SecurityWeek

Vulnerabilities in Certain SIM Cards Make Users Susceptible to Mobile Phone Hijacking

A researcher has uncovered a way to use vulnerabilities in the SIM (subscriber identity module) cards of millions of mobile phones to sign malicious updates and clone the SIM cards over-the-air.

A SIM card securely stores the international mobile subscriber identity and the related key used to identify and authenticate mobile phone users. In an upcoming presentation at the Black Hat conference in Las Vegas, Karsten Nohl – chief scientist at Security Research Labs – will expose implementation and configuration bugs in SIM cards that can be used to hijack mobile phones.

“Nohl discovered that many SIM cards, instead of using AES or at least 3DES, still use the DES encryption standard which is known to be weak and easily breakable with today’s hardware,” blogged Symantec security researcher Candid Wueest.

“An attacker can send a cleverly crafted silent binary SMS update message over-the-air (OTA) to the mobile phone, even without knowing the private signing key,” he blogged. “The device will reject the unsigned message, but it will also answer with an error code signed with the 56-bit DES private key. This allows the attacker to crack the private key through a brute-force attack. During tests, Nohl was able to break the key in a few minutes using rainbow tables.”

“Once the key is known, an attacker can go ahead and sign malicious software updates, which are essentially mini Java applets, and send them through OTA updates to the mobile phone,” Wueest continued. “Since the signature matches, the applets will run on the device. Such malicious applets can silently send premium text messages which will generate profit for the attacker or reveal the geo-location of the device.”

In a blog post, Security Research Labs posted information about the vulnerabilities. According to the company, the Java virtual machine should ensure that every Java applet only accesses the predefined interfaces. However, the Java sandbox implementations of at least two major SIM card vendors are not secure and allow a Java applet to break out of the sandbox and access the rest of the card. In effect, this permits the remote cloning of millions of SIM cards.

According to Security Research Labs, the risk of these attacks can be mitigated by SIM cards implementing state-of-the-art cryptography, including sufficiently long keys and proper implementation of secure Java machines. In addition, each user should be allowed to decide which sources of binary SMS to trust and which ones not to via an SMS firewall on the phone. Finally, remote attackers delivering binary SMS to and from victim phones could be thwarted with in-network SMS filtering, the company argued.
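The SMS firewall and in-network filtering described above come down to one decision: is a message addressed to the SIM rather than to the user, and if so, does it come from (or go to) an address the subscriber or operator trusts? The following Python is an added illustration of that rule, not code from Security Research Labs, Symantec or any phone vendor. It recognises binary SIM traffic by the TP-PID value 0x7F ("(U)SIM Data download"), a TP-DCS message class of 2 (SIM-specific), or an OTA command/response packet identifier (0x70/0x71) in the User Data Header, as those values are defined in the GSM/3GPP SMS specifications; the `Sms` type, the phone numbers and the sample messages are constructed for the example. Applying the same rule to outbound messages is what denies an untrusted sender the signed error response the article describes.

```python
from dataclasses import dataclass
from typing import Optional

# Constants from the GSM/3GPP SMS specifications (TS 23.040 / TS 23.048).
TP_PID_SIM_DATA_DOWNLOAD = 0x7F   # TP-PID "(U)SIM Data download"
UDH_IEI_OTA_COMMAND = 0x70        # UDH IEI: OTA Command Packet Identifier
UDH_IEI_OTA_RESPONSE = 0x71       # UDH IEI: OTA Response Packet Identifier


@dataclass
class Sms:
    """Minimal view of one short message as a filter sees it (hypothetical type)."""
    direction: str        # "inbound" (to the phone) or "outbound" (from the phone)
    peer: str             # remote address: originator if inbound, destination if outbound
    tp_pid: int           # TP-Protocol-Identifier
    tp_dcs: int           # TP-Data-Coding-Scheme
    user_data: bytes      # TP-User-Data, including the UDH when has_udh is set
    has_udh: bool = False


def dcs_message_class(dcs: int) -> Optional[int]:
    """Return the message class (0-3) carried in TP-DCS, or None if no class is given.
    Class 2 marks a (U)SIM-specific message, the usual carrier for binary SIM traffic."""
    group = dcs >> 4
    if group <= 0x3:                  # general data coding: bit 4 says class bits are meaningful
        return dcs & 0x03 if dcs & 0x10 else None
    if group == 0xF:                  # "data coding / message class" group: class always present
        return dcs & 0x03
    return None


def udh_ieis(user_data: bytes, has_udh: bool) -> list:
    """Walk the User Data Header (UDHL, then IEI/IEDL/data triples) and list its IEIs."""
    if not has_udh or not user_data:
        return []
    udhl = user_data[0]
    header = user_data[1:1 + udhl]
    ieis, i = [], 0
    while i + 1 < len(header):
        iei, iedl = header[i], header[i + 1]
        ieis.append(iei)
        i += 2 + iedl
    return ieis


def is_binary_sim_sms(sms: Sms) -> bool:
    """True when the message is addressed to the SIM rather than displayed to the user."""
    ieis = udh_ieis(sms.user_data, sms.has_udh)
    return (sms.tp_pid == TP_PID_SIM_DATA_DOWNLOAD
            or dcs_message_class(sms.tp_dcs) == 2
            or UDH_IEI_OTA_COMMAND in ieis
            or UDH_IEI_OTA_RESPONSE in ieis)


def firewall_decision(sms: Sms, trusted_ota_peers: set) -> str:
    """Allow ordinary SMS; allow SIM-bound traffic only to or from trusted OTA addresses.
    Checking outbound messages too keeps the SIM from returning its signed error
    response (the material the key-recovery attack needs) to an untrusted sender."""
    if not is_binary_sim_sms(sms):
        return "allow"
    if sms.peer in trusted_ota_peers:
        return "allow"
    return "block"


# Constructed sample traffic; the numbers are placeholders, not real services.
TRUSTED = {"+10000000001"}   # e.g. the operator's own OTA platform
OTA_CMD_UD = bytes([0x02, UDH_IEI_OTA_COMMAND, 0x00]) + b"\x00\x10"    # UDH + dummy payload
OTA_RSP_UD = bytes([0x02, UDH_IEI_OTA_RESPONSE, 0x00]) + b"\x00\x0a"

SAMPLES = [
    Sms("inbound", "+15550001234", tp_pid=0x00, tp_dcs=0x00, user_data=b"hello"),
    Sms("inbound", "+10000000001", tp_pid=TP_PID_SIM_DATA_DOWNLOAD, tp_dcs=0xF6,
        user_data=OTA_CMD_UD, has_udh=True),
    Sms("inbound", "+19990009999", tp_pid=TP_PID_SIM_DATA_DOWNLOAD, tp_dcs=0xF6,
        user_data=OTA_CMD_UD, has_udh=True),
    Sms("outbound", "+19990009999", tp_pid=0x00, tp_dcs=0xF6,
        user_data=OTA_RSP_UD, has_udh=True),
]


def run_samples() -> list:
    """Apply the policy to the constructed samples and return the verdicts in order."""
    return [firewall_decision(s, TRUSTED) for s in SAMPLES]


if __name__ == "__main__":
    for sms, verdict in zip(SAMPLES, run_samples()):
        print(f"{sms.direction:8} {sms.peer:14} pid=0x{sms.tp_pid:02x} "
              f"dcs=0x{sms.tp_dcs:02x} -> {verdict}")
```

The trusted set is the user's or operator's choice, which is exactly the control the article calls for; in an in-network filter the same `firewall_decision` would run on the SMSC with the operator's OTA addresses as the allowlist, and on the handset with whatever the subscriber has approved.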

Users can check with their provider to see if their SIM card is vulnerable to this attack and, if necessary, upgrade to a newer card that is not vulnerable, blogged Wueest.

“We all know that mobile phones have been the focus of cybercriminals for a while now,” he wrote. “But Trojanized mobile applications are only one attack scenario. Some problems lie even deeper in your phone.”

The Black Hat conference will be held from July 27 to Aug. 1.
