Outdated cryptography and a poorly implemented sandboxing feature on many SIM cards could enable attackers to gain root access, according to German security researcher and cryptography expert Karsten Nohl. As a result, several hundred million phones could be exposed to hackers eavesdropping on calls, sending premium text messages or even carrying out payment fraud, Forbes reported. Nohl will present his full findings at the upcoming Black Hat security conference in Las Vegas.
According to Nohl, SIM card software security claims are often predicated on the fact that the cards have never been exploited. However, because many cards still use outdated 56-bit DES encryption, the right attack method can enable a range of malicious activity. With the right combination of flaws, it’s possible to get root access to the SIM card, Nohl explained.
“Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it,” he told Forbes.
How attackers can listen in
Nohl’s team carried out an attack that involves sending an unsigned snippet of binary code to a device using a SIM card with DES encryption, ComputerWorld reported. In some cases, the SIM card sends back an error code that carries an encrypted 56-bit private key. This key can be easily cracked using a regular computer – Nohl’s firm, Security Research Labs, did it in less than two minutes. Armed with the decrypted private key, an attacker can sign software updates to the device, forcing it to download Java applets that could send SMS messages, listen to voicemails, access phone location information or even eavesdrop on calls.
“Anybody who learns the key of a particular SIM can load any application on the SIM he wants, including malicious code,” Jasper Van Woudenberg, North American CTO of security firm Riscure, told Forbes.
Additionally, some SIM cards contain a sandboxing flaw that could allow a virus to read the files of other applications installed on the card, including payment applications, Nohl told Forbes. When the card software is given a command it cannot process, it skips its security checks and grants root access. By combining the two flaws, an attacker could therefore carry out payment fraud. The risk of such an attack is particularly high in many African countries, where SIM-card payments are common, Forbes noted.
Errors all over the world
Nearly one quarter of the cards Nohl’s team tested could be hacked, Forbes reported. The type of SIM card technology in use varies widely around the world, but Nohl estimates that about one in eight SIM cards could be vulnerable. Out of a worldwide total of around 5 billion SIM cards, that means that around half a billion devices could be at risk. Many mobile carriers do not use cards with the affected encryption standards, including AT&T and Verizon.
However, the products of both of the main SIM card vendors, Gemalto and Oberthur, have the sandboxing error, according to Nohl. Gemalto told Forbes that its SIMs are in line with current security guidelines and that it is looking into the research. The company claims on its website that its cards are “virtually impossible to crack.”
Nohl acknowledged the difficulty of the exploit, telling Forbes that his team nearly gave up on the SIM card project. While he believes it is unlikely that attackers are already using the flaw, ensuring the software security of such technology is a major concern as organizations look to guarantee the safety of new practices such as mobile payments. Using approaches such as source code analysis, organizations can reduce the likelihood of errors in the embedded software of SIM cards and other technologies.