Karsten Nohl, founder of Security Research Labs in Berlin, told the New York Times on Sunday that he has discovered a flaw in the encryption technology used in some SIM cards. This vulnerability could allow hackers to eavesdrop on the device owner while in a call, make purchases through mobile payment systems, and possibly even impersonate the device owner. Around 750 million devices could be vulnerable to attacks thanks to this flaw.
According to the paper, the newly discovered encryption hole allows the attacker to obtain the SIM card's 56-digit key. Nohl said that he was able to acquire a key by sending the target device an SMS using a false signature for the device's wireless carrier. Typically, both the device and wireless carrier verify their identities by comparing digital signatures. If a device recognizes a false signature, it will end transmission.
Nohl said that 75 percent of the messages he sent to cellphones recognized the fake signature and immediately ended transmission. However, the other 25 percent broke off communication as well, but they also sent error messages back to Nohl that included their own encrypted digital signatures. That was enough information for Nohl to derive the SIM card's encryption key.
Thus with the correct key in hand, Nohl proceeded to send a virus to the SIM card using a text message. This virus allowed him to perform the hacks as previously stated: eavesdropping, making purchases and so on. He was able to gain access to the device in just two minutes using a PC.
"We can remotely install software on a handset that operates completely independently from your phone," Nohl said. "We can spy on you. We know your encryption keys for calls. We can read your S.M.S.’s. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account."
The flaw was discovered in an encryption method developed in the 1970s called D.E.S., or data encryption standard. Over the last ten years, many wireless carriers have adopted a stronger method of encryption called Triple D.E.S., but currently, around half of the six billion cellphones in use today use the older D.E.S. encryption method. This encryption is supposed to disguise the SIM card and the phone's unique signature.
After discovering the flaw, Nohl spent the next two years testing around 1,000 SIM cards on cellphones connected to mobile networks in Europe and North America. These phones and SIM cards were owned and used by himself and his fellow members on the research team. When his research was concluded, Nohl shared the results with the GSM Association through a process of "responsible disclosure."
Nohl told the GSM Association and chip makers that they need to ditch D.E.S. encryption in favor of the newer standards. They also need to use a better filtering system to block the kind of messages he sent, which in turn provided the info needed to gather SIM keys. Consumers using devices with SIM cards older than three years are suggested to request a new one from their wireless carriers.
The full details of Nohl's findings will be revealed on August 1 during the Black Hat conference in Las Vegas. Nohl said he will not disclose the identities of the wireless carriers using the vulnerable SIM cards.
