Vulnerabilities in Certain SIM Cards Make Users Susceptible to Mobile Phone Hijacking

A researcher has uncovered a way to use vulnerabilities in the SIM (subscriber identity module) cards of millions of mobile phones to sign malicious updates and clone the SIM cards over-the-air.

A SIM card securely stores the international mobile subscriber identity and the related key used to identify and authenticate mobile phone users. In an upcoming presentation at the Black Hat conference in Las Vegas, Karsten Nohl – chief scientist at Security Research Labs – will expose implementation and configuration bugs in SIM cards that can be used to hijack mobile phones.

“Nohl discovered that many SIM cards, instead of using AES or at least 3DES, still use the DES encryption standard which is known to be weak and easily breakable with today’s hardware,” blogged Symantec security researcher Candid Wueest.

“An attacker can send a cleverly crafted silent binary SMS update message over-the-air (OTA) to the mobile phone, even without knowing the private signing key,” he blogged. “The device will reject the unsigned message, but it will also answer with an error code signed with the 56-bit DES private key. This allows the attacker to crack the private key through a brute-force attack. During tests, Nohl was able to break the key in a few minutes using rainbow tables.”

“Once the key is known, an attacker can go ahead and sign malicious software updates, which are essentially mini Java applets, and send them through OTA updates to the mobile phone,” Wueest continued. “Since the signature matches, the applets will run on the device. Such malicious applets can silently send premium text messages which will generate profit for the attacker or reveal the geo-location of the device.”

In a blog post, Security Research Labs posted information about the vulnerabilities. According to the company, the Java virtual machine should ensure that every Java applet only accesses the predefined interfaces. However, the Java sandbox implementations of at least two major SIM card vendors are not secure and allow a Java applet to break out of the sandbox and access the rest of the card. In effect, this permits the remote cloning of millions of SIM cards.

According to Security Research Labs, the risk of these attacks can be mitigated by SIM cards implementing state-of-the-art cryptography, including sufficiently long keys and proper implementation of secure Java machines. In addition, each user should be allowed to decide which sources of binary SMS to trust and which ones not to via an SMS firewall on the phone. Finally, remote attackers delivering binary SMS to and from victim phones could be thwarted with in-network SMS filtering, the company argued.
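To make the two mitigations above concrete, here is an added example (written for this page; it is not code from Security Research Labs, Symantec or the article) of a minimal SMS firewall of the kind the company recommends. It runs over constructed SMS records, identifies binary "SIM data download" messages by their GSM 03.40 protocol identifier and data coding scheme, drops those from senders not on a trusted OTA list, and, for trusted ones, decodes the KIc/KID bytes of the GSM 03.48 command header to flag messages whose protection is configured as single DES rather than triple DES or AES. The sender addresses, key-byte values and packet bytes are all constructed for illustration; the field layouts follow the published GSM 03.40/03.48 and ETSI TS 102 225 coding as understood here and should be checked against the specification before reuse.

```python
"""Constructed SMS-firewall example for binary (OTA) SMS, not code from the article."""
from dataclasses import dataclass

# GSM 03.40 values that mark an SMS-PP "SIM data download" message:
# TP-PID 0x7F (SIM data download) with a class-2, 8-bit data coding scheme.
SIM_DATA_DOWNLOAD_PID = 0x7F
CLASS2_8BIT_DCS = 0xF6

# KIc/KID byte coding (GSM 03.48 / ETSI TS 102 225, as understood here):
# bits b2b1 = algorithm family, bits b4b3 = mode, bits b8..b5 = key index.
ALGO_NAMES = {0b00: "implicit", 0b01: "DES", 0b10: "AES", 0b11: "proprietary"}
DES_MODE_NAMES = {0b00: "DES-CBC", 0b01: "3DES-2key", 0b10: "3DES-3key", 0b11: "DES-ECB"}


@dataclass
class Sms:
    sender: str      # originating address (constructed values below)
    pid: int         # TP-PID
    dcs: int         # TP-DCS
    user_data: bytes # TP-UD; for OTA this carries a 03.48 command packet


def is_sim_data_download(sms: Sms) -> bool:
    """True when the SMS is addressed to the SIM rather than the handset user."""
    return sms.pid == SIM_DATA_DOWNLOAD_PID and sms.dcs == CLASS2_8BIT_DCS


def describe_key_byte(b: int) -> tuple:
    """Return (algorithm description, key index) for a KIc or KID byte."""
    algo = ALGO_NAMES[b & 0b11]
    mode = (b >> 2) & 0b11
    key_index = b >> 4
    if algo == "DES":
        return DES_MODE_NAMES[mode], key_index
    return algo, key_index


def uses_single_des(b: int) -> bool:
    """Single DES (56-bit key) in either mode is the weak configuration the article describes."""
    return describe_key_byte(b)[0] in ("DES-CBC", "DES-ECB")


def parse_command_header(ud: bytes) -> dict:
    """Parse the fixed prefix of a 03.48 command packet:
    CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3); the counter and checksum follow."""
    if len(ud) < 10:
        raise ValueError("too short for a 03.48 command header")
    return {
        "cpl": int.from_bytes(ud[0:2], "big"),
        "chl": ud[2],
        "spi": ud[3:5],
        "kic": ud[5],
        "kid": ud[6],
        "tar": ud[7:10],
    }


def firewall_verdict(sms: Sms, trusted_senders: set) -> str:
    """Policy: ordinary SMS pass; binary OTA SMS pass only from trusted senders,
    and are flagged when the header announces single-DES protection."""
    if not is_sim_data_download(sms):
        return "allow"
    if sms.sender not in trusted_senders:
        return "drop:untrusted-ota-sender"
    try:
        hdr = parse_command_header(sms.user_data)
    except ValueError:
        return "drop:malformed-ota"
    if uses_single_des(hdr["kic"]) or uses_single_des(hdr["kid"]):
        return "flag:single-des"
    return "allow"


def make_ota_user_data(kic: int, kid: int) -> bytes:
    """Build a constructed 03.48 command packet with the given KIc/KID bytes.
    SPI, TAR, counter and checksum bytes are placeholders, not a real update."""
    header = bytes([0x00, 0x18, 0x15, 0x16, 0x21, kic, kid, 0xB0, 0x00, 0x10])
    return header + bytes(5) + bytes(1) + bytes(8)  # CNTR, PCNTR, RC/CC/DS placeholders


# Constructed sample traffic (sender addresses are invented).
TRUSTED = {"+10000000001"}
SAMPLES = {
    "text": Sms("+15550001111", 0x00, 0x00, b"hello"),
    "ota_untrusted": Sms("+15559998888", 0x7F, 0xF6, make_ota_user_data(0x15, 0x15)),
    "ota_3des": Sms("+10000000001", 0x7F, 0xF6, make_ota_user_data(0x15, 0x15)),  # 3DES, key index 1
    "ota_des": Sms("+10000000001", 0x7F, 0xF6, make_ota_user_data(0x11, 0x11)),   # single DES-CBC
}

if __name__ == "__main__":
    for name, sms in SAMPLES.items():
        print(f"{name:14s} -> {firewall_verdict(sms, TRUSTED)}")
```

Run directly, the script prints one verdict per sample: the plain text message and the 3DES-protected update from the trusted sender are allowed, the update from an unknown sender is dropped, and the trusted-sender update whose header selects single DES is flagged. The same classification could sit in network-side SMS filtering; the key-byte check is also a cheap way for an operator to audit which of its own OTA platforms still sign with 56-bit DES.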

Users can check with their provider to see if their SIM card is vulnerable to this attack and, if necessary, upgrade to a newer card that is not vulnerable, blogged Wueest.

“We all know that mobile phones have been the focus of cybercriminals for a while now,” he wrote. “But Trojanized mobile applications are only one attack scenario. Some problems lie even deeper in your phone.”

The Black Hat conference will be held from July 27 to Aug. 1.
