Tuesday, July 23, 2013 by Andrew Conway
Security researcher Karsten Nohl of Security Research Labs in Germany recently announced a vulnerability in older SIM cards. It allows an attacker to take control of the SIM in your phone, and from there to listen in on your calls or send SMS messages to premium rate numbers. The attack starts with an invalid binary (over-the-air, OTA) SMS command sent to the phone. In about a quarter of cases the SIM card responds with an error message carrying a cryptographic signature made with the card's DES key. Because the attacker already knows what that error message says, the signature gives them something to test candidate keys against offline until the card's key is found.
DES (the Data Encryption Standard) is a block cipher dating back to the 1970s. It is not used in recent SIM cards, but there are still many older cards in use that rely on it. DES uses 56-bit keys, small enough for the inexpensive chips of the 1970s and 1980s to handle. However, the shorter the key, the smaller the number of keys an attacker has to try: a 56-bit key has only 2^56 possible values, and exhaustive search has been getting cheaper every year. In 1987, a computer that could break a DES key in a day would have cost $20,000,000. The chances are that the NSA had one then, but they are not saying! By 1993, that hypothetical cost was $1,000,000. In 1998, the EFF actually built a computer to do this for $250,000. By 2006, the cost was $10,000, and today you can recover a key in a few minutes with off-the-shelf hardware.
Once the attacker has the DES key of the SIM card, they can send binary SMS messages to it that the card accepts as genuine. These can install Java applets which could read and send SMS messages, listen in on your phone calls, and so on. Normally, applets on the SIM are supposed to be sandboxed, that is, they only have access to their own resources and not to any other applet's. However, a separate bug in the version of Java running on some SIM cards allows an applet to break out of the sandbox and read anything else on the card. With that access the attacker can copy the SIM card's secrets and clone it into a different device. Anything done with the clone, including sending spam or premium rate SMS messages, will be billed to your account.
Nohl has said he expects it will take six months or more for criminals to learn how to take advantage of this attack. In Cloudmark’s experience, exploits such as this are taken up in weeks rather than months. We suspect that a number of successful spammers have already booked their tickets to Las Vegas later this month to hear Nohl discussing this exploit at the Black Hat Conference.
As it happens, Cloudmark was ahead of the curve on this one. Though we did not identify this particular attack, we did present a white paper to the GSMA (the mobile carriers' association) earlier this year identifying binary SMS messages as a threat vector, and recommending one of the solutions that Nohl mentions in his blog post: whitelisting the genuine sources of binary SMS messages, such as the carrier's own OTA platform, and blocking all other sources. Enforced in the carrier's network, that stops both the malformed probe that triggers the signed error message and any later forged commands from reaching your phone at all. The Cloudmark Security Platform for Mobile Messaging already has this capability built in.
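To make the whitelisting recommendation concrete, here is an added example of how such a policy can be applied at the SMS layer. It is illustrative code written for this post, not Cloudmark product code and not anything from Nohl's research. It parses an SMS-DELIVER TPDU far enough to read the sender, TP-PID, TP-DCS and any application-port header, classifies the message as binary or not, and allows binary messages only from a whitelist. The short codes in the whitelist, the PDU builder, the sample payload bytes and the sample messages are all constructed for the demo; the only real values are the field encodings from GSM 03.40 (3GPP TS 23.040), such as TP-PID 0x7F for SIM data download and the 8-bit data bits of TP-DCS.

```python
"""Illustrative binary-SMS whitelist filter (example code for this post).

Assumptions: OTA_WHITELIST holds hypothetical carrier OTA short codes; the
TPDU builder, sample payload and sample messages are constructed for the demo.
Only header fields are decoded, so 7-bit text packing is not implemented.
"""
from dataclasses import dataclass
from typing import Optional

OTA_WHITELIST = {"50007", "50008"}   # hypothetical short codes of the carrier's OTA platform
PID_SIM_DATA_DOWNLOAD = 0x7F         # TP-PID "(U)SIM data download" (3GPP TS 23.040)


def _encode_address(digits: str) -> bytes:
    """TP-OA: digit count, type-of-address 0x81, then nibble-swapped BCD digits."""
    n = len(digits)
    padded = digits + ("F" if n % 2 else "")
    swapped = "".join(padded[i + 1] + padded[i] for i in range(0, len(padded), 2))
    return bytes([n, 0x81]) + bytes.fromhex(swapped)


def _decode_address(buf: bytes, pos: int):
    n = buf[pos]
    nbytes = (n + 1) // 2
    raw = buf[pos + 2:pos + 2 + nbytes].hex().upper()
    digits = "".join(raw[i + 1] + raw[i] for i in range(0, len(raw), 2))[:n]
    return digits, pos + 2 + nbytes


def build_deliver_tpdu(sender: str, pid: int, dcs: int, user_data: bytes, udh: bytes = b"") -> bytes:
    """Constructed SMS-DELIVER TPDU: first octet, TP-OA, TP-PID, TP-DCS, TP-SCTS, TP-UDL, TP-UD."""
    first_octet = 0x04 | (0x40 if udh else 0)          # SMS-DELIVER; TP-UDHI set when a header is present
    scts = bytes.fromhex("31703271000000")              # placeholder service-centre timestamp
    ud = (bytes([len(udh)]) + udh if udh else b"") + user_data
    return bytes([first_octet]) + _encode_address(sender) + bytes([pid, dcs]) + scts + bytes([len(ud)]) + ud


@dataclass
class Deliver:
    sender: str
    pid: int
    dcs: int
    dest_port: Optional[int]
    payload: bytes


def parse_deliver_tpdu(buf: bytes) -> Deliver:
    first = buf[0]
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER")
    sender, pos = _decode_address(buf, 1)
    pid, dcs = buf[pos], buf[pos + 1]
    pos += 2 + 7                                        # skip TP-PID, TP-DCS and the 7-octet TP-SCTS
    ud = buf[pos + 1:]                                  # skip TP-UDL
    dest_port = None
    if first & 0x40:                                    # TP-UDHI: a user data header precedes the payload
        udhl = ud[0]
        hdr, ud = ud[1:1 + udhl], ud[1 + udhl:]
        i = 0
        while i + 2 <= len(hdr):
            iei, iel = hdr[i], hdr[i + 1]
            data = hdr[i + 2:i + 2 + iel]
            if iei == 0x05 and iel == 4:                # application port addressing, 16-bit ports
                dest_port = int.from_bytes(data[:2], "big")
            elif iei == 0x04 and iel == 2:              # application port addressing, 8-bit ports
                dest_port = data[0]
            i += 2 + iel
    return Deliver(sender, pid, dcs, dest_port, ud)


def is_binary(msg: Deliver) -> bool:
    """Binary for this filter: aimed at the SIM, 8-bit data per TP-DCS, or port-addressed via UDH."""
    if msg.pid == PID_SIM_DATA_DOWNLOAD:
        return True
    if (msg.dcs >> 6) in (0b00, 0b01) and (msg.dcs & 0x0C) == 0x04:   # general coding groups, 8-bit data
        return True
    if (msg.dcs >> 4) == 0xF and (msg.dcs & 0x04):                   # message-class group, 8-bit data
        return True
    return msg.dest_port is not None


def policy(tpdu: bytes) -> str:
    """Allow text freely; allow binary messages only from whitelisted senders."""
    msg = parse_deliver_tpdu(tpdu)
    if not is_binary(msg):
        return "allow"
    return "allow" if msg.sender in OTA_WHITELIST else "block"


# Constructed samples. PAYLOAD is placeholder bytes standing in for a secured command packet.
PAYLOAD = bytes(range(8))
OTA_FROM_CARRIER = build_deliver_tpdu("50007", PID_SIM_DATA_DOWNLOAD, 0xF6, PAYLOAD)
OTA_FROM_STRANGER = build_deliver_tpdu("15552223333", PID_SIM_DATA_DOWNLOAD, 0xF6, PAYLOAD)
PORT_PUSH = build_deliver_tpdu("15552223333", 0x00, 0x04, PAYLOAD,
                               udh=bytes([0x05, 0x04, 0x0B, 0x84, 0x23, 0xF0]))  # dest port 2948
PLAIN_TEXT = build_deliver_tpdu("15552223333", 0x00, 0x00, b"hello")

if __name__ == "__main__":
    for name, pdu in [("carrier OTA", OTA_FROM_CARRIER), ("stranger OTA", OTA_FROM_STRANGER),
                      ("port push", PORT_PUSH), ("plain text", PLAIN_TEXT)]:
        print(f"{name:13s} -> {policy(pdu)}")
```

The decision is made on header fields only, which is the point: the filter never needs to understand the secured OTA packet or hold any of the card's keys, and it blocks the malformed probe from an unknown sender just as readily as a fully forged command.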