Two months have passed since researcher Karsten Nohl announced that he has found and managed to leverage critical flaws in the encryption technology used by some SIM cards, but the telecommunication companies are yet to react and fix them.
Yes, when he came out with the information and shared it with the telecoms, they say they would look into it. But, as time passed, Nohl became convinced that they are delaying action or even outright planning on not doing anything to fix at least one of them, because it allows them to silently roll out their own software updates to the thusly backdoored phones.
Nohl’s discovery allowed him to discover the DES encryption key of each vulnerable SIM card by simply sending a specially crafted SMS to the target device, then break it and use the knowledge to remotely reconfigure the SIM so that it accepts further instruction such as to install spying apps without the user being aware of it. He was even able to clone the card.
“We thought our story was one of white-hat hacking preventing criminal activities,” he shared with The Register, but said that because no direct crime was currently discovered happening because of these flaws, no investigation has been started about the matter.
Frustrated by the apparent ignoring by the telecom industry and SIM manufacturers, he decided to come out with more details about the vulnerabilities. These details could likely help hackers to replicate his own attacks, but could also force the companies’ hand to do something about it.
Among the companies he contacted was Gemalto, which is the world’s largest SIM card manufacturer, and he got told that the flaws were unimportant.
The companies are right on one thing. For the time being, the attack is rather complex and the attacker must have a good knowledge of the memory layout of the SIM, and of cryptography, and there is probably a minuscule number of attackers who would be able to pull it off.
But, as flawed SIMs increasingly host banking apps, the time will eventfully come when the possibility of stealing huge sums of money will be more likely, and the attackers thusly more motivated.
Unfortunately, he thinks that the companies will listen and effect changes only when a serious attack exploiting the flaws happens.