750 million phones could be vulnerable in massive SIM security flaw

“The New York Times reports that a security researcher has found a vulnerability in the encryption used by some mobile SIM cards that could let hackers remotely take control of a phone,” Aaron Souppouris reports for The Verge. “The flaw relates to cards using DES (Data Encryption Standard) for encryption — it’s an older standard that’s being phased out by some manufacturers, but is still used by hundreds of millions of SIMs.”

“Karsten Nohl, the founder of German firm Security Research Labs, discovered that sending a fake carrier message to a phone prompted an automated response from 25 percent of DES SIMs that revealed the cards’ 56-bit security key,” Souppouris reports. “With that key in hand, Nohl was able to send a virus to the SIM with a text message. The virus allowed him to impersonate the phone’s owner, intercept text messages, and even make carrier payments.”

Souppouris reports, “DES is used in around three billion mobile SIMs worldwide, of which Nohl estimates 750 million are vulnerable to the attack.”

Read more in the full article here.

42 Comments

    1. Although I agree that some hackers are without purpose except to wreck things, many are actually very bright and useful in creating useful inventions and benefits to mankind.

      You, on the other hand, could use a civil tongue and be respectful of those who have to read your vulgar post.

  1. What do sims actually do? All a phone does is connect to a network and send and receive data of varying types. Surely a password and other user input data would suffice?

    1. http://en.wikipedia.org/wiki/Subscriber_identity_module

      A subscriber identity module or subscriber identification module (SIM) is an integrated circuit that securely stores the international mobile subscriber identity (IMSI) and the related key used to identify and authenticate subscribers on mobile telephony devices (such as mobile phones and computers)….

      A SIM card contains its unique serial number (ICCID), international mobile subscriber identity (IMSI), security authentication and ciphering information, temporary information related to the local network, a list of the services the user has access to and two passwords: a personal identification number (PIN) for ordinary use and a personal unblocking code (PUK) for PIN unlocking.

      IOW: Your phone isn’t getting onto anyone’s mobile network without a programmed SIM card.
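As an added illustration of the identifiers listed in the quoted Wikipedia text (this is example code written for this page, not from Wikipedia, the article or any commenter): the ICCID serial number carries a Luhn check digit, so a defender inventorying SIM records can at least reject mistyped or malformed ICCIDs before trusting them. The sample ICCIDs below are constructed, and the accepted length range and the "89" telecom prefix are assumptions about ITU-T E.118 numbering rather than something the page states.

```python
# Added example: Luhn validation of SIM ICCID serial numbers.
# Not code from the article or the comments; sample values are constructed.

def luhn_checksum_valid(digits: str) -> bool:
    """Return True if the digit string (check digit last) passes the Luhn check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; every second digit (counting from the
    # check digit as position 0) is doubled, with 9 subtracted if it exceeds 9.
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Compute the Luhn check digit that must be appended to `payload`."""
    if not payload.isdigit() or not payload:
        raise ValueError("payload must be a non-empty digit string")
    total = 0
    # The rightmost payload digit sits at position 1 once the check digit is
    # appended, so it is the first one to be doubled.
    for position, ch in enumerate(reversed(payload)):
        d = int(ch)
        if position % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def validate_iccid(iccid: str) -> dict:
    """Check an ICCID for shape and checksum; returns a small report dict.

    Assumptions (not from the page): ICCIDs are 18-20 digits and start with
    the telecom major industry identifier "89". Spaces are tolerated as
    separators since printed cards often group the digits.
    """
    cleaned = iccid.replace(" ", "")
    report = {
        "iccid": cleaned,
        "all_digits": cleaned.isdigit(),
        "length_ok": 18 <= len(cleaned) <= 20,
        "telecom_prefix": cleaned.startswith("89"),
        "luhn_ok": luhn_checksum_valid(cleaned),
    }
    report["valid"] = all(
        report[k] for k in ("all_digits", "length_ok", "telecom_prefix", "luhn_ok")
    )
    return report


if __name__ == "__main__":
    # Constructed sample: 18-digit payload plus its computed check digit.
    payload = "890141032111118510"
    good = payload + luhn_check_digit(payload)
    bad = payload + "0"  # same payload, wrong check digit (a typo on the last digit)
    for candidate in (good, bad):
        print(validate_iccid(candidate))
```

The validator is deliberately strict about the parts it can check offline (digits, length, prefix, checksum); it says nothing about whether the card behind the number is one of the DES-based SIMs the article describes, which only the issuing operator can determine.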

      1. I know what a SIM does, but why can only a SIM do it? Why do we need a SIM to connect to a mobile network but we don’t need one to connect to a wifi network or any other secure service? What does a SIM do that passwords couldn’t. You can transfer your number from one SIM and/or network to another so fundamentally there is nothing on it that you definitively need to use your phone. Why can’t we have an ID number(s) and password(s) that in combination with network settings just allow us to configure our phone for whatever network(s) we want to use?

        1. Well, on CDMA networks (such as Verizon or Sprint), there is no SIM and the IMSI is stored on a built-in circuit in the phone.

The concept of divorcing carrier-related information (phone number and the associated subscription plan) from the actual handset provides additional flexibility for the subscriber. While Americans are generally fairly oblivious to this flexibility, elsewhere in the world, it is often critical. The ability to move the SIM card from one phone to the other, without having to call the carrier every time and have them port the number from one phone to the next (with the inevitable temporary loss of service during the transition) is a very popular feature. Many people have several handsets, and they use different ones for different purposes, but prefer to keep the same number. Moving the SIM card from phone to phone makes this extremely easy (women have phones of various colours to match purses / outfits). It also works the other way; for people who travel overseas, it is critical to be able to take out their American AT&T SIM and put in the local Vodafone SIM in order to have a local number in the UK, for example (making it easy for locals to reach them, without having to make an international call to America). On Verizon or Sprint, this is simply impossible — your phone number (and the associated plan) is locked to one single phone, and you just can’t switch phones without a complicated song-and-dance with your carrier. Since there is no SIM card, you can’t take that Sprint phone overseas and use a local SIM card (unless the phone is a “world phone”, with an additional SIM card for global roaming). To someone used to the flexibility of SIM, this is simply baffling.

1. That still doesn’t explain why we need a SIM rather than entering in some sort of login data to connect to the appropriate network and identify what your number is. You could have multiple profiles akin to multiple SIMs and just switch between them as you see fit. Why are phone networks fundamentally different than any other communication service? I have a VoIP phone in my office and I can just unplug it and plug it into the internet wherever I am and it will work; I don’t need a SIM for it. If I want to change providers (assuming they support the physical device and protocol) I just switch my accounts. A SIM may save having to know all the applicable information, but on that basis why do we use passwords for other things, things we would arguably want to be more secure? Since you’d have to have both phones with you to physically switch the SIM from one to the other, it would hardly be more inconvenient to “log out” on one, then log in to the other.

1. We need a SIM because there is no comparable alternative technological solution today. Some may remember the noise from a few years ago that Apple was purportedly advocating for the development of a “virtual SIM” solution, which looks very much like what you are describing. Whether this initiative still exists (or ever even existed), no movement has been made to that effect. We still have wireless carriers binding the customer account to the physical SIM and having the customer put that SIM into the phone of their choice, with no obvious chance of the technology ever moving towards some virtual solution.

              So, for now, it is still better to have a phone with a SIM, than to have one on CDMA, which is directly bound to the operator.

        2. I indicated what SIMs do that a simple password does not. Theoretically it could all be typed into a phone, or transferred over the net into a phone. If that was the case, the phone would have to have a hard coded ID that can be verified over the net to fit a specific account.

1. It may do more than a simple password, but that doesn’t explain why it has to be a physical solution. Wifi is essentially the same as a phone signal in that it is wireless and sends and receives data, but a SIM isn’t needed for that. Mobile networks may be more secure, but that shouldn’t rule out a digital solution; it should just mean higher security would need to be applied. You can mimic everything a mobile phone gives you using other services, all of which are digital and don’t require SIMs to connect to. It just seems such an antiquated way of working, primarily to allow mobile providers to retain control over customers.

            1. I think you’re right. The SIM is considered convenient because it can be removed from one phone and transferred to another, carrying the phone account and data with it. Theoretically, you could just pick up a different phone, verify your identity and have the same data downloaded to the new phone. You could even have several phones connected to the exact same account.

              As I say, each phone would have to be identifiable by a hard coded ID, like a MAC address, if not simply a MAC address. That way no extraneous phone could be hacked into your account.

              I don’t know anything at all about the genesis and history of the SIM. I’m betting that its history has something to do with why we still use them. Time for me to do some homework.

1. Affect and effect are both verbs and nouns, although the former is commonly used as a verb and the latter as a noun.

        Affect means emotional response, something that is observed in psychiatry and neuroscience

    1. Spell-check, or buy a dictionary. Reflects poorly on your attention to detail from third grade on. If you can’t master the most common and widely used mistake-prone phrases, your license to criticize another simply does not exist. So, who’s the idiot?…

  2. Holy Crack, Batman!

    AES was adopted replacing DES in 2001; reference code was part of the spec. Why on earth have these turkeys continued to use DES in production SIMs? Lazy? Or just stupid?

3. As much as I want Samf*ck to get punished for what they did to Apple (such as sending the Samf*ck CEO and all responsible execs to Camp22), litigation just becomes a constant distraction to Apple. I truly believe that hundreds of millions of Apple’s hard-earned cash can be better utilized than paying attorneys.

    1. There certainly are conflicting points of view on the subject. But if one is creative and has the ability (aka cash) to defend one’s creations, then IMHO it pays off to defend those creations. Otherwise, the lazy plagiarists specifically target you again, believing you to be ‘an easy mark’.

      Therefore, despite all the ranting about Apple lawsuits being detrimental to Apple, if Apple were instead perceived as rolling over every time some parasite wanted its tech, the public perception of Apple would, IMHO, be FAR worse.

Here in the USA, the old concept is embodied in the phrase: “Don’t Tread On Me!”

      1. I should also point out that HACKING bad technology, currently called ‘White Hat’ hacking, is preferable to CRACKING, currently called ‘Black Hat’ hacking.

White Hats will let the people using the bad technology know the problem before it becomes public. Such hackers are a BENEFIT to the tech community. Don’t knock them! The fact that it’s annoying when bad tech is discovered must not deter them from hacking. Thank them, hire them, benefit them. Have them HELP you FIX your bad tech.

        What sucks bad is when a Black Hat discovers the bad tech and puts it to work in exploits, abusing those with the bad tech. That you never want. Black Hats need to be gunned down at sunrise. Then after doing so, you FIX your bad tech.

        http://www.techopedia.com/definition/26342/black-hat-hacker

  4. I suppose it’s good and bad.

    Bad: They spend all their time finding ways to hack and exploit vulnerabilities.

    Good: Vulnerabilities are exposed and fixed.

  5. Some background information:

    DES:
    http://en.wikipedia.org/wiki/Data_Encryption_Standard

    AES, the modern alternative, as used in ALL Apple iOS devices with mobile capability, one reason the NSA gets ticked off at Apple, poor babies:
    http://www.complex.com/tech/2012/08/the-nsa-cant-crack-the-iphones-encryption

At the heart of Apple’s security architecture is the Advanced Encryption Standard algorithm (AES), a data-scrambling system published in 1998 and adopted as a U.S. government standard in 2001. After more than a decade of exhaustive analysis, AES is widely regarded as unbreakable. The algorithm is so strong that no computer imaginable for the foreseeable future, even a quantum computer, would be able to crack a truly random 256-bit AES key. The National Security Agency has approved AES-256 for storing top-secret data….

    Also helpful is the fact that each iPhone’s AES key is not recorded by Apple or any of its suppliers. And if someone does attempt to crack your iPhone, the key is erased and reset after 10 failed attempts.

    IOW: NO, iPhones and other iOS mobile access devices are NOT affected.

    1. I gave a talk about an anomaly in the AES key structure a few years ago. The first person to request a copy of my work was from the NSA. Are you sure they can’t crack it? 🙂

      1. I certainly am NOT certain AES didn’t have a backdoor from day one. But I know nothing about the genesis and evolution of AES, so I plead ignorance.

        It would be fun to use an open source encryption method that never had anything to do with the feds.

        Reminder: TOR started out as a Navy sponsored project. Therefore…

  6. The SIM card is provided by the network, not the manufacturer, so it’s the responsibility of your service provider.

    As this problem appears to only affect certain older types of SIMs, it seems reasonable to assume that as iPhone 5 uses nanoSIMs it should be immune, unless the user cut down an older type of SIM which happened to be vulnerable. The integrity of older iPhones will be dependent on whatever type of SIMs your service provider supplied.
