SIM Cards Have Finally Been Hacked, And The Flaw Could Affect Millions Of Phones
Smartphones are susceptible to malware and carriers have enabled NSA snooping, but the prevailing wisdom has it there’s still one part of your mobile phone that remains safe and un-hackable: your SIM card.
There’s no obvious pattern to the flaw beyond the premise of an older encryption standard. “Different shipments of SIM cards either have [the bug] or not,” says Nohl, who is chief scientist at risk management firm Security Research Labs. “It’s very random.”
Nohl, who was profiled by Forbes’ Andy Greenberg in 2011 for his work on breaking mobile encryption standards, believes it unlikely that cyber criminals have already found the bug. Now that word of the vulnerability is out, he expects it would take them at least six months to crack it, by which time the wireless industry will have implemented available fixes.
That effort may already be underway. Nohl says at least two large carriers have already tasked their staff with finding a patch for the SIM vulnerability, which they will share with other operators through the wireless trade body GSMA.
“Companies are surprisingly open to the idea of working cooperatively on security topics because the competition is somewhere else,” says Nohl. “The competition is organized crime, not AT&T versus T-Mobile.” (The situation in similarly in finance, where payment services like MasterCard, Visa, and American Express will work together under industry association EMVco to improve security standards for smart cards.)
The market for SIMs is almost entirely fed by mobile carriers, and supplied by two leading global vendors, Gemalto and Oberthur Technologies. Both have profited heavily from the huge growth in mobile handsets: ten years ago there were 1 billion SIM cards worldwide, and today there are more than 5 billion, says ABI Research analyst John Devlin, though the market is slowly reaching a plateau. SIMs are thought to be one of the most secure parts of a phone, he added, and as the carrier’s property, are “key to their relationship between you and I, the subscriber.”
Vodafone would not answer questions about the level of encryption its SIM cards used, and referred all media questions to GSMA. Both Verizon and AT&T said they knew of Nohl’s research, but said their SIM profiles were not vulnerable to the flaw. AT&T added that it had used SIMs with triple Data Encryption Standards (3DES) for almost a decade; Verizon did not specify why its SIMs were not vulnerable.
The London-based GSMA said it had looked at Nohl’s analysis and concurred that “a minority of SIMs produced against older standards could be vulnerable.” It said it had already provided guidance to network operators and SIM vendors who could be impacted by the flaw. “There is no evidence to suggest that today’s more secure SIMs, which are used to support a range of advanced services, will be affected,” a spokesperson added.
Nohl says that while AT&T and Verizon may benefit from robust SIM encryption standards, other carriers will use straight Data Encryption Standards (DES), guidelines developed in the 1970s that are fundamental to why he was able to “get root” on dozens of SIMs cards.
“Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it,” Nohl says.
SIM cards are essentially mini-computers with their own operating system and pre-installed software. To maintain security, many rely on a cryptographic standard called DES (digital encryption standard), which was invented by IBM in the 1970s and improved by the NSA. Some networks, like AT&T and the four major carriers in Germany, have moved away from using the old version of the standard, but others have not. Though Nohl didn’t identify a pattern to vulnerable SIMs in terms of manufacturers, the ones he could hack all used the old encryption standard.
Key to the hack is Java Card, a general purpose programming language used on 6 billion SIM cards. If operators need to update something on your SIM, for instance allowing interoperability with a carrier in another country, it will execute the right Java Card programs on your SIM by sending your mobile a binary SMS. This is a text message you will never see, sent through a method called over-the-air programming (OTA).
In early 2011, Nohl’s team started toying with the OTA protocol and noticed that when they used it to send commands to several SIM cards, some would refuse the command due to an incorrect cryptographic signature, while a few of those would also put a cryptographic signature on this error message.
With that signature and using a well known cryptographic method called rainbow tables, Nohl was able to crack the encryption key on the SIM card in about one minute. Carriers use this key to remotely program a SIM, and it is unique to each card.
“Anybody who learns the key of a particular SIM can load any application on the SIM he wants, including malicious code,” says Jasper Van Woudenberg, CTO North America of smart-card security firm Riscure.
“We had almost given up on the idea of breaking the most widely deployed use of standard cryptography,” says Nohl, but it felt “great” to finally gain control of a SIM after many months of unsuccessful testing.
With the all-important (and till-now elusive) encryption key, Nohl could send a virus to the SIM card, which could then send premium text messages, collect location data, make premium calls or re-route calls. A malicious hacker could eavesdrop on calls, albeit with the SIM owner probably noticing some suspiciously-slow connections.
Nohl found a second bug. Unrelated to the weak encryption key, it allows even deeper hacking on SIMs and is caused, Nohl says, by a mistake on the part of SIM card manufacturers. Java Card uses a concept called sandboxing, in which pre-installed programs like a Visa or PayPal app are shielded from one another and the rest of the SIM card. The term comes from the idea of only allowing programs to “play with their own toys, in their own sandbox,” says Nohl. “This sandboxing mechanism is broken in the most widely-used SIM cards.” The researcher says he found a few instances where the protocols on the SIM card allowed the virus he had sent to a SIM, to check the files of a payment app that was also installed on the card.
The way this works is somewhat complex, but Nohl’s virus essentially gave the infected Java software a command it could not understand or complete – eg. asking for the 12th item in a 10-item list, leading the software to forgo basic security checks and granting the virus full memory access, or “root,” in cyber security parlance.
In sum, a malicious hacker who wanted to use this method might start with a list of 100 phones. They could send a binary SMS to all of them, using a programmable cell phone connected to a computer. They might get 25 responses with cryptographic signatures, and dismiss the half that use a stronger security standard. From the rest, Nohl surmises they could crack the encryption key of perhaps 13 SIM cards, and send them a virus that breaks through the Java Card sandbox barriers and reads payment app details, as well as the master key of the SIM card.
Gemalto which made about half its $2.5 billion revenue in 2012 selling SIM cards, said in an email to Forbes that its SIMs were “consistent with state-of-the-art and applicable security guidelines,” and that it had been working closely with GSMA and other industry bodies to look into Nohl’s research. Gemalto’s CEO Olivier Piou has said publicly that there are no security issues with mobile payments, and his company says on its website that SIM cards are “virtually impossible to crack.”
Despite this, Nohl believes badly-configured Java Card sandboxing “affects every operator who uses cards from two main vendors,” including carriers like AT&T and Verizon who use robust encryption standards. Are SIM cards with these 3DES standards vulnerable? Nohl suggests they might be, and that he’ll expound on the details at Black Hat.
“Carriers and SIM card manufacturers do need to step up their security game for when payments arrive,” says Van Woudenberg. Banks are slow and cautious with new technology as they wait for it be proven secure, he adds, but “the mobile world moves much faster, as time-to-market is for them more important.”
As mobile payments bring these two worlds together, Nohl’s research has shown the process of proving out security on SIMs could be more challenging than the key players originally thought.