750 Million Cell Phones At Risk Of Remote Hacking Due To SIM Card Security Flaw

A security expert believes up to 750 million cell phones could be easy targets for remote hackers due to a subscriber identity module, or SIM, card security flaw. Security Research Labs discovered millions of cell phones could be exploited by a simple text message to the SIM, which could lead to a phone getting hijacked. The SIM card hack takes just two minutes.

According to Security Research Labs, 7 billion SIM cards are currently active. A SIM card is used to associate cell phone numbers with devices and other data about the user. The security experts state the cards can be updated over the air, or OTA, while another method involves accessing the SIM card via a Java program. Although the ability to update a SIM card through a Java program is not often used, it could be exploited by hackers.

The researchers tested thousands of SIM cards to discover the security vulnerability. Security Research Labs lays out the steps needed for a remote takeover of a user’s cell phone. OTA software updates are encrypted short message service, or SMS, messages sent from the carrier to the SIM card. The findings will be presented at Black Hat 2013 in Las Vegas on Aug. 1.

The security threat is due to the use of an outdated encryption system. There are advanced encryption methods that SIM cards can use, but many rely on the antiquated data encryption standard, or DES. DES was first broken in 1998, ZDNet notes.

A hacker could use a custom Java program to send an improperly encrypted SMS message to a SIM card, which would lead to an error message being sent back from the card. The error code would carry a signature the hacker could use to recover the security key, allowing a properly encrypted SMS message to be sent to the SIM card. Recovering a 56-bit DES key this way takes just two minutes with current computers.

Once a hacker has access to a SIM card, new Java applets, small applications each with a single programmed function, can be downloaded to the phone, which could change a user’s voicemail password or send SMS messages that link to malware. Even more problematic than this access is the possibility of the applet reaching the rest of the SIM card.

According to Security Research Labs, the Java sandbox, the card’s security defense system, of two SIM card vendors has security holes, allowing an applet to access other parts of the card, clone the card itself or access any personal information, including stored credit card information. Karsten Nohl, founder of the Berlin-based Security Research Labs, told the New York Times that he was able to send a virus to a SIM card, which let him listen in on phone calls, purchase items and steal the user’s identity. Nohl gained some fame in 2009 when he developed, and released, a program that decrypted global system for mobile communications, or GSM, conversations. GSM is the world’s most popular standard used by carriers.

“We can spy on you. We know your encryption keys for calls. We can read your SMSs. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account,” Nohl told the New York Times.

Nearly 3 billion cell phones used daily have DES encryption, and the security flaw was found in a quarter of them, 750 million cell phones. Most carriers have moved away from DES encryption, opting for the more secure triple-DES, or 3DES, or the even more secure advanced encryption standard, or AES.

In the blog post discussing the preliminary findings, Security Research Labs laid out the steps needed to fix the flaw. The first step is using better SIM cards with the most advanced encryption system available, or adding another security measure such as a firewall in addition to the Java sandbox. Another solution is for the carrier to allow OTA access only from a few known sources.
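The weakness described above and the fix are easiest to see side by side: a card whose error reply to a badly signed OTA command is itself signed with the card key hands out key-dependent material, while a card whose failure path never touches the key gives nothing away. The following is a constructed, simplified model written for this page, not Security Research Labs’ code and not the real OTA SMS message format; HMAC-SHA256 stands in for the card’s DES signature, since the point is what the reply reveals, not the cipher.

```python
"""Simplified model of a SIM OTA command handler: vulnerable vs hardened.

Constructed example. HMAC-SHA256 is a stand-in for the card's keyed DES
signature; message layout is invented and deliberately minimal.
"""
import hmac
import hashlib


def sign(key: bytes, data: bytes) -> bytes:
    # Stand-in for the card's keyed signature, truncated to 8 bytes.
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class VulnerableSim:
    """Rejects a badly signed command with an error that is signed with
    the same card key. Every such reply is a (plaintext, signature) pair
    that can be used to test key guesses offline, which is why a 56-bit
    DES key falls quickly."""

    def __init__(self, key: bytes):
        self.key = key

    def handle(self, command: bytes, signature: bytes) -> bytes:
        if hmac.compare_digest(sign(self.key, command), signature):
            return b"OK"
        error = b"ERR:BAD_SIGNATURE"
        return error + sign(self.key, error)  # leaks key-dependent bytes


class HardenedSim:
    """Same check, but the failure path never uses the key: it returns a
    fixed, unsigned error (a card could equally stay silent)."""

    def __init__(self, key: bytes):
        self.key = key

    def handle(self, command: bytes, signature: bytes) -> bytes:
        if hmac.compare_digest(sign(self.key, command), signature):
            return b"OK"
        return b"ERR"


def error_reply_depends_on_key(sim_cls, command: bytes) -> bool:
    """Defender's check: does the wrong-signature reply change when the
    card key changes? If so, the reply carries key material."""
    bad_sig = b"\x00" * 8
    replies = {sim_cls(k).handle(command, bad_sig)
               for k in (b"key-A", b"key-B", b"key-C")}
    return len(replies) > 1
```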
