750 million phones could be vulnerable in massive SIM security flaw

4.6
The New York Times reports that a security researcher has found a vulnerability in the encryption used by some mobile SIM cards that could let hackers remotely take control of a phone. The flaw relates to cards using DES (Data Encryption Standard) for encryption — it's an older standard that's being phased out by some manufacturers, but is still used by hundreds of millions of SIMs.

Karsten Nohl, the founder of German firm Security Research Labs, discovered that sending a fake carrier message to a phone prompted an automated response from 25 percent of DES SIMs that revealed the cards' 56-bit security key. With that key in hand, Nohl was able to send a virus to the SIM with a text message. The virus allowed him to impersonate the phone's owner, intercept text messages, and even make carrier payments. The New York Times cites Nohl as claiming that the entire operation takes "about two minutes" using a regular PC.

Over the past two years, Nohl has tested his method on around 1,000 cards across North America and Europe. DES is used in around three billion mobile SIMs worldwide, of which Nohl estimates 750 million are vulnerable to the attack. Many carriers use SIMs with the stronger triple-DES encryption method, which are not susceptible to Nohl's method, and DES in general has been phased out in favor of AES (Advanced Encryption Standard).

The flaw has been disclosed to the GSMA, an association made up of mobile operators and other companies in the field that oversees the deployment of GSM networks. The GSMA has informed SIM manufacturers and other companies involved of the situation, who are all analyzing how to best deal with the flaw. With the "responsible disclosure" taken care of, Nohl will detail his attack method at the Black Hat security conference on August 1st. He also plans to publish a "comparative list" detailing the SIM card security of each mobile carrier in December. Hopefully by then the at-risk operators will have taken the necessary steps to neutralize the vulnerability.

Posted:
Related Forum: PC General Forum

Source: http://www.theverge.com/2013/7/21/4542782/sim-card-des-security-flaw-security-research-labs

Comments

"750 million phones could be vulnerable in massive SIM security flaw" :: Login/Create an Account :: 65 comments

If you would like to post a comment please signin to your account or register for an account.

MykhalPosted:

thats just wow that sucks

UG_UnknownPosted:

Why does something always have to be happening!?

SystematicsPosted:

The NSA loophole for spying?

PlusnetPosted:

Cokes
ExoticWolfs Damn, 750 million. :/ I hope I am not one of the 750 million.


Chances are you probably are!


That's a good way to look at it.

LuckyOtterPosted:

DLT
Graqhic WTF that like 1 in 10 people or 1 in 9 people will be vulnerable to this


Yeah but I doubt many people actually know the vulnerability and it's probably a very low chance of actually being targeted.


That sounds like something someone would say the day before all the phones are hacked. Anyway your right I doubt anything will happen and this is just another tech scare that we have every couple of months.

iBulletPosted:

Sounds like real life Watch Dogs type of stuff.

DLTPosted:

Graqhic WTF that like 1 in 10 people or 1 in 9 people will be vulnerable to this


Yeah but I doubt many people actually know the vulnerability and it's probably a very low chance of actually being targeted.

AspersPosted:

WTF that like 1 in 10 people or 1 in 9 people will be vulnerable to this

Trans_AmPosted:

This cannot be good. I hope this isn't just a scare or somthing

CokesPosted:

ExoticWolfs Damn, 750 million. :/ I hope I am not one of the 750 million.


Chances are you probably are!