SIM cards can be easily hacked
Karsten Nohl claims that some SIM cards have a flaw in their encryption that lets phones using those cards be spied on.
The flaw lets an attacker send a spoofed text message to the device: an over-the-air (OTA) management command carrying an invalid signature. Instead of silently discarding it, an affected card answers with an error message that is itself signed with the card's 56-bit Data Encryption Standard (DES) key, and that signed response is enough to recover the key. With the key, the attacker can install malicious software on the SIM and go on to listen in on phone calls, read and send text messages, and more.
Nearly half of all SIM cards in use today still rely on single DES rather than the more secure triple DES. In his testing, Nohl managed to break into about a quarter of the SIM cards he tried, and he estimates that 750 million phones could be affected by this vulnerability.
“Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it,” says Nohl.
Nohl also described in detail how the attack is performed.
In early 2011, Nohl’s team started experimenting with the over-the-air (OTA) protocol and noticed that when they used it to send commands to several SIM cards, some would refuse the command because of an incorrect cryptographic signature, and a few of those would also attach a cryptographic signature to the error message.
Because the content of that error message is known, the signature on it is a known-plaintext sample under the card's key. Using rainbow tables, a precomputed time/memory trade-off for exhaustive key search, Nohl was able to crack the card's 56-bit DES key in about one minute. Carriers use this key to remotely program a SIM, and it is unique to each card.
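To make the mechanism concrete, here is an added example in Python, not code from the original article or from Nohl's team, that models the exchange above: a toy SIM that signs its error responses, and an attacker who precomputes a table over the whole keyspace and looks the signed error up. A SHA-256-based keyed tag stands in for the card's DES signature, the key is cut to 16 bits so the full table builds in a fraction of a second, and the error text, command strings and card key are constructed for the example. The attack depends only on the two facts the article states: the key is short, and the signed error message is known to the attacker.

```python
import hashlib

# Toy parameters. Real single-DES keys are 56 bits; the keyspace is cut down so
# the full precomputation runs in well under a second. The attack logic is unchanged.
KEY_BITS = 16
KEY_LEN = KEY_BITS // 8
MAC_LEN = 8  # 64-bit tag, the width of a DES-based signature

# Fixed-content error a card returns when an OTA command fails signature
# verification. The attacker knows these bytes, so a signature over them is a
# known-plaintext (message, MAC) pair. (Constructed for this example.)
ERROR_BODY = b"OTA: signature verification failed"


def toy_mac(key: bytes, message: bytes) -> bytes:
    """Stand-in for the card's DES-based signature: keyed, deterministic, short key."""
    return hashlib.sha256(key + message).digest()[:MAC_LEN]


class ToySim:
    """Minimal model of a SIM's OTA command handler (constructed for this example)."""

    def __init__(self, key: bytes, signs_errors: bool):
        self.key = key                    # per-card OTA key, known only to the carrier
        self.signs_errors = signs_errors  # True models the vulnerable cards

    def handle_ota(self, command: bytes, signature: bytes):
        """Return (accepted, response_body, response_signature)."""
        if toy_mac(self.key, command) == signature:
            return True, b"OK", None
        if self.signs_errors:
            # The flaw: the rejection itself is signed with the card key.
            return False, ERROR_BODY, toy_mac(self.key, ERROR_BODY)
        return False, ERROR_BODY, None


def build_table(message: bytes) -> dict:
    """Precompute MAC -> key for every key in the toy keyspace.

    A plain dictionary is the simplest form of the time/memory trade-off that
    rainbow tables compress: fine for 2**16 keys, hopeless for 2**56.
    """
    table = {}
    for k in range(1 << KEY_BITS):
        key = k.to_bytes(KEY_LEN, "big")
        table[toy_mac(key, message)] = key
    return table


def recover_key(sim: ToySim, table: dict):
    """Send one spoofed OTA command and look the signed error up in the table."""
    bogus_signature = bytes(MAC_LEN)
    accepted, body, sig = sim.handle_ota(b"INSTALL malicious-applet", bogus_signature)
    if accepted or sig is None:
        return None  # hardened card: nothing usable comes back
    return table.get(sig)


def forge_command(sim: ToySim, key: bytes, command: bytes) -> bool:
    """With the recovered key, the attacker's own command passes verification."""
    accepted, _, _ = sim.handle_ota(command, toy_mac(key, command))
    return accepted


if __name__ == "__main__":
    table = build_table(ERROR_BODY)
    card_key = (0xBEEF).to_bytes(KEY_LEN, "big")  # constructed secret
    vulnerable = ToySim(card_key, signs_errors=True)
    hardened = ToySim(card_key, signs_errors=False)
    stolen = recover_key(vulnerable, table)
    print("vulnerable card key recovered:", stolen == card_key)
    print("applet install accepted with stolen key:",
          forge_command(vulnerable, stolen, b"INSTALL applet"))
    print("hardened card leaks key:", recover_key(hardened, table) is not None)
```

Run directly, it reports whether the key was recovered, whether a forged install command is then accepted, and that a card returning an unsigned error leaks nothing. Rainbow tables do the same precomputation as the dictionary here, compressed so it scales to the 2^56 keys of single DES; against triple DES the keyspace is far too large to tabulate, which is the point of the migration the article describes.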
“Anybody who learns the key of a particular SIM can load any application on the SIM he wants, including malicious code,” says Jasper Van Woudenberg, CTO North America of smart-card security firm Riscure.
“We had almost given up on the idea of breaking the most widely deployed use of standard cryptography,” says Nohl, but it felt “great” to finally gain control of a SIM after many months of unsuccessful testing.
With the all-important (and until now elusive) encryption key, Nohl could load malware onto the SIM card that could send premium-rate text messages, collect location data, make premium-rate calls or re-route calls. A malicious hacker could eavesdrop on calls, although the SIM owner would probably notice some suspiciously slow connections.
Nohl also works as a security researcher, and he previously exposed GSM's weak encryption, which let anyone with the right tools listen in on cellphone calls; the system used to encrypt GSM calls was subsequently strengthened. Nohl argues that carriers should replace SIMs that still use DES and deploy better filtering technology to block such attacks.