SIM Cards Encryption Vulnerability: The Scope of the Problem

On July 31st at the Black Hat conference in Las Vegas, Security Research Lab’s (SRL) Karsten Nohl presented research on the SIM security flaw. Nohl experimentally demonstrated the vulnerability, which

On July 31st at the Black Hat conference in Las Vegas, Security Research Lab’s (SRL) Karsten Nohl presented research on the SIM security flaw. Nohl experimentally demonstrated the vulnerability, which allows for the remote cloning of millions of SIM cards.

What does it mean for users? Until cell phone companies detect two devices with the same identifier in the communication system, this could be considered espionage. In theory, this threatens about 500-750 million owners of SIM cards using DES (Data Encryption Standard), where Nohl discovered the flaw. DES is considered obsolete, which is why only 500-750 million users are at risk and not over six billion.

How big is the threat? Experts are not completely in agreement.

Each SIM card is a microcomputer with all the attributes – CPU, RAM, ROM, a memory chip to support encryption, an operating system and software, including ID keys. There are cards of different standards with different memory capacities and functionalities. There are cards with pre-installed additional applications (applets), such as SIM menus, telebank clients, etc. SIM card software is updated by means of an encrypted SMS, a method known as Over-The-Air Programming (OTA).

Nohl found the security flaw in the DES encryption keys; or rather he managed to crack them with the help of so-called rainbow tables.

“The SIM does not execute the improperly signed OTA command, but does in many cases respond to the attacker with an error code carrying a cryptographic signature, once again sent over binary SMS. A rainbow table resolves this plaintext-signature tuple to a 56-bit DES key within two minutes on a standard computer,” Nohl stated in his description of the hack.

Thus, the cracked DES key enables an attacker to send properly signed binary SMS, which download Java applets onto the SIM. “Applets are allowed to send SMS, change voicemail numbers, and query the phone location, among many other predefined functions. These capabilities alone provide plenty of potential for abuse,” read the statement from SRL. “In principle, the Java virtual machine should assure that each Java applet only accesses the predefined interfaces. The Java sandbox implementations of at least two major SIM card vendors, however, are not secure: a Java applet can break out of its interface and access the rest of the card. This allows for remote cloning of possibly millions of SIM cards including their mobile identity – IMSI [International Mobile Subscriber Identity], Ki [Subscriber Identification Key] – as well as payment credentials stored on the card.”

Therefore, the vulnerability allows the cloning of a SIM card and all information on it. With many users storing payment credentials on SIM cards, the problem is quite severe.

We should not underestimate or overestimate a threat like this. Firstly, this method of hacking is quite complicated; every script is not able to use it. Secondly, DES developed in the 1970s is considered obsolete. Over the past two years, Nohl has tested his method on around 1,000 cards across North America and Europe. DES is used in around three billion mobile SIMs worldwide, of which Nohl estimates 750 million are vulnerable to the attack. Many carriers use SIMs with stronger triple-DES encryption methods, which are not susceptible to Nohl’s method, and DES, in general, has been phased out in favor of AES (Advanced Encryption Standard). So, the estimated number may prove to be even less. The only potentially vulnerable cards are those that simultaneously support OTA, feature Proof of Receipt and have an OTA message encrypted by DES. Moreover, the vulnerable card must support Java and such SIMs are more expensive, so not many operators purchase them.

Nohl disclosed the flaw to the GSM Association three months ago. The GSMA informed SIM manufacturers and other companies involved in the situation and issued guidelines on how to fix the problem and avoid similar difficulties in the future.

The most effective precaution at the moment is substituting a SIM card for a new one. Mobile operators can remotely replace DES for more robust 3DES and disable the feature of installing and running Java applets on SIMs. This may have been done already as Nohl disclosed the flaw to the GSMA some time ago, and the mobile operators have had time to take action. The question is whether or not they took any action.

Nohl recommends installing a SMS firewall on a phone that will hinder receiving SMS from unauthorized sources. This method will not just secure attempts at exploiting the vulnerability, but will also solve several other problems associated with attempts at infecting handsets with malware via SMS.