Recent research by Karsten Nohl, an expert cryptographer at Germany-based Security Research Labs, has revealed that an eighth of all SIM cards are vulnerable to security attacks. According to him, using an outdated SIM leaves the handset open to attacks that give access to the phone's location and SMS functions and allow the voicemail number to be changed.
Over 7 billion SIM cards are in use across the globe. SIM cards have an encryption feature that comes into play when the card communicates with an operator to receive software updates or commands. However, the research reveals that the encryption used is quite weak. This allows hackers to easily detect the security flaw, send hidden SMSs to vulnerable handsets and infect them with malicious programs.
Once a mobile phone is infected, hackers can remotely access it to send premium SMS messages and steal personal information. They can spy on call records and trace the location of the phone. Nohl, who has been researching the issue for the past ten years, has tested thousands of SIM cards from leading carriers like Vodafone, AT&T and Verizon. SIM cards from these leading carriers are vulnerable because they still use an outdated encryption technology from the 1970s, the Data Encryption Standard (DES).
This is how Nohl conducted his research. Binary code was delivered by SMS to a handset whose SIM card uses DES encryption. The binary code was not cryptographically signed, so it would not run on the phone, which rejects the code. However, in rejecting it, the phone makes a critical error: it sends back an error code by SMS that also contains the 56-bit encryption key. By using this simple technique, hackers can easily crack DES.
The hacker can then use the received 56-bit key to perform malicious software updates. The device allows the updates to take place because it recognizes them as coming from a reliable source, and it then also sends the user's sensitive data. Hackers can easily change settings on the phone and edit or destroy phone data.
According to Nohl, the hack can be performed on any phone. He told Ars Technica that, given any mobile phone number, he will be able to gain remote access to sensitive data and make a copy of it. Nohl added that a possible way to solve this security issue is to use powerful cryptography and Java virtual machines. Nohl will reveal more details of his experiment at the Black Hat security conference, to be held on July 31 in Las Vegas.