Update: CNN reported on 1st August that five major carriers have pushed out a patch to block the vulnerability.
A two-minute SIM card hack could enable a hacker to listen to your phone calls, send text messages from your phone number and make mobile payments from your account. The vulnerability, discovered by a German security researcher, is present in an estimated 750 million SIM cards – around one in four of all SIM cards.
Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it …
The vulnerability was discovered by Karsten Nohl, founder of Security Research Labs in Berlin – the man who back in 2009 created a tool to break the GSM encryption, enabling anyone with a scanner and a laptop to listen in to cellphone calls. The system used to encrypt GSM calls was strengthened as a result of his work.
This new vulnerability concerns the cryptography that protects over-the-air (OTA) management messages sent to SIM cards by text message. Nohl found that by sending a SIM a crafted text message that pretends to come from the carrier, in about 25 percent of cases the SIM would reply with an error message carrying a cryptographic signature computed with its 56-bit DES key. Because the attacker knows the content of that error message, the signature is a known-plaintext sample from which the key can be recovered in a couple of minutes using precomputed (rainbow) tables. A second text message, posing as a software update and signed with the recovered key, would then be accepted by the SIM and install malicious software on it, giving the attacker wide-ranging control over the SIM and, through it, the phone.
The attack works only against SIM cards whose OTA keys use the older Data Encryption Standard (DES) with its 56-bit key. More modern SIMs use stronger ciphers such as Triple DES, which cannot be attacked the same way, but a subscriber has no easy way to tell which cipher their SIM uses.
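The exchange described above, modelled as an added example that is not Nohl's or Security Research Labs' code and not the real OTA message format: a toy SIM answers a badly signed command with a signed error, the attacker recovers the key from that known plaintext and then sends a correctly signed "update". Everything here is a simplification and assumption for illustration: `ToySim`, `sim_mac`, `recover_key` and `run_attack` are invented names, the message layout is made up, an HMAC stands in for the DES-based checksum, and the key is shrunk to 16 bits so the exhaustive search (which Nohl did against 56-bit DES with precomputed tables) finishes instantly. The `signed_errors=False` variant shows the simplest fix on the SIM side: never use the OTA key on a reply to an unauthenticated command.

```python
import hashlib
import hmac
import os

# Toy parameters (assumption, not the real SIM format). Vulnerable SIMs used a
# single-DES OTA key of 56 bits; here the key is cut to KEY_BITS so the
# exhaustive search in recover_key() finishes instantly. The structure of the
# attack is unchanged; only the work factor is.
KEY_BITS = 16
KEY_BYTES = (KEY_BITS + 7) // 8
MAC_LEN = 8  # bytes of keyed checksum carried with each OTA message


def sim_mac(key: bytes, payload: bytes) -> bytes:
    """Keyed checksum over an OTA message. Stand-in for the DES-based checksum
    the real SIMs used; HMAC-SHA256 is chosen only because it ships with Python."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:MAC_LEN]


class ToySim:
    """Simplified SIM: accepts OTA commands that carry a valid checksum under the
    shared OTA key. With signed_errors=True it mimics the vulnerable behaviour,
    answering a badly signed command with an error that is itself signed."""

    def __init__(self, key: bytes, signed_errors: bool = True):
        assert len(key) == KEY_BYTES
        self.key = key
        self.signed_errors = signed_errors
        self.installed = []  # commands the SIM has accepted and executed

    def receive_ota(self, command: bytes, mac: bytes):
        if hmac.compare_digest(sim_mac(self.key, command), mac):
            self.installed.append(command)
            return b"OK", sim_mac(self.key, b"OK")
        error = b"ERR:bad-checksum:" + command
        if self.signed_errors:
            # Vulnerable: the reply hands the sender a known plaintext and its
            # checksum under the OTA key, which is all a key search needs.
            return error, sim_mac(self.key, error)
        # Hardened: report the error (or stay silent) without touching the key.
        return error, None


def recover_key(known_plain: bytes, observed_mac: bytes):
    """Known-plaintext exhaustive search over the whole toy key space. Against
    56-bit DES this step is where Nohl used precomputed tables; with a 16-bit
    toy key a plain loop is enough."""
    for k in range(1 << KEY_BITS):
        candidate = k.to_bytes(KEY_BYTES, "big")
        if hmac.compare_digest(sim_mac(candidate, known_plain), observed_mac):
            return candidate
    return None


def run_attack(sim: ToySim, payload: bytes):
    """The two-message attack from the text: (1) an unsigned probe elicits a
    signed error, (2) the key is recovered offline from that error, (3) the
    payload is sent with a valid checksum. Returns the recovered key, or None
    if the SIM leaked nothing usable."""
    probe = b"INSTALL:probe"
    reply, reply_mac = sim.receive_ota(probe, bytes(MAC_LEN))  # deliberately wrong checksum
    if reply_mac is None:
        return None
    key = recover_key(reply, reply_mac)
    if key is None:
        return None
    sim.receive_ota(payload, sim_mac(key, payload))
    return key


if __name__ == "__main__":
    victim = ToySim(os.urandom(KEY_BYTES))
    print("vulnerable SIM, key recovered:", run_attack(victim, b"INSTALL:applet"))
    print("  installed:", victim.installed)
    hardened = ToySim(os.urandom(KEY_BYTES), signed_errors=False)
    print("hardened SIM, key recovered:", run_attack(hardened, b"INSTALL:applet"))
    print("  installed:", hardened.installed)
```

Scaling the toy back up is the whole point of the DES-versus-Triple-DES distinction in the text: the search in `recover_key` covers 2^16 keys here, 2^56 for single DES (feasible with precomputed tables, as the two-minute figure shows), and 2^112 for two-key Triple DES, which is out of reach, so the same signed error leaks nothing useful on a modern SIM.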
Nohl will report his findings in detail at the Black Hat security conference in August, but he has already provided details to mobile operators so that they can address the vulnerability. A spokesperson for the GSM Association said:
We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted.
We should find out at the conference whether or not this is the case …