One of the most ubiquitous pieces of cell phone hardware, the SIM card, is vulnerable to a hack attack that could put millions at risk of theft and surveillance. Hackers could carry out this attack "within two minutes on a standard computer."
SIM cards are so common in cell phones and smartphones that you probably don't even think about the card after you've bought a new phone and installed it. It's the little plastic chip, called a "subscriber identity module," that authenticates your phone to the network and gives you access to wireless communication and data. The card can also store text messages, payment credentials, and some phone contacts.
These cards have been in use since the 90s, and now a security firm has found that they can be cracked in a matter of minutes with a regular computer, a couple of text messages, and some know-how. The hack could leave millions at risk of having their payment information, mobile identities, contacts, and other information stolen, as well as being tracked and having their supposedly encrypted phone calls listened in on.
Hacking the SIM card takes just a few steps. First, a bogus binary text message, pretending to come from the network operator, is sent to the phone. Often, in reply to the improperly authenticated message, the SIM card responds in binary text with an error code that carries its own cryptographic signature. According to Security Research Labs' preliminary blog post on the subject, that signature leaks enough information to recover the key the SIM uses to authenticate the operator's messages. The key can be recovered within two minutes on a standard computer, and all of this can be done remotely.
That key allows a hacker to send the correctly authenticated text message, pretending to be the network operator, to the phone, and the SIM will do what it says. Then all hell breaks loose. Through binary text message, the phone can be instructed to download all sorts of little programs, thinking it's from the wireless provider. Such programs, or applets, "are allowed to send SMS [text messages], change voicemail numbers, and query the phone location, among many other predefined functions," says the security firm.
In some cases, beyond the predefined network functions, an applet "can break out of its realm and access the rest of the card. This allows for remote cloning of possibly millions of SIM cards including their mobile identity... as well as payment credentials stored on the card," according to SR Labs.
About 1 out of every 8 SIM cards is vulnerable to this attack, meaning somewhere between 500 million and 750 million phones could be affected, according to the BBC. While many in the U.S. and Europe still use SIM cards, this hack could be especially harmful to phone users in Africa, according to Karsten Nohl of the Berlin-based Security Research Labs. "Here in Europe we use a SIM card to make phone calls and texts, but many people in Africa also use them for mobile banking," said Nohl. "Someone can steal their entire bank account by copying their SIM card."
The majority of wireless carriers in Latin America use GSM networks, which use SIM cards to authenticate mobile phones. With 84 percent of Latin Americans using either prepaid or subscription cell phone service for functions ranging from basic communication all the way up to banking, according to a recent World Bank report, the newly found SIM card vulnerability could pose a risk to millions of Latin Americans as well.
The security vulnerability is serious enough that the United Nations' telecommunications agency, the International Telecommunication Union, is issuing notifications to companies, regulators, government agencies, academics, and industry experts in nearly 200 countries about the potential threat, which it described as "hugely significant." "These findings show us where we could be heading in terms of cybersecurity risks," ITU Secretary General Hamadoun Touré told Reuters.
The GSMA, the association of mobile operators representing almost 800 network operators across the globe, said it has looked at the problem as well. "We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted," said GSMA spokesperson Clair Cranton.
The hack depends on the SIM's signature key using DES, an encryption standard developed in the early 1970s that has been largely phased out but is still in use in many developing countries. Phones whose SIMs use newer encryption standards, like AT&T's, which use Triple DES, as well as devices on CDMA networks, which don't use SIM cards, are not vulnerable to the attack.
More details are expected to emerge at the Black Hat cyber security conference in Las Vegas at the end of this month.