A flaw in the encryption technology used by some SIM cards can allow attackers to make the target phone download malicious apps and even effectively clone a user’s card in order to impersonate the device, a German security researcher has found.
After research that lasted some two years and included over a thousand tested devices and the SIMs in them, Karsten Nohl, chief scientist at the Berlin-based Security Research Labs, has concluded that some 500 million SIMs still in use around the world might be vulnerable to the attack.
The hack starts when the attacker sends a command simulating that of the legitimate carrier via SMS to the target device. As the attacker hasn’t got the correct encryption key, the phone does not accept the command, but returns an error message signed with the correct key.
The vulnerable SIMs are those that still use the Data Encryption Standard (DES) for encrypting the key. This encryption is easily broken, and can then be used to remotely reconfigure the SIM so that it accepts further instruction such as to install spying apps without the user being aware of it.
Knowing the encryption key also allows the attacker to clone the SIM, and use the cloned one to authenticate himself as the user. All in all, it takes around to minutes to effect the attack from any computer.
Nohl has been in contact with the GSM Association about his research and has shared with them the results. He is also scheduled to appear this week at the Black Hat Conference in Vegas, where he will demonstrate the exploit.
But, according to the NYT, he doesn’t plan on disclosing in Vegas which operators still use the vulnerable SIM cards, so we can’t actually know if we are in danger or not. For that, we’ll have to wait for December, when he plans of publishing a list of them at the Chaos Communication Congress.