750 Million Phones Vulnerable To Hacking Due To SIM Card Flaw
Up to 750 million mobile phones around the world carry SIM cards that contain a programming flaw that could leave their owners vulnerable to fraud. The bug allows a hacker to remotely access personal data and authorise illegal transactions within minutes.
The flaw is found in SIM cards that use DES (Data Encryption Standard) for encryption. DES is an older standard that most manufacturers are slowly phasing out, but it is still baked into hundreds of millions of SIMs across the world. Karsten Nohl, founder of the German firm Security Research Labs, found that sending a fake carrier message to a phone prompted an automated response from 25% of DES-based SIMs, and that response revealed the cards’ 56-bit security key.
Once the key is obtained, hackers will be able to send a virus to the SIM card. This will allow eavesdropping on calls, or mobile purchases with payments charged directly to the mobile account.
Nohl added that “We can remotely install software on a handset that operates completely independently from your phone. We can spy on you. We know your encryption keys for calls. We can read your S.M.S.’s. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account.”
Nohl says his team had been unsuccessfully attempting to breach SIM cards since 2011, using over-the-air-programming (OTA) – unseen text messages that are sent by the mobile phone operator to change settings on the phone of a user within their network.
Mr. Nohl is a well-known figure in the security industry. In 2009, he published software that can easily decode the 64-bit key needed to encrypt GSM-based conversations, which caused the industry to scramble for a better safeguarding strategy. His Germany-based company, Security Research Labs, acts as an advisor to multinational companies around Germany and the U.S. on any issues involving mobile security.