Monday, 22 July 2013

Sim cards hacked, could affect Millions

With the NSA leaks going full force it probably won't sound like news at all that a German cryptographer claims to have hacked a SIM card. But that's never been done before (as far as we know . . .) so it's kind of a big deal, and shows that millions of phones are potentially vulnerable.
The founder of Security Research Labs in Berlin, Karsten Nohl, studied the encryption methods in thousands of SIM cards to figure out how a hacker could recover a card's secret 56-bit DES key, the key the carrier uses to sign over-the-air commands to the card. The vulnerability he discovered could impact as many as 750 million phones and would open them to call surveillance, fraudulent purchases and even a type of identity theft. Nohl told Forbes:
Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it.
In addition to compromising access keys, Nohl discovered a flaw in the Java Card "sandboxing" that is supposed to keep each applet's data isolated from the others on the SIM. By sending a binary SMS to a number of phones, he could collect data that eventually allowed him to break through the encryption on some of them. Each vulnerability Nohl identified only applies to certain SIM cards, but in the wrong hands they could endanger a large percentage of the SIM cards in use right now.
The vulnerability allows attackers to send spoofed text messages to obtain the 56-bit Data Encryption Standard (DES) key used by the targeted phone's SIM card. With the key in hand, attackers can install malicious software and perform other nefarious operations on the device. Though Nohl isn't officially presenting his findings until the Black Hat security conference in Las Vegas on July 31, he did share them with the GSM Association. A spokeswoman, Claire Cranton, told the New York Times:
We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted.
Description of Attack
Carriers can send text messages for billing purposes and to confirm mobile transactions. The SIM relies on a cryptographic signature (a checksum computed under the card's key) to verify that the carrier is the one sending the message. Nohl sent out fake messages pretending to be from the mobile carrier and carrying a bogus signature. In three-quarters of the cases with DES-keyed cards, the card correctly rejected the fake signature and terminated the communication. In a quarter of cases, however, the card sent an error message back and included its own cryptographic signature on that error. Because the content of the error is predictable, that signature is a known-plaintext sample under the card's key, and Nohl was able to derive the SIM's DES key from it (using precomputed tables covering the 56-bit key space), Forbes reported.
"Different shipments of SIM cards either have [the bug] or not," Nohl told Forbes. "It's very random," he said.
With the SIM key in hand, Nohl could send another text message to install software on the targeted phone to perform a wide range of malicious activities, including sending text messages to premium-rate numbers, eavesdropping on calls, redirecting incoming calls to other numbers, or even carrying out payment system fraud, according to Forbes. Nohl claimed the attack itself took him only a few minutes to carry out from a PC.
"We can spy on you. We know your encryption keys for calls. We can read your SMSs. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account," Nohl told the New York Times.
Nohl says that cards which are affected vary by country and carrier - since encryption standards vary between countries. According to his estimates about an eighth of the world's SIM cards could be affected, or about half a billion devices.
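To make the exchange in the attack description above concrete, here is an added model of it, written for this page; it is not Nohl's code and not the real OTA protocol. It assumes a stand-in keyed checksum (HMAC-SHA256 truncated to 8 bytes) in place of the DES checksum, and a 16-bit key space in place of DES's 56 bits so that the exhaustive search finishes quickly; the Sim class and the receive_ota, recover_key and attack functions are hypothetical names. The point it shows is why the signed error response is the problem: a card that silently drops a message with a bad checksum gives the attacker nothing to search against.

```python
import hashlib
import hmac

# Assumptions of this model (not the real SIM OTA protocol):
#  - the checksum is HMAC-SHA256 truncated to 8 bytes, standing in for the
#    DES-based OTA checksum described in the text;
#  - the key space is KEY_BITS = 16 instead of DES's 56 bits so that the
#    exhaustive search below finishes in well under a second.
KEY_BITS = 16
TAG_LEN = 8


def checksum(key: bytes, msg: bytes) -> bytes:
    """Keyed checksum over an OTA message (stand-in for the DES checksum)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def key_bytes(k: int) -> bytes:
    return k.to_bytes(8, "big")


class Sim:
    """A SIM that verifies the OTA checksum before executing a command.

    signed_errors=True models the quarter of cards that answer a bad
    checksum with an error message signed under the same key.
    """

    def __init__(self, key: int, signed_errors: bool):
        self._key = key_bytes(key)
        self.signed_errors = signed_errors
        self.installed = []  # payloads the card accepted and "installed"

    def receive_ota(self, header: bytes, body: bytes, tag: bytes):
        if hmac.compare_digest(checksum(self._key, header + body), tag):
            self.installed.append(body)
            return ("ok", None, None)
        if not self.signed_errors:
            return ("dropped", None, None)  # safe behaviour: no oracle at all
        # Signed error: predictable content, signed with the card's key.
        por = header + b"\x01STATUS=BAD_CHECKSUM"
        return ("error", por, checksum(self._key, por))


def recover_key(known_msg: bytes, tag: bytes):
    """Exhaustive known-plaintext search over the (reduced) key space.

    The real attack used precomputed tables over DES's 56-bit space rather
    than a live search, but the input is the same: one message/checksum pair.
    """
    for k in range(1 << KEY_BITS):
        if checksum(key_bytes(k), known_msg) == tag:
            return k
    return None


def attack(sim: Sim):
    """Returns (recovered key or None, whether a forged command was accepted)."""
    header = b"OTA-HDR"
    # Step 1: send a command with a bogus checksum, pretending to be the carrier.
    status, por, por_tag = sim.receive_ota(header, b"probe", b"\x00" * TAG_LEN)
    if status != "error":
        return None, False
    # Step 2: the error's content is predictable, so (por, por_tag) is a
    # known-plaintext pair; search the key space for the key that signs it.
    key = recover_key(por, por_tag)
    if key is None:
        return None, False
    # Step 3: sign our own payload (e.g. an applet install) with the recovered key.
    payload = b"INSTALL attacker.applet"
    forged_tag = checksum(key_bytes(key), header + payload)
    status, _, _ = sim.receive_ota(header, payload, forged_tag)
    return key, status == "ok"


if __name__ == "__main__":
    vulnerable = Sim(key=0xBEEF, signed_errors=True)
    print(attack(vulnerable))  # (48879, True): key recovered, forged command accepted
    hardened = Sim(key=0xBEEF, signed_errors=False)
    print(attack(hardened))    # (None, False): nothing to search against
```

At a real 56-bit key size the live search in recover_key becomes 2^56 checksum computations, which is why precomputed tables were used instead; at 3DES sizes neither a live search nor precomputation is practical, which is the substance of the carriers' "we moved to 3DES" response. Equally important is the second case above: a card that does not sign its error responses never hands out the known-plaintext pair in the first place.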


According to Nohl this is the first public remote compromise of a SIM card's keys; until now SIM cards were widely treated as unhackable. The weak cipher itself is not news: the Data Encryption Standard (DES), developed in the 1970s, has a 56-bit key that has been considered brute-forceable since the late 1990s. What is new is a way to get a DES-signed sample out of the card over the air, which is what makes cards still keyed with single DES exploitable.

The four major German carriers, as well as Verizon and AT&T in the US, have since said that their SIM cards are not vulnerable. AT&T added that it moved to triple DES (3DES) almost 10 years ago.


Nohl claims that the dated security standard and badly implemented Java Card code could allow him to compromise the encryption keys of certain SIM cards in less than a minute. He has since shared his findings with various carriers and the GSMA in an effort to help close the hole before it becomes widespread amongst cybercriminals.


Nohl is expected to share his findings at the Black Hat security convention in Las Vegas on July 31.

Definitely sounds like they're on it, and I totally trust enormous mobile providers like AT&T and Verizon to act quickly and nimbly in resolving this issue.
