Millions of SIM cards are running encryption that is easily crackable, leaving many devices exposed to mobile malware, researchers have warned.
Software updates and other over-the-air updates are often sent encrypted using a 1970s cipher known as the Data Encryption Standard (DES), which has been proven to be weak and dated, said German firm Security Research Labs.
All would-be hackers have to do is send a binary SMS to a device, which, in many cases, will respond with an error code carrying a cryptographic signature. Take a rainbow table to that signature, and a 56-bit DES key can be acquired.
To get malware on the device, an official-looking update can be sent to the device, asking the target to download a Java applet. That applet could let the attacker send text messages, change voicemail numbers or query phone location – all good things for a snoop.
Whilst the Java virtual machine on many SIM cards should prevent Java applets from getting wide access to the phone, two major SIM card vendors have insecure JVM implementations.
“A Java applet can break out of its realm and access the rest of the card. This allows for remote cloning of possibly millions of SIM cards including their mobile identity (IMSI, Ki) as well as payment credentials stored on the card,” the security company wrote.
It’s the potential compromise of payment information that will concern many, as many moved payment information to SIMs because of their supposed security protections. This particular threat will have larger ramifications in markets with strong mobile payment industries, such as Africa.
Karsten Nohl, chief scientist at Security Research Labs, is due to present his findings at Blackhat later this month.
The UN’s International Telecommunications Union has been so concerned by the research it has decided to send out an alert to telecoms regulators and government agencies across 200 countries about the vulnerability, according to Reuters.
It is estimated as many as 750 million devices could be in danger.
What do you know about Internet security? Find out with our quiz!
With China tariff set at 145 percent, Amazon CEO admits third party sellers may pass…
Hundreds of staff within the Android, Chrome and Pixel teams at Alphabet's Google are reportedly…
After weeks of tariff chaos, China hits back at Donald Trump and raises tariffs on…
Executive at Chinese owned Swedish EV maker Polestar admits targetting fed up Tesla owners with…
Escalation of feud between Sam Altman and Elon Musk, after OpenAI confirms it is now…
Report from International Energy Agency (IEA) warns AI is set to drive surging electricity demand…