about 750 million phones may be vulnerable to attacks.

Nohl said: "We can remotely install software on a handset that operates completely independently from your phone. We can spy on you. We know your encryption keys for calls. We can read your SMSes. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account."

Reuters reported that a United Nations group which advises nations on cybersecurity is planning to send out an alert about significant vulnerabilities in mobile phone technology.

ITU Secretary General Hamadoun Touré told Reuters, "These findings show us where we could be heading in terms of cybersecurity risks."
This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.