Sim Cards Are Vulnerable To Attacks
SIM cards, the de facto trust anchor of mobile devices worldwide, is not as secure as it was possibly thought they are, as they can put millions of people at risk of being spied on and robbed.
Karsten Nohl, a security expert of Security Research Labs, described a way to discover some Sims' digital keys by sending them a special text message. The method could potentially used to listen in on calls or steal cash.
SIM (subscriber identity module) cards found on mobile devices receive over-the-air (OTA) updates. OTA commands, such as software updates, are cryptographically-secured SMS messages, which are delivered directly to the SIM. While the option exists to use AES or the somewhat outdated 3DES algorithm for OTA, many (if not most) SIM cards still rely on the 70s-era DES cipher. DES keys were shown to be crackable within days using FPGA clusters, but they can also be recovered much faster.
To derive a DES OTA key, an attacker starts by sending a binary SMS to a target device. The SIM does not execute the improperly signed OTA command, but does in many cases respond to the attacker with an error code carrying a cryptographic signature, once again sent over binary SMS. This plaintext-signature tuple can be resolved to a 56-bit DES key within two minutes on a standard computer, according to Nohl.
The cracked DES key enables an attacker to send properly signed binary SMS, which download Java applets onto the SIM. Applets are allowed to send SMS, change voicemail numbers, and query the phone location, among many other predefined functions. These capabilities alone provide plenty of potential for abuse.
According to Nohl, the risk of remote SIM exploitation can be mitigated by making sure that SIM cards are using state-of-art cryptography with sufficiently long keys, they are not disclosing signed plaintexts to attackers, and implement secure Java virtual machines.
One additional protection layer could be anchored in handsets: Each user should be allowed to decide which sources of binary SMS to trust and which others to discard. An SMS firewall on the phone would also address other abuse scenarios including "silent SMS."
Remote attackers rely on mobile networks to deliver binary SMS to and from victim phones. Such SMS should only be allowed from a few known sources, but most networks have not implemented such filtering yet. "Home routing" is furthermore needed to increase the protection coverage to customers when roaming. This would also provide long-requested protection from remote tracking.
The GSMA said it was looking into the findings.
The specific research will be presented at BlackHat on Jul 31st and at the OHM hacking camp on Aug 3rd 2013.
SIM (subscriber identity module) cards found on mobile devices receive over-the-air (OTA) updates. OTA commands, such as software updates, are cryptographically-secured SMS messages, which are delivered directly to the SIM. While the option exists to use AES or the somewhat outdated 3DES algorithm for OTA, many (if not most) SIM cards still rely on the 70s-era DES cipher. DES keys were shown to be crackable within days using FPGA clusters, but they can also be recovered much faster.
To derive a DES OTA key, an attacker starts by sending a binary SMS to a target device. The SIM does not execute the improperly signed OTA command, but does in many cases respond to the attacker with an error code carrying a cryptographic signature, once again sent over binary SMS. This plaintext-signature tuple can be resolved to a 56-bit DES key within two minutes on a standard computer, according to Nohl.
The cracked DES key enables an attacker to send properly signed binary SMS, which download Java applets onto the SIM. Applets are allowed to send SMS, change voicemail numbers, and query the phone location, among many other predefined functions. These capabilities alone provide plenty of potential for abuse.
According to Nohl, the risk of remote SIM exploitation can be mitigated by making sure that SIM cards are using state-of-art cryptography with sufficiently long keys, they are not disclosing signed plaintexts to attackers, and implement secure Java virtual machines.
One additional protection layer could be anchored in handsets: Each user should be allowed to decide which sources of binary SMS to trust and which others to discard. An SMS firewall on the phone would also address other abuse scenarios including "silent SMS."
Remote attackers rely on mobile networks to deliver binary SMS to and from victim phones. Such SMS should only be allowed from a few known sources, but most networks have not implemented such filtering yet. "Home routing" is furthermore needed to increase the protection coverage to customers when roaming. This would also provide long-requested protection from remote tracking.
The GSMA said it was looking into the findings.
The specific research will be presented at BlackHat on Jul 31st and at the OHM hacking camp on Aug 3rd 2013.
