23 July 2013

The humble SIM card has finally been hacked: Billions of phones at risk of data theft, premium rate scams



It took a long time - more than 20 years, to be exact - but the humble SIM card that sits within your phone, and seven billion others, has finally been hacked. Of the seven billion modern SIM cards in circulation, hundreds of millions are estimated to be susceptible. The hacks allow a would-be attacker to infect your SIM with a virus that sends premium text messages, or records your phone calls - and, in some cases, access the secure, sandboxed details stored on your SIM by mobile payment apps, giving a hacker access to your bank and credit card details. Now that a proof of concept has been demonstrated, we wouldn’t be surprised if the billions of other SIMs in circulation are also vulnerable to other attack vectors.

For the longest time, I thought that SIM cards were merely a piece of laminated memory that stored the data that your phone needs to connect to a cellular network (ICCID, Ki, etc.), along with enough space to store a few phone numbers. In actuality, the SIM card in your phone is actually a small computer, with memory, a processor, and even an operating system. As you can see in the diagram below, there is a chip beneath those gold contacts, and on that chip there is a processor, ROM (firmware that stores the OS and SIM apps), EEPROM (which stores your phone book, settings, patches), and RAM (for use by the SIM’s OS and apps). In the photo below of a disassembled SIM card, you can clearly see that this is quite a complex computer chip.



And, unfortunately, like any computer chip that runs an operating system and apps, a SIM card can be hacked. In this case, modern SIM cards run a very simple OS that loads up Java Card - a version of the Java virtual machine for smart cards (of which SIMs are a variety of). Java Card essentially runs small Java applets, and each applet is encapsulated and firewalled (sandboxed) by the Java VM, preventing sensitive data from leaking to other apps. Your phone interacts with these apps via the SIM Application Toolkit (STK) to display information on your screen, and to interact with the outside world. To load apps onto the SIM or to update them, hidden text messages are sent by the carrier, containing over-the-air (OTA) programming in binary form. These messages are signed with a cryptographic key, so that the SIM knows that these messages have originated from a trusted source.

Now, German security researcher Karsten Nohl has discovered a way of finding out that all-important cryptographic key. By sending his own OTA SMSes that aren’t signed with the correct key, he discovered that some phones pop up an error message that contains a cryptographic signature. Then, using rainbow tables (a list of plaintext keys/passwords and their encrypted equivalent), Nohl found he could discover the SIM card’s cryptographic key in about one minute. Once he had this key, he could send apps and viruses to the SIM card that can send premium text messages (racking up huge bills), re-route or record calls, collect location data - you name it, with access to the SIM, you can do just about anything.



Nohl also found a separate bug in Java Card, essentially an out-of-bounds error (asking for the sixth item in a list when the list only contains five items), that can give an app/virus full root access to your SIM card - effectively breaking out of the encapsulation/sandboxing provided by the Java Card VM. With root access, these malicious apps could then obtain any data stored on your SIM, including your address book, or sensitive banking details stored by mobile payment apps. This is an issue, as the only reason that mobile payment apps are being rolled out in the first place is because the SIM card has long been considered a safe haven - but, as luck would have it (really, it’s quite unsurprising), there’s a massive security hole just waiting to be exploited.


According to Nohl, he estimates that out of 100 mobile phones, he could gain root access to the SIM card on 13 of them. SIM cards that use newer, stronger encryption (Triple DES), don’t appear to be susceptible to these attack vectors, but Nohl says he’ll give more information at his Black Hat talk at the end of July. Verizon and AT&T say they are not vulnerable to the vulnerabilities exposed by Nohl. In essence, mitigation of this attack comes down to the encryption standard used by your SIM card - so if you use a SIM that’s more than a few years old, you should probably get a new one (most carriers will provide a new SIM if you ask nicely). Some carriers, though, simply won’t have upgraded to Triple DES yet - and, as you can imagine, carriers won’t publicly admit that they’re using out-of-date security methods.

Even with the updated cryptographic standard, though, it’s clear that Java Card itself is flawed - and patching it, and distributing those patches, will take a lot more effort than rolling out Triple DES. Even if the holes can be easily fixed, the simple matter of the fact is that computers are intrinsically insecure - and now that a proof of concept with the potential for massive monetary gain has been demonstrated, it’s only a matter of time until more vulnerabilities are found.

(Image credit)

44 comments:

  1. Thanks for sharing information.
    recharge offers
    videocontelecom offers new Customers the proposition will be available on Plan voucher (PV) priced at Rs 76, offering All Local Calls at 25P/min only for 6 months including Rs 63 Talk time; 1050 MB data for 3 month and 100 SMS free/day, with first 2 SMS of the day chargeable at rack rate only in Haryana.

    ReplyDelete
  2. Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a Java developer learn from Java Training in Chennai. or learn thru Java Online Training India . Nowadays Java has tons of job opportunities on various vertical industry.

    ReplyDelete
  3. Might want to compliment the author for composing this perfect article
    best cell phone lookup review

    ReplyDelete
  4. Love to read it,Waiting For More new Update and I Already Read your Recent Post its Great Thanks. best phone under 9000 with good camera

    ReplyDelete
  5. This is my first time i visit here and I found so many interesting stuff in your blog especially it's discussion, thank you. the sims mobile hack ios

    ReplyDelete
  6. There is so many in this column that I could by no means experience perception of on my acknowledge. Your textual content offers lecturers gadgets to imagine about in an amazing street. Acknowledge you to your open information.
    Phone price in bd 2020

    ReplyDelete
  7. I feel like I’m often looking for interesting things to read about a variety of niches, but I manage to include your blog among my reads every day because you have compelling entries that I look forward to. Here’s hoping there’s a lot more amazing material coming! ipad sketch

    ReplyDelete
  8. Nice site. On your blogs very interest and i will tell a friends. ipad template

    ReplyDelete
  9. You ought to basically fantastic not to mention solid advice, which means notice: outdoor surveillance camera system

    ReplyDelete
  10. Nice to be visiting your blog once more, it continues to be months for me. Nicely this post that i’ve been waited for so lengthy. I want this article to total my assignment in the university, and it has same topic together with your post. Thanks, terrific share. device mockups

    ReplyDelete
  11. hello i discovered your post and thought it was very informational likewise i suggest this site about repairing lap tops Click Here device mockups

    ReplyDelete
  12. Some really superb info , Sword lily I found this. android phone template

    ReplyDelete
  13. First, let’s kill off a genuine fabrication: You can not use a reverse cellular phone number lookup for totally free anywhere, anytime. phone mockup

    ReplyDelete
  14. This way, it functions almost like a cell phone; as a matter of fact, many cell phones make use of SIM cards for the said purpose. the sims mobile hack ios 2020

    ReplyDelete
  15. You’ve really written a very good quality article here. Thank you very much iphone screenshot mockup

    ReplyDelete
  16. I totally understand what you have explained. Actually, I browsed throughout your several other content articles and I do believe you are absolutely correct. Congrats with this particular blog. app store mock up

    ReplyDelete
  17. Thank you for making the honest attempt to discuss this. I feel very strong about it and would like to learn more. If it’s OK, as you gain extra in depth knowledge, might you mind adding more articles very similar to this one with more information? It would be extraordinarily useful and useful for me and my friends. imac mockup free

    ReplyDelete
  18. You actually make it look so easy with your performance but I find this matter to be actually something which I think I would never comprehend. It seems too complicated and extremely broad for me. I'm looking forward for your next post, I’ll try to get the hang of it! Best metaphysical store

    ReplyDelete
  19. Keep up the fantastic piece of work, I read few blog posts on this web site and I believe that your site is real interesting and has lots of great information. apple watch mockup free

    ReplyDelete
  20. The when I just read a blog, I’m hoping that this doesnt disappoint me approximately this one. Get real, Yes, it was my method to read, but When i thought youd have something interesting to state. All I hear is a number of whining about something that you could fix should you werent too busy trying to find attention. apple watch template

    ReplyDelete
  21. You have noted very useful details! PS. nice web site. “Disbelief in magic can force a poor soul into believing in government and business.” by Tom Robbins.. apple watch psd

    ReplyDelete
  22. Nice to be visiting your blog once more, it continues to be months for me. Nicely this post that i’ve been waited for so lengthy. I want this article to total my assignment in the university, and it has same topic together with your post. Thanks, terrific share. Mobile Phone Price in Bangladesh

    ReplyDelete
  23. Good article , I am going to spend more time learning about this topic top app development companies

    ReplyDelete
  24. Keep all the articles coming. I love reading through your things. Cheers. top web development companies

    ReplyDelete
  25. Yay google is my king assisted me to find this outstanding site! . web development firms

    ReplyDelete
  26. Howdy! Do you know if they make any plugins to safeguard against hackers? I’m kinda paranoid about losing everything I’ve worked hard on. Any suggestions? web development services company

    ReplyDelete
  27. Hello! Good stuff, please keep us posted when you post again something like that! best logo design company

    ReplyDelete
  28. Looks like the writer has put a lot of hard work into this.
    spy phone app

    ReplyDelete
  29. Nice post. I was checking constantly this blog and I am impressed! Extremely helpful information specially the last part I care for such info a lot. I was seeking this particular information for a very long time. Thank you and good luck. instagram likes app download apk

    ReplyDelete
  30. The secrets of why News and why it means a lot. branding san francisco

    ReplyDelete
  31. Good post. I learn something tougher on different blogs everyday. It'll at all times be stimulating to learn content from other writers and observe somewhat one thing from their store. I’d choose to use some with the content on my blog whether or not you don’t mind. Natually I’ll offer you a link in your internet blog. Thanks for sharing. device mockup

    ReplyDelete
  32. It laborious to seek out knowledgeable folks on this matter, but you sound like you already know what you are talking about! Thanks ipad device template

    ReplyDelete
  33. You are therefore cool! My partner and i do not assume I have learn anything like this prior to. So excellent to discover somebody with a few original thoughts on this subject matter. realy many thanks for beginning this up. this web site is something that’s needed on the web, someone using a bit of inspiration. beneficial project for delivering something a new comer to the internet! website design company san francisco

    ReplyDelete
  34. Thank you for your site post. Velupe and I happen to be saving for just a new book on this subject and your article has made us all to save money. Your opinions really responded all our issues. In fact, above what we had thought of ahead of the time we came across your great blog. I no longer nurture doubts including a troubled mind because you totally attended to each of our needs here. Thanks iphone photoshop

    ReplyDelete
  35. Outstanding brief which post helped me alot. Give you thanks I looking for your details?–. iphone device template

    ReplyDelete
  36. The next thing to check from a used smartphone is the screen surface and the sensitivity of its User Interface. small smartphone

    ReplyDelete
  37. Excellent article. Very interesting to read. I really love to read such a nice article. Thanks! keep rocking. russian stealth sim

    ReplyDelete
  38. Therefore dissertation web-sites as a result of online to set-up safe and sound ostensibly taped in the website. russian sim panel

    ReplyDelete
  39. It’s best to take part in a contest for one of the best blogs on the web. I will recommend this website! genuine hackers for hire online

    ReplyDelete
  40. Notwithstanding, you should realize that since you approach a photograph shop instructional exercise doesn't make you a specialist. A colossal piece of learning relies upon your gathering of the instructional exercise. Here are a few things that you ought to do so as to take advantage of a photograph shop instructional exercise: Professional graphic design

    ReplyDelete
  41. This Article content is Really Unique and amazing. This article Really helpful and Explained very well.So i am Really Thankful to you for Sharing Keep it upMobile Phone Prices in Bangladesh

    ReplyDelete

Get every new post delivered to your Inbox.

 

Copyright © 2018 Tracktec. All rights reserved.

Back to Top