Code-breaker Karsten Nohl: ‘Phone users can’t do much against SIM hackers’
“SIM cards were the last widely-used [piece of] technology left that no one had broken yet,” said Nohl, who made headlines on Sunday saying that his team found a flaw that would allow hackers to remotely access personal data and authorize illegal transactions within minutes.
The 31-year-old 'ethical hacker' breaks into secure systems, exploiting their vulnerabilities, and then presents his findings to companies, hoping they fix any issues before they are identified by criminals.
The UN’s International Telecommunications Union called the evidence “significant” and is to send an alert to all mobile phone operators warning of what was revealed.
The bug affects the SIM card, the plastic circuit board that contains key phone user data, which is considered to be the most-secure part of the phone, and has not been hacked in a similar fashion in a decade. By finding out the unique encryption key of each SIM card with just one hidden text message, Nohl is able to get complete remote control of an individual’s phone.
Nohl says the programming flaw can be exploited both for financial fraud and for surveillance.
“The worst case scenario that I could foresee is criminals acquiring enough information to hack a few million cards in the country,” Nohl added. “The main short term threat after criminals finally acquire this attack method is fraud. They will abuse the cards to send premium SMS, for instance. They can also steal banking tokens from them in countries where that is used.”
The other thing to worry about, Nohl warns, is surveillance, “because the SIM cards do encrypt all the voice communications originating from a phone as well as data communication. All of this can be intercepted and decoded by a well-equipped surveillance team.”
Phone users are left in the dark in all of this, as there is no way to tell when a SIM card is being hacked. “The best bet currently is to wait for the network to implement countermeasures before the abuse starts and, should abuse happen in your network, ask for a new SIM card,” explains Nohl.
Nohl said his team had been unsuccessfully attempting to breach SIM cards since 2011 using over-the-air programming (OTA) – unseen text messages sent by the mobile phone operator to change settings on the phone of a user within their network.
In the end, the flaw was found by accident after Nohl noticed that when he attempted to send certain incorrect OTA commands, he would receive an error message that also contained the unique encryption code belonging to that phone – its virtual key. The code was easily decrypted – Nohl says the process takes him one minute. With the phone now at his disposal, he could command it to do anything from his own computer, without the user ever suspecting anything was amiss.
The bug was not found in every SIM card tested and Nohl estimates that it is present in about a quarter of SIM cards using Data Encryption Standard (DES), putting about 750 million users worldwide at risk.
While leading companies have released statements acknowledging the flaw, and claiming they are working to eradicate it, authorities have urged calm among ordinary users, noting that no criminal damage appears to have been done so far.