It took a long time - more than 20 years, to be exact - but the humble SIM card that sits within your phone, and seven billion others, has finally been hacked. Of the seven billion modern SIM cards in circulation, hundreds of millions are estimated to be susceptible. The hacks allow a would-be attacker to infect your SIM with a virus that sends premium text messages, or records your phone calls - and, in some cases, access the secure, sandboxed details stored on your SIM by mobile payment apps, giving a hacker access to your bank and credit card details. Now that a proof of concept has been demonstrated, we wouldn’t be surprised if the billions of other SIMs in circulation are also vulnerable to other attack vectors.
For the longest time, I thought that SIM cards were merely a piece of laminated memory that stored the data that your phone needs to connect to a cellular network (ICCID, Ki, etc.), along with enough space to store a few phone numbers. In actuality, the SIM card in your phone is actually a small computer, with memory, a processor, and even an operating system. As you can see in the diagram below, there is a chip beneath those gold contacts, and on that chip there is a processor, ROM (firmware that stores the OS and SIM apps), EEPROM (which stores your phone book, settings, patches), and RAM (for use by the SIM’s OS and apps). In the photo below of a disassembled SIM card, you can clearly see that this is quite a complex computer chip.
And, unfortunately, like any computer chip that runs an operating system and apps, a SIM card can be hacked. In this case, modern SIM cards run a very simple OS that loads up Java Card - a version of the Java virtual machine for smart cards (of which SIMs are a variety of). Java Card essentially runs small Java applets, and each applet is encapsulated and firewalled (sandboxed) by the Java VM, preventing sensitive data from leaking to other apps. Your phone interacts with these apps via the SIM Application Toolkit (STK) to display information on your screen, and to interact with the outside world. To load apps onto the SIM or to update them, hidden text messages are sent by the carrier, containing over-the-air (OTA) programming in binary form. These messages are signed with a cryptographic key, so that the SIM knows that these messages have originated from a trusted source.
Now, German security researcher Karsten Nohl has discovered a way of finding out that all-important cryptographic key. By sending his own OTA SMSes that aren’t signed with the correct key, he discovered that some phones pop up an error message that contains a cryptographic signature. Then, using rainbow tables (a list of plaintext keys/passwords and their encrypted equivalent), Nohl found he could discover the SIM card’s cryptographic key in about one minute. Once he had this key, he could send apps and viruses to the SIM card that can send premium text messages (racking up huge bills), re-route or record calls, collect location data - you name it, with access to the SIM, you can do just about anything.
Nohl also found a separate bug in Java Card, essentially an out-of-bounds error (asking for the sixth item in a list when the list only contains five items), that can give an app/virus full root access to your SIM card - effectively breaking out of the encapsulation/sandboxing provided by the Java Card VM. With root access, these malicious apps could then obtain any data stored on your SIM, including your address book, or sensitive banking details stored by mobile payment apps. This is an issue, as the only reason that mobile payment apps are being rolled out in the first place is because the SIM card has long been considered a safe haven - but, as luck would have it (really, it’s quite unsurprising), there’s a massive security hole just waiting to be exploited.
According to Nohl, he estimates that out of 100 mobile phones, he could gain root access to the SIM card on 13 of them. SIM cards that use newer, stronger encryption (Triple DES), don’t appear to be susceptible to these attack vectors, but Nohl says he’ll give more information at his Black Hat talk at the end of July. Verizon and AT&T say they are not vulnerable to the vulnerabilities exposed by Nohl. In essence, mitigation of this attack comes down to the encryption standard used by your SIM card - so if you use a SIM that’s more than a few years old, you should probably get a new one (most carriers will provide a new SIM if you ask nicely). Some carriers, though, simply won’t have upgraded to Triple DES yet - and, as you can imagine, carriers won’t publicly admit that they’re using out-of-date security methods.
Even with the updated cryptographic standard, though, it’s clear that Java Card itself is flawed - and patching it, and distributing those patches, will take a lot more effort than rolling out Triple DES. Even if the holes can be easily fixed, the simple matter of the fact is that computers are intrinsically insecure - and now that a proof of concept with the potential for massive monetary gain has been demonstrated, it’s only a matter of time until more vulnerabilities are found.
(Image credit)
Thanks for sharing information.
ReplyDeleterecharge offers
videocontelecom offers new Customers the proposition will be available on Plan voucher (PV) priced at Rs 76, offering All Local Calls at 25P/min only for 6 months including Rs 63 Talk time; 1050 MB data for 3 month and 100 SMS free/day, with first 2 SMS of the day chargeable at rack rate only in Haryana.
Machine Learning Projects for Final Year machine learning projects for final year
DeleteDeep Learning Projects assist final year students with improving your applied Deep Learning skills rapidly while allowing you to investigate an intriguing point. Furthermore, you can include Deep Learning projects for final year into your portfolio, making it simpler to get a vocation, discover cool profession openings, and Deep Learning Projects for Final Year even arrange a more significant compensation.
Python Training in Chennai Project Centers in Chennai
Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a Java developer learn from Java Training in Chennai. or learn thru Java Online Training India . Nowadays Java has tons of job opportunities on various vertical industry.
ReplyDeleteMight want to compliment the author for composing this perfect article
ReplyDeletebest cell phone lookup review
Love to read it,Waiting For More new Update and I Already Read your Recent Post its Great Thanks. best phone under 9000 with good camera
ReplyDeleteThis is my first time i visit here and I found so many interesting stuff in your blog especially it's discussion, thank you. the sims mobile hack ios
ReplyDeleteThere is so many in this column that I could by no means experience perception of on my acknowledge. Your textual content offers lecturers gadgets to imagine about in an amazing street. Acknowledge you to your open information.
ReplyDeletePhone price in bd 2020
I feel like I’m often looking for interesting things to read about a variety of niches, but I manage to include your blog among my reads every day because you have compelling entries that I look forward to. Here’s hoping there’s a lot more amazing material coming! ipad sketch
ReplyDeleteNice site. On your blogs very interest and i will tell a friends. ipad template
ReplyDeleteYou ought to basically fantastic not to mention solid advice, which means notice: outdoor surveillance camera system
ReplyDeletehello i discovered your post and thought it was very informational likewise i suggest this site about repairing lap tops Click Here device mockups
ReplyDeleteSome really superb info , Sword lily I found this. android phone template
ReplyDeleteFirst, let’s kill off a genuine fabrication: You can not use a reverse cellular phone number lookup for totally free anywhere, anytime. phone mockup
ReplyDeleteoh that is great what about latest Mobile Phone Prices
ReplyDeleteThis way, it functions almost like a cell phone; as a matter of fact, many cell phones make use of SIM cards for the said purpose. the sims mobile hack ios 2020
ReplyDeleteYou’ve really written a very good quality article here. Thank you very much iphone screenshot mockup
ReplyDeleteI totally understand what you have explained. Actually, I browsed throughout your several other content articles and I do believe you are absolutely correct. Congrats with this particular blog. app store mock up
ReplyDeleteThank you for making the honest attempt to discuss this. I feel very strong about it and would like to learn more. If it’s OK, as you gain extra in depth knowledge, might you mind adding more articles very similar to this one with more information? It would be extraordinarily useful and useful for me and my friends. imac mockup free
ReplyDeleteYou actually make it look so easy with your performance but I find this matter to be actually something which I think I would never comprehend. It seems too complicated and extremely broad for me. I'm looking forward for your next post, I’ll try to get the hang of it! Best metaphysical store
ReplyDeleteKeep up the fantastic piece of work, I read few blog posts on this web site and I believe that your site is real interesting and has lots of great information. apple watch mockup free
ReplyDeleteThe when I just read a blog, I’m hoping that this doesnt disappoint me approximately this one. Get real, Yes, it was my method to read, but When i thought youd have something interesting to state. All I hear is a number of whining about something that you could fix should you werent too busy trying to find attention. apple watch template
ReplyDeleteYou have noted very useful details! PS. nice web site. “Disbelief in magic can force a poor soul into believing in government and business.” by Tom Robbins.. apple watch psd
ReplyDeleteNice to be visiting your blog once more, it continues to be months for me. Nicely this post that i’ve been waited for so lengthy. I want this article to total my assignment in the university, and it has same topic together with your post. Thanks, terrific share. Mobile Phone Price in Bangladesh
ReplyDeleteGood article , I am going to spend more time learning about this topic top app development companies
ReplyDeleteGreat! It sounds good. Thanks for sharing.. Find trusted hackers for hire online
ReplyDeleteKeep all the articles coming. I love reading through your things. Cheers. top web development companies
ReplyDeleteYay google is my king assisted me to find this outstanding site! . web development firms
ReplyDeleteHowdy! Do you know if they make any plugins to safeguard against hackers? I’m kinda paranoid about losing everything I’ve worked hard on. Any suggestions? web development services company
ReplyDeleteHello! Good stuff, please keep us posted when you post again something like that! best logo design company
ReplyDeleteLooks like the writer has put a lot of hard work into this.
ReplyDeletespy phone app
Nice post. I was checking constantly this blog and I am impressed! Extremely helpful information specially the last part I care for such info a lot. I was seeking this particular information for a very long time. Thank you and good luck. instagram likes app download apk
ReplyDeleteThe secrets of why News and why it means a lot. branding san francisco
ReplyDeleteIt laborious to seek out knowledgeable folks on this matter, but you sound like you already know what you are talking about! Thanks ipad device template
ReplyDeleteYou are therefore cool! My partner and i do not assume I have learn anything like this prior to. So excellent to discover somebody with a few original thoughts on this subject matter. realy many thanks for beginning this up. this web site is something that’s needed on the web, someone using a bit of inspiration. beneficial project for delivering something a new comer to the internet! website design company san francisco
ReplyDeleteIf it's not too much trouble share more like that. How to recover my bitcoin passphrase
ReplyDeleteThank you for your site post. Velupe and I happen to be saving for just a new book on this subject and your article has made us all to save money. Your opinions really responded all our issues. In fact, above what we had thought of ahead of the time we came across your great blog. I no longer nurture doubts including a troubled mind because you totally attended to each of our needs here. Thanks iphone photoshop
ReplyDeleteOutstanding brief which post helped me alot. Give you thanks I looking for your details?–. iphone device template
ReplyDeleteThe next thing to check from a used smartphone is the screen surface and the sensitivity of its User Interface. small smartphone
ReplyDeleteExcellent article. Very interesting to read. I really love to read such a nice article. Thanks! keep rocking. russian stealth sim
ReplyDeleteTherefore dissertation web-sites as a result of online to set-up safe and sound ostensibly taped in the website. russian sim panel
ReplyDeleteIt’s best to take part in a contest for one of the best blogs on the web. I will recommend this website! genuine hackers for hire online
ReplyDeleteNotwithstanding, you should realize that since you approach a photograph shop instructional exercise doesn't make you a specialist. A colossal piece of learning relies upon your gathering of the instructional exercise. Here are a few things that you ought to do so as to take advantage of a photograph shop instructional exercise: Professional graphic design
ReplyDeleteThis Article content is Really Unique and amazing. This article Really helpful and Explained very well.So i am Really Thankful to you for Sharing Keep it upMobile Phone Prices in Bangladesh
ReplyDeleteThat's the reason center on it's essential to precise ground moves well before writing. Might be attainable so that you can extra advisable text that way. LESCO Online Bill
ReplyDeleteThere are many sites on the internet that offers downloadable movies, some are even offering the latest movies:: فناوری اطلاعات
ReplyDeletepurpose, an inactive phone conveys a message on the entrance channel with the goal that the buy iphone 12
ReplyDeleteMarket projections for mobile health sensors will grow to $5.6 billion within the next 4 years - a 69% increase over the next few years. digital scales app
ReplyDeleteMagnificent merchandise via anyone, gentleman. I have recognize your current goods ahead of along with you are only extremely magnificent. My spouse and i actually similar to precisely what you have bought below, certainly similar to precisely what you are saying along with just how anyone declare the idea. Anyone help it become enjoyable so you even now care for to hold the idea smart. My spouse and i cant delay you just read much more via anyone. This can be really a new tremendous website. https://tipandroid.com/
ReplyDeleteDo you know what social engineering is? Social engineering is the act of manipulating people into doing actions or exposing confidential information. It's trickery or deception to gather information, fraud, or computer system access where in the hacker never comes face-to-face with the victim. Here are some of the social engineering techniques. how to hire a hacker
ReplyDeleteThanks for all your work you've done. We will support you onDigital Marketing Guest Post
ReplyDeleteHi, Neat post. There's a problem together with your site in web explorer, would check this?
ReplyDeleteIE still is the market chief and a good part of other people will miss your excellent writing
due to this problem.
Look at my page :: 강남안마
(mm)
Over all this gets us a score singapore Citizenship Application
ReplyDeleteGenerally these comprise of ear pieces with work in amplifiers that interface by means of Bluetooth (carefully) to your telephone. cell phone case suppliers
ReplyDeleteThank you for all your work! PSL 2020 Schedule
ReplyDeleteHI !!!!Travel Tips in PakistanThis looks like thoroughly perfect. Every one of these bit of material happen to be fabricated in conjunction, with loads of past material.Quad Biking Dubai I prefer the fact that considerably.Dubai Half-Day City Tour Packages...
ReplyDeleteWith all of the new trends in mobile applications, the spread of mobile payments and Internet-based services such as Google Pay, Apple Pay, you can pay by more such payment apps like PayPal, Bhim UPI, PhonePe, Paytm, Amazon Pay and Mobikwik. originally us mobile app developer
ReplyDeleteThanks you for sharing good information.Post Guerilla
ReplyDeleteThanks for sharing the information. Kindly click on the link given below to know the latest information.
ReplyDeleteClick Here
Click Here