Rooting SIM Cards
SmartAboutThings writes "Smartphones are susceptible to malware and carriers have enabled NSA snooping, but the prevailing wisdom has it there's still one part of your mobile phone that remains safe and un-hackable: your SIM card. Yet after three years of research, German cryptographer Karsten Nohl claims to have finally found encryption and software flaws that could affect millions of SIM cards, and open up another route on mobile phones for surveillance and fraud."
"Rooting" has an entirely different meaning in New Zealand and Australia.
zomg free bonded 4G pipes everywhere for the next few months.
Mind blown...AT&T SIM cards are not vulnerable to this threat. At least that is one less thing I need to worry about.
yeah, someone should tell Verizon and Sprint about the issue with SIM Cards
Ha ha. I will be here all week :).
Yes, there actually is a JavaVM autonomously running inside the SIM card. Yes, the provider can install programs on the SIM card that interface with the phone through a standardized API. Yes, this hack enables the attacker to do the same. Yes, the JavaVMs are not secure and breaking out of the sandbox enables the attacker to read the master key which identifies the SIM. Yes, that means the attacker can run a software simulation of a SIM card with your secret SIM key and impersonate you vis-a-vis the network. Yes, all that is possible because some providers still deploy SIM cards that accept binary SMS which are signed with DES. Not 3DES, not AES, which are both in the standard as well, but 56 bit DE fucking S.
You're deriding Karsten Nohl of "Mifare Classic" and "we cracked GSM crypto" fame (and lots more, but these are the big ones that you probably heard about, and now this). I'm not usually a fan of appeal to authority, but seriously, have some respect. Not a serious researcher. What have you done lately?
Who cares? The providers have the encryption keys anyway, whether they are single DES or AES. So the government can get access too if they want them and do all kinds of nasty tricks. Who else will use it? Some hacker who wants to call expensive paylines using your SIM card doesn't buy $100,000 worth of equipment to pull it off only to gain $1000.
I think we're good
Actually skipped TFA in favour of the talk description. Really now, does the /. readership need forbes to explain this sort of thing to them?
The owners of Slashdot do keep feeding you crap about things being NSA proof, and please don't give me guff about that opinion being that of the author of the article. The articles promoted here are chosen for a (far from innocent) reason.
All standards vulnerable to US influence are compromised. Other nations don't care, because they spy on their citizens too. Indeed, frequently the NSA indirectly pays for much of the spying done by China and Russia.
Look, for you sheeple, this is how it goes. A few years back, the BBC had interviews with old codgers that once worked in Australia operating the giant, supposedly civilian, astronomical monitoring facilities. The point of the interview was to allow these old scumbags to boast about the fact that they all worked secretly under the "official secrets act", and frequently lied to astronomic publications about the nature of the objects they saw in space. If amateur astronomers noticed US missile tests, for instance, this group of scumbags would issue a press release STATING that the amateur spotter was an idiot, and they had confirmed it was just a shooting star or the like.
HERE'S MY POINT. The Russian government knew the truth. So did other foreign powers. The LIE wasn't aimed at them. It was aimed at YOU, the sheeple. And the Russian authorities NEVER use their knowledge to tell the sheeple of the West the truth. These authorities actually conspire with each other to keep each other's secrets from the population of the nation doing the secret work.
The civilian facilities that monitor earthquakes operate under the same government control. Why? Because when a massive earthquake hits that has been caused by military engineering projects deep underground constructing this generation of nuclear survival shelters for the people that 'matter', the earthquake monitoring teams will lie, and state the earthquake was natural with an epicentre too deep to be man-made. No-one ever considers that telling the truth to the sheeple is a good idea. You tell the sheeple that which manipulates them in the most useful way possible.
Sheeple are the ultimate disposable asset. YOU are the ultimate disposable asset. The only thing preventing this fate is that local 'masters' need their sheeple in order to stand up to other local 'masters'. The 'one world' government some of you idiots dream about would end this situation, allowing the mass culling of surplus sheeple (as proposed by Bill Gates and his ilk) to begin in earnest. Gates and others have demanded that the elites should operate as one, and then reduce the number of sheeple to the smallest level sufficient to serve them properly.
PS NSA backdoors in SIM cards is of the smallest concern compared to threats like Google Glass, the Xbox One, and Gates' ultimate pedophile tool, his inBloom (that name is a pedophile pun) children database system.
Note that Sprint/Verizon 2G/3G CDMA phones do NOT have SIMs in them. Also, 4G phones have a new-style (U)SIM which should not be using DES.
Damn we have been busted.
Now listen there, don't befuddle this discussion with sound logic...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Why don't you do it big shit? You act like you know something. It seems that you don't.
how much longer until I can install Debian on my SIM card?
It would be useful for Identity theft. A lot of services use a text message or call to reset passwords.... I can think of 5 other things but I'll keep them to myself as I wouldn't want to add anything to the discussion...
...was obviously not written by an Aussie... :-)
If you've watched the GSM/GPRS stuff that this guy and others have done you would know that it takes under $1,000 worth of equipment to emulate a cell tower. As soon as you do that, sending the binary SMS is easy. This enables a literal drive-by attack. Furthermore, my guess is that cell providers which are using vulnerable SIM cards are also running vulnerable networks. The second link talks about some networks allowing anyone who knows how to send binary SMS.
My question is how easy is it to configure a rooted Android phone to block and warn me about these binary text messages.
So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
Sure the NSA has the *AMERICAN & UK* telco keys and can listen in, but it doesn't have *other countries'* keys. It lets them into more networks in foreign countries to spy on more people.
So they record half a billion phone calls from Germany, but that's a tiny fraction of the German calls. This would let them tap a few more. Government leaders, industry etc.
The whole idea of having an update feature in a SIM seems foolish to me. Do they have the same thing in credit cards that have a chip?
So a very small percentage of all SIM cards then.
Troll is not a replacement for I disagree.
I clicked the link expecting to find something interesting and novel, perhaps something on par with Kocher's Differential Power Analysis attack, or better. But this guy spent three years to discover that there are a small number of ancient SIMs, not yet removed from service, which use 1DES for securing applet loading? Actually, I'm sure he did no such thing. Typical bad reporting, exacerbated by bad slashdot editing.
It looks to me like his talk is really about countermeasures to mitigate the risk for these ancient SIMs, on the assumption that they can't be replaced immediately. That's worthy of research and a talk, though it's hardly front-page material.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
These bugs have been well known for over 5 years. I've been demonstrating to mobile network operators myself since 2008 how it is possible to send OTA network level SMS ME to ME without any notification to the user - these messages are by Phase 2 protocol directly passed to the SIM card. I could also remotely install an STK app on the SIM card and pop up a message from the SIM. Trivial bugs well known among mobile network operators, it's just that not many people have spoken about this publicly. Most operators anyway already disabled ME to ME network level SMS on their STPs (with message screening), so this attack is not possible on most networks.
The SMS that most people know are sent to the Mobile Equipment (ME) and appear in the inbox of the phone. Another kind of SMS can be sent to the SIM directly. Only the Mobile Operator should be able to send an SMS to the SIM (PID 0x7F, Network -> SIM). In practice it is possible on many networks to send an SMS from any mobile phone via the network to the SIM in another mobile phone (SIM -> SIM) without this SMS being firewalled by the network.
In networks where such SMS are correctly firewalled an SMS directly to the SIM can be sent via direct access to an SMSC. There are many SMSC providers on the internet that offer raw access to the SMSC gateway via which SMS to the SIM can be sent, but most SMSC servers are not configured to forward correct APDU packets. [http://wiki.thc.org/gsm/simtoolkit].
I know pen-testers who demonstrated exploitation of this in a black-box scenario, with an app successfully installed on STK, remotely via mobile to mobile SMS.
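The classification step a phone-side filter (the kind asked about for a rooted Android earlier in the thread) would need for the SIM-directed SMS described above, as an added example that is not part of any comment here. It parses an SMS-DELIVER TPDU and flags the three markers the standards use for SIM delivery: TP-PID 0x7F from the comment above, plus DCS message class 2 and the UDH command-packet identifier 0x70 (both from 3GPP TS 23.038/23.048, assumed here); the two PDUs are constructed and the second one's payload is filler, not a real OTA packet.

```python
"""Flag SMS-DELIVER TPDUs that are addressed to the SIM rather than the phone inbox."""

PID_SIM_DATA_DOWNLOAD = 0x7F   # TP-PID "(U)SIM Data Download" (3GPP TS 23.040)
IEI_COMMAND_PACKET = 0x70      # UDH IEI for an OTA command packet (3GPP TS 23.048)

def _decode_semi_octets(raw: bytes, ndigits: int) -> str:
    """Decode a BCD address field; the trailing 0xF filler nibble is dropped."""
    nibbles = []
    for b in raw:
        nibbles.extend((b & 0x0F, b >> 4))
    return "".join(str(n) for n in nibbles[:ndigits])

def _is_class2(dcs: int) -> bool:
    """Message class 2 = "(U)SIM specific message" (3GPP TS 23.038)."""
    if dcs >> 4 <= 0x3:                      # general data coding group
        return bool(dcs & 0x10) and (dcs & 0x03) == 0x02
    if dcs >> 4 == 0xF:                      # data coding / message class group
        return (dcs & 0x03) == 0x02
    return False

def classify_sms_deliver(tpdu: bytes) -> dict:
    """Return sender, PID/DCS and the reasons (if any) the message is SIM-directed."""
    first = tpdu[0]
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(first & 0x40)                # bit 6: user-data header present
    oa_digits = tpdu[1]
    oa_len = (oa_digits + 1) // 2            # digits are packed two per byte
    sender = _decode_semi_octets(tpdu[3:3 + oa_len], oa_digits)
    pos = 3 + oa_len
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    ud = tpdu[pos + 10:]                     # skip 7-byte SCTS and 1-byte UDL
    reasons = []
    if pid == PID_SIM_DATA_DOWNLOAD:
        reasons.append("TP-PID 0x7F (SIM data download)")
    if _is_class2(dcs):
        reasons.append("DCS message class 2 (SIM specific)")
    if udhi and ud:                          # walk the UDH information elements
        i, end = 1, 1 + ud[0]
        while i + 1 < end:
            iei, iel = ud[i], ud[i + 1]
            if iei == IEI_COMMAND_PACKET:
                reasons.append("UDH IEI 0x70 (OTA command packet)")
            i += 2 + iel
    return {"sender": sender, "pid": pid, "dcs": dcs,
            "sim_directed": bool(reasons), "reasons": reasons}

# Constructed PDUs: an ordinary 7-bit text "Hi", and a SIM-directed one with
# PID 0x7F, DCS 0xF6 and a UDH command-packet IE followed by filler bytes.
TEXT_SMS = bytes.fromhex("0405912143f5000031703251000080" "02c834")
SIM_SMS = bytes.fromhex("44059121 43f57ff631703251000080" "07027000" "00000000")
```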
Not sure why this is news. Weakly secured SIM cards have been in use since day 1. Security around these things has always been pretty slack.
The company I worked for back in mid 2000 discovered how easy it was to clone SIMs when developing their dual SIM switching product. It was a SIM Toolkit based SIM emulator that sat in front of one or more SIMs. During testing it became apparent that several carriers didn't even perform basic authentication checks, so it was possible to move the SIM to another phone and make calls/send text, while the emulator used cached auth data. Inbound calls and text went to the phone last registered to the HLR.
Since then we've had the situation where you could brute force Ki 50K samples and now this. Credit to the fact that you can remote clone a SIM.
If this ever becomes a wider issue, it would be trivial for the Carrier to block Binary SMS, which many do already as, with the advent of smartphones, the SIM as an application platform is effectively dead.
The one unhackable part of your phone is the one that, if hacked, would enable you to defraud the phone company. Shows where the security priorities are, eh?
he found his arsehole with just one hand
The new right fascists are bilingual. They speak English and Bullshit.
Please for pete sake mod this UP
Whoever wrote this - the summary or the original article - has a severe attack of journalistic diarrhoea. They can't distinguish between "unhacked" and "unhackable".
"Unhacked" means that no successful exploit has been reported; "unhackable" means that an attack is impossible. I heard of an "unhackable" computing device once - it was kept switched off, sealed in a block of concrete which had been thrown over the side of a ship in the middle of the Pacific. It didn't respond to "ping" in any protocol. Its usefulness was limited.
So, now an exploit is reported against SIM cards. Not a surprise; I'll have to go and RTFM, to determine if I need to turn my phone off (since it has never known any banking details or similar secrets, it's not a terribly useful platform to hack into).
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"