A researcher from Germany has discovered a security vulnerability in mobile SIM card encryption that can potentially enable hackers to take control of host handsets remotely.
According to the NYT’s report, cards using DES (Data Encryption Standard) are the most vulnerable.
This is an old standard that several manufacturers have stopped using, but several SIM cards still use it.
Here’s the report by Kevin O’Brien of The Times:
“Karsten Nohl, founder of Security Research Labs in Berlin, said the encryption hole allowed outsiders to obtain a SIM card’s digital key, a 56-digit sequence that opens the chip up to modification. With that key in hand, Mr. Nohl said, he was able to send a virus to the SIM card through a text message, which let him eavesdrop on a caller, make purchases through mobile payment systems and even impersonate the phone’s owner.”
The report also states that it would take Nohl only two minutes to complete the entire process with a typical PC. He also estimates that SIM cards in about 750 million phones are prone to attack.
Mr. Nohl also said the software can be remotely installed on any handset and is independent of the phone. Attackers can spy on you, steal data from the SIM card, read your SMS and calls, and go as far as to steal your phone identity and change your account.
Nohl tested the method on 1,000 cards across Europe and North America. DES is currently deployed in three million phone SIMs around the globe, and 25% are vulnerable to attack. However, he also noted that most carriers now use AES SIMs.
The vulnerability has been reported to the GSMA, the body that oversees how GSM networks are deployed, and it has made SIM makers and other involved parties aware of the issue. Nohl is expected to reveal more details about the exploit at the Black Hat event in August.