Sim cards hacked: A single text that unlocks millions of mobiles
New vulnerability identified by mobile security experts blamed on 1970s encryption standards
Millions of mobile phones could be at risk from hackers, according to new research identifying vulnerabilities in the encryption used by Sim cards. Just by sending a specially designed text, security analysts were able to remotely download malware onto handsets.
Although often thought of as just providing a mobile phone’s number, Sim cards (short for subscriber identity module) often store users’ personal data and are the mark by which carriers authenticate individual users.
“With over seven billion cards in active use, Sims may well be the most widely used security token in the world,” says German security expert Karsten Nohl, the individual responsible for uncovering the flaw.
“The cards protect the mobile identity of subscribers, associate devices with phone numbers, and increasingly store payment credentials, for example in NFC-enabled phones with mobile wallets.”
Nohl’s research covered the different systems of encryption used to secure Sim cards, with one standard, DES (Data Encryption Standard), identified as particularly insecure.
Dating back to the 1970s, DES has long been considered insecure, with Nohl’s method allowing the encryption to be cracked “within two minutes on a standard computer”.
By sending a text containing a specially designed binary code, Nohl was able to trick phones into authenticating him as their network provider.
Once this protocol had been established, Nohl could then remotely download software onto the phone, allowing him to send texts, access voicemail and even receive reports on the phone’s physical location.
“These capabilities alone provide plenty of potential for abuse,” said Nohl. “This allows for remote cloning of possibly millions of SIM cards including their mobile identity (IMSI, Ki) as well as payment credentials stored on the card.”
Speaking to the BBC, Nohl suggested that about one in eight of all Sim cards are vulnerable to the hack, and that Africa-based users were particularly at risk. He did, however, say that network operators would be quick to secure their software.
Nohl will give full details of his method at a Black Hat security conference on July 31st but has already provided industry body GSMA with all of his research.
"Karsten's early disclosure to the GSMA has given us an opportunity for preliminary analysis,” said a GSMA spokeswoman. "It would appear that a minority of Sims produced against older standards could be vulnerable."
"There is no evidence to suggest that today's more secure Sims, which are used to support a range of advanced services, will be affected".