Hacker Discovers Security Weakness in Old SIM Cards

By Wesley Fenlon

Security expert Karsten Nohl spent two years researching a flaw in SIM cards that allows him to steal the owner's identity or install remote software on a cellular phone.

Sometimes, when we get hacked, it's our own fault--we use the same easily guessable password on multiple websites or accidentally leave ourselves logged into a public computer. Sometimes it's the system's fault, and hackers exploit the customer service centers of massive corporations to get at your data--that's what happened with Amazon and iTunes in 2012.

And sometimes, when we get hacked, the hardware itself has failed us. Hacker Karsten Nohl of the Security Research Labs in Berlin says he's found a flaw in cell phone SIM cards that opens them up to hacking. Through that security hole, he says, according to the New York Times, "We can remotely install software on a handset that operates completely independently from your phone. We can spy on you. We know your encryption keys for calls. We can read your S.M.S.’s. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account.”

Thankfully, not all SIM cards are vulnerable to the threat. Likewise, there are plenty of CDMA-based phones, like those from carrier Verizon in the US, that don't run on SIM cards. But much of the world uses GSM technology, and those phones use SIMs. Nohl says as many as 750 million phones could be vulnerable to his hack.

The Times goes into a bit more detail about the security hole Nohl discovered. It's not his first exploration of GSM's weaknesses; in 2009, he created a tool that could break the 64-bit encryption key on GSM networks.

"Mr. Nohl said the flaw he had discovered was the result of an encryption method developed in the 1970s called data encryption standard, or D.E.S. After uncovering the breach, he researched the pervasiveness of the problem by testing about 1,000 SIM cards on cellphones running on mobile networks in Europe and North America over a two-year period. The phones and SIM cards were owned and used by himself and members of his research team. Mr. Nohl said that about one-quarter of the SIM cards running the older encryption technology exhibited the flaw.

"D.E.S. encryption is used on about half of the about six billion cellphones in use daily. Over the past decade, most operators have adopted a stronger encryption method, called Triple D.E.S., but many SIM cards still run the old standard. The encryption is used to disguise the SIM card, and thus a mobile phone’s unique digital signature."

The Times elaborates that in most cases--about 75 percent of the time--when Nohl sent a phone an SMS with a faulty digital signature, the phones would bounce back that message. But the other 25 percent of the time, the phone "broke off the communication and sent an error message back to Mr. Nohl that included its own encrypted digital signature. The communication provided Mr. Nohl with enough information to derive the SIM card’s digital key."

Nohl has already discussed the hack with the GSM Association and will reveal the details of his two years of research publicly at the Black Hat hacking conference on August 1. That 750 million number is probably very much on the high side, as many phones with simple D.E.S. security were phased out years ago. But there are doubtless still millions of those phones in operation. This breach will, hopefully, quicken their retirement.