Up to 750 million mobile phones around the world carry SIM cards that contain a programming flaw that could leave their owners vulnerable to fraud. The bug allows a hacker to remotely access personal data and authorise illegal transactions within minutes.
The UN’s International Telecommunication Union is to send an alert to all mobile phone operators after being presented with “hugely significant” evidence of a design flaw by renowned German code-breaker Karsten Nohl.
The bug affects the SIM card, the small plastic card with an embedded chip that holds key subscriber data. The SIM is considered the most secure part of the phone and has not been hacked in a similar fashion in a decade. By obtaining the unique encryption key of a SIM card with just one hidden text message, Nohl is able to gain complete remote control of an individual’s phone.
“We become the SIM card. We can do anything the normal phone users can do,” Nohl told Reuters. “If you have a MasterCard number or PayPal data on the phone, we get that too.”
The flaw can be exploited both for financial fraud and for surveillance.
“We can remotely install software on a handset that operates completely independently from your phone. We can spy on you. We know your encryption keys for calls. We can read your texts. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account,” Nohl explained to the New York Times.
The 31-year-old ‘ethical hacker’ Karsten Nohl breaks into secure systems, exploiting their vulnerabilities, and then presents his findings to companies, hoping they fix any issues before they are identified by criminals.
Nohl says his team had been unsuccessfully attempting to breach SIM cards since 2011 via over-the-air programming (OTA) – hidden text messages that the mobile phone operator sends to change settings on a subscriber’s phone within its network.
“We had almost given up on the idea of breaking the most widely-deployed use of standard cryptography,” admitted Nohl, who says that SIM card tampering is the ‘Holy Grail’ for any hacker.
In the end, the flaw was found by accident.
Nohl noticed that when he sent certain malformed OTA commands, he would receive an error message that also contained the unique encryption code belonging to that SIM – its virtual key. That code could be cracked easily – Nohl says the process takes him one minute. With the SIM at his disposal, he could then command the phone to do anything from his own computer, without the user ever suspecting that anything was amiss.
The bug was not found in every SIM card tested – Nohl examined more than a thousand – but he estimates that it is present in about a quarter of SIM cards using the Data Encryption Standard (DES), an encryption standard that is being phased out but is still used on about 3 billion active phones. That is why Nohl estimates that 750 million users might be in danger. What’s more, there is no easy way for the owner of a DES SIM card to tell whether their phone is susceptible.
The security expert has already privately informed the authorities of his findings through a process called ‘responsible disclosure’, and believes it will take hackers six months to repeat his feat, giving manufacturers a head start. Nohl will detail his break-in at Black Hat, a hacker conference that begins in Las Vegas at the end of July.
While leading companies have released statements acknowledging the flaw, and saying that they are working to eradicate it, authorities have urged calm among ordinary users, noting that no criminal damage appears to have been done so far.
“This is not what hackers are focused on. This does not seem to be something they are exploiting,” reassured John Marinho, Vice President of Technology and Cybersecurity at CTIA, the leading US mobile industry group.
But whatever the immediate risks, the UN is less sanguine.
“These findings show us where we could be heading in terms of cyber-security risks,” ITU Secretary-General Hamadoun Touré told Reuters.