SIM Card Encryption Weaknesses Could Expose Millions

Hundreds of millions of SIMs are using weak encryption to do over the air updates, which is bad news for mobile users

Millions of SIM cards are running encryption that is easily crackable, leaving many devices exposed to mobile malware, researchers have warned.

Software updates and other over-the-air updates are often sent encrypted using a 1970s cipher known as the Data Encryption Standard (DES), which has been proven to be weak and dated, said German firm Security Research Labs.

All would-be hackers have to do is send a binary SMS to a device, which, in many cases, will respond with an error code carrying a cryptographic signature. Take a rainbow table to that signature, and a 56-bit DES key can be acquired.

spy security mobile - Shutterstock © ostillCracking easy encryption

To get malware on the device, an official-looking update can be sent to the device, asking the target to download a Java applet. That applet could let the attacker send text messages, change voicemail numbers or query phone location – all good things for a snoop.

Whilst the Java virtual machine on many SIM cards should prevent Java applets from getting wide access to the phone, two major SIM card vendors have insecure JVM implementations.

“A Java applet can break out of its realm and access the rest of the card. This allows for remote cloning of possibly millions of SIM cards including their mobile identity (IMSI, Ki) as well as payment credentials stored on the card,” the security company wrote.

It’s the potential compromise of payment information that will concern many, as many moved payment information to SIMs because of their supposed security protections. This particular threat will have larger ramifications in markets with strong mobile payment industries, such as Africa.

Karsten Nohl, chief scientist at Security Research Labs, is due to present his findings at Blackhat later this month.

The UN’s International Telecommunications Union has been so concerned by the research it has decided to send out an alert to telecoms regulators and government agencies across 200 countries about the vulnerability, according to Reuters.

It is estimated as many as 750 million devices could be in danger.

What do you know about Internet security? Find out with our quiz!