The United Nations has issued a warning to all 750 million smartphone users around the world to be wary of the removable SIM card in their smartphones. A German research firm has discovered a flaw in the old encryption technology used to make the device operational, one serious enough to leave it open to attack by hackers.
UN Issues Warning as Smartphone SIM Cards Can Now Be Hacked, About 750 Million Global Users At Risk
Karsten Nohl, a German researcher and founder of Berlin's Security Research Labs, has found a way to obtain a SIM's 56-bit Data Encryption Standard (DES) digital key, which then enabled him to covertly send and install a virus through a secret text message.
More troubling still, the fake carrier message prompts an automated response from 25 per cent of DES-based SIMs, revealing the card's 56-bit security key.
Mr Nohl said it took him only two minutes to perform and complete the hack. The consequences of the flaw, in the wrong hands, could be massive.
"These findings show us where we could be heading in terms of cybersecurity risks," Hamadoun Touré, secretary general of the UN's Geneva-based International Telecommunication Union, said.
The GSMA, which represents nearly 800 mobile operators worldwide, said it had also reviewed the research.
"We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted," Claire Cranton, GSMA spokeswoman, said.
Once a SIM card is compromised, the attacker has wide latitude over the device and its owner. Apart from snooping on texts, the attacker can listen in on calls, use the card for fraud and tamper with it to send messages to premium message services.
"We can remotely install software on a handset that operates completely independently from your phone," the New York Times quoted the German researcher as saying.
"We can spy on you. We know your encryption keys for calls. We can read your SMS's. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account."
Although more carriers have migrated to the stronger, triple-DES encryption methods, Mr Nohl said there are over three billion users who still use the DES-based SIM cards.
Using just a regular PC, Mr Nohl sent out fake messages that pretended to be from the mobile carrier and contained a false signature. Most of the smartphones with DES correctly flagged the fake signature and terminated the communication, but a number sent a message back, including its encrypted digital signature.