Hacker: Sim card flaws leave ‘hundreds of millions of phones’ vulnerable to attack

Posted on Friday, 2nd August 2013 @ 11:51 AM

Software vulnerabilities expose phones to hijacking and manipulation of calls, eavesdropping and identity theft

If you thought government analysts intercepting your phone’s metadata was bad, here is something potentially more frightening: cyber crooks hijacking your phone to eavesdrop, impersonate you and ransack your accounts.

A German cryptographer says he has discovered encryption and software flaws in hundreds of millions of phones, leaving them vulnerable to attack. Karsten Nohl revealed his findings fully and publicly for the first time at the Black Hat conference of hackers in Las Vegas on Wednesday, startling peers who had considered sim cards to be relatively safe technology.

Nohl, 31, a respected hacker and specialist on phone security, said the vulnerability allowed outsiders to obtain a sim card’s digital key, a 56-digit sequence that exposes the chip to manipulation.

“What this means is that your sim card can work against you. The hacker can redirect calls, rewrite numbers, listen in on calls.” A criminal hacker, using an ordinary computer, could also commit payment fraud by remotely controlling your phone.

Nohl’s team at Security Research Labs in Berlin experimented on more than 1,000 sim cards during a two-year investigation.

“The hacker starts by sending a text message to the sim card that the user doesn’t even get to see, and the sim card in some cases responds with data that can be run through with cryptanalysis. The resulting cryptographic key allows the hacker to send well-signed Java software to the sim card. And then do all kinds of stuff.”

The technique went beyond sim cloning, a well-known practice based on breaking the authentication algorithms of old cards, he told the Guardian before his presentation. “This time we break underneath the authentication algorithm pretty much everything that was stored in the card.”

The bug was rooted in a four-decade-old coding method known as data encryption standard (DES), which is used in about half the world’s 6bn mobile phones. Many now use an upgraded method known as Triple DES but those that used the old version were vulnerable, he said.

Nohl has estimated that more than 500m GSM devices were affected. He notified the London-based GSM Association earlier this year to give manufacturers and operators time to start plugging the encryption hole before demonstrating his findings at Black Hat, an annual gathering of cyber security professionals.

Some companies had responded “extremely fast” and begun patching the vulnerability, said Nohl. He believed even the slower ones would have a sufficient head start on criminals, who would need at least six months to exploit the knowledge he shared this week.

The industry had an incentive to be proactive because the bug would let criminals siphon revenue directly, he said. Several manufacturers and operators confirmed to the New York Times and Forbes that they were investigating Nohl’s findings and were confident modern sim cards were secure.
