All posts by Knopfman


Beware! Your SIM Card Can Now Be Hacked!


We Know The NSA Is Snooping! But Now There’s More!


We know that most US carriers have now enabled NSA snooping, but the prevailing wisdom is that there’s still one part of your mobile phone that remains safe and un-hackable:

Your SIM Card

After three years of research, German cryptographer Karsten Nohl claims to have finally found encryption and software flaws that could affect millions of SIM cards, which would open up yet another route on mobile phones for surveillance and fraud.

Nohl, who will be presenting his findings at the Black Hat security conference in Las Vegas on July 31, says that his is the first hack of its kind in a decade, and comes after he and his team tested almost 1,000 SIM cards for vulnerabilities.

How Does The Hack Work?

The hack is implemented by simply sending a hidden SMS.

There’s a two-part flaw, based on an old security standard and badly configured code, which can allow hackers to remotely infect a SIM with a virus that can send premium text messages, and surreptitiously re-direct and record calls.

And with the right combination of bugs, they can carry out payment system fraud!

Are Some SIM Cards Safer Than Others?

Right now, there’s no obvious pattern to the flaw beyond the premise of an older encryption standard.

"Different shipments of SIM cards either have the bug or don’t. It’s very random," says Nohl, who is chief scientist at risk management firm Security Research Labs.

What Percentage Of SIM Cards Can Be Hacked?

Nohl says just a little under a quarter of all the SIM cards he tested could be hacked, but given that encryption standards vary widely between countries, he estimates an eighth of the world’s SIM cards could be vulnerable, or about half a billion mobile devices.

Manufacturers And Banks?!

Carriers and SIM card manufacturers need to step up their security game for when payments arrive.

Banks are slow and cautious with new technology because they always wait until it is proven secure, but the mobile world moves much faster, since time-to-market matters more to it.