Berlin’s Security Research Labs, in experiments carried out with selected SIM
cards, has estimated that about 500 million mobile phone users are at risk due
to a flaw discovered in SIM cards.
This flaw could allow hackers to access a SIM card and perform activities a
mobile phone user would normally perform. Calls could be made from the mobile
phone, the contacts list would be available, and text messages could be sent.
Applications on the SIM that perform transactions could also be accessed, which
would show all details of the user's transactions.
Transactions can also be made from these apps without the knowledge of the
mobile phone user. PayPal details, if stored on the SIM, will also be available
to the hackers. SIM cards have widely been known as the safest haven of
information on a mobile phone, but this new development has shown that even
secured SIM cards can have a security breach.
Security researcher Karsten Nohl and his team tested 1000 SIM cards and found
about 250 of them to be vulnerable. He stated that all SIM cards found
vulnerable were DES (Data Encryption Standard) SIM cards. He attributed this
flaw to wrongly configured Java Card software and weak encryption keys.
“Give me any phone number and there is some chance I will, a few minutes later,
be able to remotely control this SIM card and even make a copy of it,” he said.
“We had almost given up on the idea of breaking the most widely deployed use of
standard cryptography but it felt great to finally gain control of a SIM after
many months of unsuccessful testing,” he continued.
The Java Card, he said, is responsible for keeping the SIM card safe and
organized. It isolates each application on the SIM card and ensures that a virus
in one app does not affect other apps on the SIM card, through a process called
sandboxing.
The experiments, however, showed that apps on a compromised SIM card could be
given commands that should not normally be possible. For instance, a 12th item
could be requested from a list of ten items. This would cause the SIM card to
misbehave.
Some carriers have moved on from DES to safer encryption, but some carriers are
still using it to date. There are predictions that many African countries could
be affected because mobile payment is common there. Nohl also noted that the
distribution of affected users is unlikely to be even, as some parts of the
world will be affected more than others.
He blamed this development on the two major SIM card producers, Gemalto and
Oberthur Technologies. He further explained that users are still safe for now,
as it will take hackers about six months to exploit this vulnerability, by which
time carriers should have provided adequate protection for their SIM cards. He
is expected to explain more of the details at the Black Hat security conference
in July later this month.
SIM card flaw could make 500 million users vulnerable