500 Million Cell Phones Vulnerable To Exploit
Your trusty SIM card could be a potential backdoor for hackers.
German cryptographic researcher Karsten Nohl says he has cracked the encryption and security features of certain SIM cards after three years of work. Nohl will present his team’s findings in the Black Hat conference held in Las Vegas on July 31st.
The SIM (Subscriber Identity Module) was first developed in 1991. Most current SIM cards are based on newer encryption standards but one-eighth of all cards — accounting for 500 million cellphones currently in use — are based on an older encryption standard which make them vulnerable, according to Nohl.
The exploit involves sending a hidden SMS which allows a hacker to infect the SIM card in the phone with a virus. The virus would then be able to open up access to the phone, including recording calls, sending and receiving messages and calls that can lead to charges, and worst of all, payment fraud.
The most important security exploit involves something called Java sandboxing. Phone programs are designed to be “sandboxed,” meaning that the application would be kept in its own space, and not allowed to interact with other programs or the SIM card. Nohl was able to upload a virus to the SIM which could interact and spy on other programs.
Nohl claims that the broken sandboxing is the fault of the leading SIM card manufacturers Gemalto and Oberthur. Both companies claim that their SIM cards are secure and meet industry encryption standards.
What does this mean for the future of mobile payments? Industry experts have been disappointed with the slow rate of consumer adoption of mobile payment methods. If consumers feel that their devices are not secure enough, especially with this newly discovered SIM card flaw, then it could be a major setback to companies and manufacturers.
It falls on both SIM card manufacturers and the carriers to cooperate in patching these exploits to assure consumers their phones are secure.