SIM Card Encryption Weaknesses Could Expose Millions

Millions of SIM cards are running encryption that is easily crackable, leaving many devices exposed to mobile malware, researchers have warned.

Software updates and other over-the-air updates are often sent encrypted using a 1970s cipher known as the Data Encryption Standard (DES), which has been proven to be weak and dated, said German firm Security Research Labs.

All would-be hackers have to do is send a binary SMS to a device, which, in many cases, will respond with an error code carrying a cryptographic signature. Take a rainbow table to that signature, and a 56-bit DES key can be acquired.

spy security mobile - Shutterstock © ostillCracking easy encryption

To get malware on the device, an official-looking update can be sent to the device, asking the target to download a Java applet. That applet could let the attacker send text messages, change voicemail numbers or query phone location – all good things for a snoop.

Whilst the Java virtual machine on many SIM cards should prevent Java applets from getting wide access to the phone, two major SIM card vendors have insecure JVM implementations.

“A Java applet can break out of its realm and access the rest of the card. This allows for remote cloning of possibly millions of SIM cards including their mobile identity (IMSI, Ki) as well as payment credentials stored on the card,” the security company wrote.

It’s the potential compromise of payment information that will concern many, as many moved payment information to SIMs because of their supposed security protections. This particular threat will have larger ramifications in markets with strong mobile payment industries, such as Africa.

Karsten Nohl, chief scientist at Security Research Labs, is due to present his findings at Blackhat later this month.

The UN’s International Telecommunications Union has been so concerned by the research it has decided to send out an alert to telecoms regulators and government agencies across 200 countries about the vulnerability, according to Reuters.

It is estimated as many as 750 million devices could be in danger.

What do you know about Internet security? Find out with our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Amazon Joins Bidders To Acquire TikTok In US

But will Beijing or ByteDance allow sale? Amazon joins potential bidders for TikTok in US,…

14 hours ago

Elon Musk Dismisses Reports Of Imminent Departure From DOGE

Elon Musk dismisses report that Trump told cabinet that he expects Musk to leave his…

15 hours ago

Mark Zuckerberg Lobbies Trump To Avoid Antitrust Trial – Report

Mark Zuckerberg is reportedly lobbying President Donald Trump for a settlement to avoid antitrust trial…

17 hours ago

Bitcoin Slides To $81,000 In Trump Tariff Shock

As global markets reel from Trump's tariffs, the price of Bitcoin slides as investors seek…

18 hours ago

Amazon’s First Project Kuiper Satellites Slated For 9 April Launch

Rival for Starlink and OneWeb. United Launch Alliance slated to send 27 Kuiper satellites into…

20 hours ago

Trump’s Tariffs: Implications For Tech Sector

Semiconductor imports are free of Trump's tariff war, but concerns remain over imports of smartphones…

21 hours ago