If you thought a simple phone is not vulnerable, you got it wrong. Today a report from The New York Times explains how a German mobile security expert found a flaw in the technology that is used to encrypt SIM cards.
Some SIM cards use DES (Data Encryption Standard) encryption, an old standard (from 1970) that might still be used by almost 3 billion cellphones worldwide. After two years and 1000 SIM cards, Karsten Nohl, the founder of Security Research Labs, found the security flaw on 25 percent of the SIM cards that used DES encryption.
This vulnerability might allow a hacker to obtain the SIM card's digital key (which is a 56-digit sequence), which allows the chip to be modified. Having this key, Mr. Nohl was able to send a virus through a text message, intercept text messages, and make carrier payments.
In just two minutes and using a personal computer, Mr. Nohl was able to hack a SIM card. In 25 percent of the messages he sent to cellphones that used DES encryption, the receiver sent an error message back to Mr. Nohl with the encrypted digital signature. Having this key, Mr. Nohl could do all the harm he wanted.
Fortunately, over the last years many carriers have replaced DES SIM card encryption with a tougher one called Triple DES, which is not affected by Nohl's method. Nohl told The New York Times that he will disclose the names of the operators that used DES encryption to protect their SIM cards at the Black Hat conference, which takes place on August 1st. Later, this December, Nohl also plans to publish a comparative list of SIM card security by operator at the Chaos Communication Congress in Hamburg, Germany.
As a regular user, it is very hard to know if you have a SIM card encrypted using the DES or Triple DES standard, so we have to wait and see the blacklist Mr. Nohl plans to publish. Or we could phone our operator and ask about this, although I doubt they will want to disclose such things. Let’s hope we’re all in the safe zone.