Encryption Bug in SIM card could affect 750 million phones

DSC00568 All of us are aware about hacking and its ill-effects on our privacy, data security and most importantly the device itself. We also try to take stringent measures like using Anti-virus, Anti-malware, and such softwares to make sure our computers or smartphones are not affected. But, if we think only such physical devices can get affected then we’re totally wrong. According to a research by German firm Berlin’s Security Research Labs, the tiny SIM card residing inside your phone can be hacked as well, that too within a minute. It’s founder and Chief Security Officer Karsten Nohl studied encryption methods in thousands of SIM cards running on telecom networks of USA and Europe over a period of two years and detected a vulnerability which can be accessed remotely. His claims were confirmed by International Telecom Union, an UN group as well GSM Association. In his interview with Forbes, he stated:
Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it.

How this bug works?

Telecom carriers send messages to mobiles for purposes of billing or confirming mobile transactions. The devices verify these carrier messages with the help of digital signatures. Nohl sent out fake messages simulating as a telecom carrier with fake digital signature. In most of the cases (75% times), the device was able to detect fake signatures using 56-bit Data Encryption Standards (D.E.S.) and hence terminated the communication. However, in rest of the cases, the mobile phone replied with an error message containing its encrypted digital signature. From the digital signature, Nohl was easily able to find the SIM’s digital key. After getting the digital key, the second step of the hack requires sending another message to the mobile phone to install software which can be able to perform various malicious activities.

What this bug can do?

The software now installed on the phone can do numerous things such as sending text messages to premium numbers, re-directing incoming calls to other numbers, and even eavesdropping on calls. The software can carry out payment system fraud as well if the SIM card is used for saving bank account details or for doing transactions. In short, the hackers can do almost anything which you can do from your phone remotely. Moreover, all smartphone Operating Systems- Android, iOS, Blackberry are equally affected by this bug. Although, since the bug allows access to data stored on SIM card, so any payment apps which store data outside the SIM card are safe. It must be noted that the vulnerability was found out in SIM cards using DES encryption method which was developed in 1970s and is still used in about half of the approximately 6 billion phones in use daily. This means that around 750 million phones are prone to such hacking attack.

Possible Solution

Mr. Nohl also stated that the phones are randomly able to flag the fake digital signatures and thus there can’t be any set method to determine which are phones are actually vulnerable. Also, newer SIM cards which have adopted stronger encryption method called Triple D.E.S. are safe from this hacking. He has discussed his learning’s with GSMA and SIM card makers and also suggested them to use better filtering technology to detect the kind of messages he had sent. Even consumers using SIM cards more than three years old should get their SIM card replaced from their respective carrier. Karsten Nohl will present his study and more details about the vulnerability at Blackhat Conference in Las Vegas, USA on July 31st. Source: Forbes, NYTimes
Facebook Comments
Previous articleSamsung Galaxy S4 Zoom available to pre-order in India at Samsung Online Store
Next articleSony Xperia Z Ultra launching in India on July 31
One of the earliest members of the 91mobiles' editorial team, Nitansh is a walking encyclopaedia of product specs. Name a phone and he’ll tell you the specifics on screen resolution, processor and camera without blinking an eyelid. Ask him if he remembers the launch date of a noteworthy phone, and he'll tell you the dates when the device first leaked, its global unveil, its Indian launch, and when it got a significant update. He’s a lover of all things Android, and loves writing reviews and scouting for new apps. A Wordpress whiz, he’s always ready to help out a fellow writer. While he juggles between many things at 91mobiles, he always manages to find time to write. In his non-tech avatar, Nitansh is a philatelist, which is a fancy word for stamp-collector.