The SIM card in your phone could be vulnerable to a new security flaw discovered by a German researcher that could allow hackers to remotely take control of your handset. The New York Times reported on the matter yesterday, and apparently the flaw relates to SIM cards using DES (Data Encryption Standard).
This is actually an older form of encryption that is being phased out by most manufacturers, but it is still being utilized in hundreds of millions of SIM cards. In fact, it was stated that over 740 million phones could be vulnerable.
So, just how serious is this security flaw? Well, according to Kevin J. O’Brien from The New York Times:
Karsten Nohl, founder of Security Research Labs in Berlin, said the encryption hole allowed outsiders to obtain a SIM card’s digital key, a 56-digit sequence that opens the chip up to modification. With that key in hand, Mr. Nohl said, he was able to send a virus to the SIM card through a text message, which let him eavesdrop on a caller, make purchases through mobile payment systems and even impersonate the phone’s owner.
Nohl further elaborates: “We can remotely install software on a handset that operates completely independently from your phone. We can spy on you. We know your encryption keys for calls. We can read your S.M.S.’s. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account.”
The bottom line is that it is pretty serious, to say the least, and the entire operation takes only about 2 minutes.
Nohl has disclosed this security flaw to the GSMA (an association of mobile operators that oversees the deployment of GSM networks), and they have begun notifying SIM makers and other companies involved. As with Saurik’s Android Master Key exploit and patch, Nohl will be detailing the exploit at Black Hat next month.