“If your identity has been stolen, your phone may have been an accomplice to the crime.” Pretty scary statement, isn’t it?
But this is a claim made by a German mobile security expert after he found a “flaw in the encryption technology used in some SIM cards, the chips in handsets, that could enable cyber criminals to take control of a person’s phone.”
Karsten Nohl, founder of Security Research Labs in Berlin, alleged that the encryption hole allowed people to get hold of a SIM card’s digital key, a 56-digit sequence that allows the chip to be modified. Once he had that key, he was able to send a virus to the SIM card through a text message. This allowed him to eavesdrop on a caller, make purchases via mobile payment systems and even pretend to be the phone’s owner.
All you need to do this is a personal computer. Unbelievably, there are as many as 750 million phones that are susceptible to these attacks.
He says attackers can remotely install software on a handset that operates completely separately from your phone, spy on you, learn your encryption keys for calls and access your SMSes. Even more alarming is the fact that they can steal data from the SIM card, your mobile identity, and charge this to your account.
Mr Nohl is well known in security circles. In 2009 he published a software tool that computes the 64-bit key used to encrypt conversations on GSM networks, compelling the industry to improve its security. It is thus no wonder that his company advises both German and US multinational companies on mobile security issues.
The defect that he discovered was the result of an encryption method developed in the 1970s called the Data Encryption Standard, also known as D.E.S. Once he discovered the breach, he investigated the prevalence of the problem by testing 1000 SIM cards on cellphones on various networks in Europe and North America over a two-year period. The phones and SIM cards were his property as well as that of his research team. He said that about a quarter of the SIM cards running the older encryption technology exhibited the vulnerability.
Currently D.E.S. encryption is used on about half of the approximately six billion cellphones in use daily. Over the last decade most operators have adopted a more stringent encryption method known as Triple D.E.S., but many SIM cards are still running the old standard. “The encryption is used to disguise the SIM card, and thus a mobile phone’s unique digital signature.”
He has made a “responsible disclosure” to the GSM Association, the body that represents the mobile industry. He will also present his findings at the Black Hat conference, a computer hackers’ gathering, on 1 August.
Claire Cranton, spokesperson for GSM, said that these findings were passed on to the operators and makers of SIM cards who still relied on the older encryption standard. She intimated that it was “likely only a minority of phones using the older standard that ‘could be vulnerable’”. She declined to comment on Mr Nohl’s figure of 750 million vulnerable phones.
Two SIM card manufacturers, Gemalto and Giesecke & Devrient, said that GSM has been in touch with them with regard to the findings and that they are now investigating on their side.
Mr Nohl said that he had advised the GSM Association and chip makers to employ better filtering technology to eliminate the weakness and to phase out SIM cards using D.E.S. and to move to newer standards. He advised further that consumers who are using SIM cards older than three years should upgrade their cards with their operators.
Giesecke & Devrient said they had already begun phasing out SIM cards using D.E.S. in 2008.
All this being said, Mr Nohl advised that he will not be revealing the identities of those implicated in this flaw at the August conference but said that he “planned to publish a comparative list of SIM card security by operator in December at a conference in Hamburg”.