A security researcher who once revealed that GSM networks are no longer secure has made headlines again. This time, Karsten Nohl, a German cryptographer and founder of Berlin’s Security Research Labs claims that a flaw in the encryption technology used by some SIM cards in mobile devices can be exploited to take control of the device or remotely clone the SIM.
A Subscriber Identity Module (SIM) is a small portable chip used in mobile phones that operate on GSM, 3G and 4G networks. A SIM card contains its unique serial number (ICCID), the international mobile subscriber identity (IMSI), security authentication and ciphering information, temporary information related to the local network, a list of the services the user has access to, and two passwords: a personal identification number (PIN) for ordinary use and a personal unblocking code (PUK) for PIN unlocking.
Nohl, who will be presenting his findings at the Black Hat security conference in Las Vegas (US) on July 31, says this is the first hack of its kind in a decade. It comes after he and his team tested close to 1,000 SIM cards for vulnerabilities. The flaw is exploited by simply sending a hidden, spoofed text message to obtain the 56-bit Data Encryption Standard (DES) key used by the targeted phone’s SIM card. DES was developed in the 1970s.
This would ultimately give the attacker the ability to control the mobile phone, from having the phone send premium SMSes to recording telephone conversations. While some seven billion SIM cards are in use today, Nohl estimated that roughly 500 million mobile devices worldwide would currently be vulnerable to this type of attack.
“Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it,” Nohl told Forbes.
All types of phones are vulnerable, including Apple iPhones, phones that run Google’s Android software and BlackBerry smartphones, he said.
The U.N.’s Geneva-based International Telecommunications Union, which has reviewed the research, described it as “hugely significant.”
“These findings show us where we could be heading in terms of cybersecurity risks,” ITU Secretary General Hamadoun Touré told Reuters.
He said the agency would notify telecommunications regulators and other government agencies in nearly 200 countries about the potential threat and also reach out to hundreds of mobile companies, academics and other industry experts.
A spokeswoman for the GSMA, which represents nearly 800 mobile operators worldwide, said it also reviewed the research.
“We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted,” said GSMA spokeswoman Claire Cranton.
Nicole Smith, a spokeswoman for Gemalto NV, the world’s biggest maker of SIM cards, said her company supported GSMA’s response.
“Our policy is to refrain from commenting on details relating to our customers’ operations,” she said.
In Malaysia, MalaysianWireless believes that one or two of the mobile operators may still be using the older SIM encryption. Maxis, however, is believed to be using the newer 3DES SIM encryption. MalaysianWireless has reached out to the rest of the operators for comment.
Nohl told Forbes that the telecoms industry should use better filtering technology to block spoofed messages and phase out SIM cards using the old DES. Consumers using SIM cards more than three years old should request new cards (likely using triple-DES, or 3DES) from their mobile operators, Nohl recommended.