Slashdot Mirror


Rooting SIM Cards

SmartAboutThings writes "Smartphones are susceptible to malware and carriers have enabled NSA snooping, but the prevailing wisdom has it there's still one part of your mobile phone that remains safe and un-hackable: your SIM card. Yet after three years of research, German cryptographer Karsten Nohl claims to have finally found encryption and software flaws that could affect millions of SIM cards, and open up another route on mobile phones for surveillance and fraud."

36 of 73 comments

  1. Rooting? by agm · · Score: 1, Offtopic

    "Rooting" has an entirely different meaning in New Zealand and Australia.

    1. Re:Rooting? by kcmastrpc · · Score: 1

      what? like the fanny-pack?

    2. Re:Rooting? by mynamestolen · · Score: 4, Funny

      either way, you're rooted

      --
      work in progress
    3. Re:Rooting? by crutchy · · Score: 2, Funny

      if you happen to be talking about android with an aussie and you tell them they should "get rooted" you might end up with a fist sanga

    4. Re:Rooting? by Anonymous Coward · · Score: 1

      Or worse, a vegemite one.

      Yes, I can hear the thunder.

      Land of plenty? I think not!

      The mistake most people make with vegemite is to use too much of the stuff....it's a strong flavour so you should spread it on VERY thin.

      By the way I'd come to the land of the free as a tourist, but I'm afraid of my body being violated by the TSA, or being shot by your overzealous police. I hear your education system is falling apart and some of you that can't spell think tourist == terrorist.

    5. Re:Rooting? by ArchieBunker · · Score: 1

      Yeah don't fucking tell us or anything you tosser.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    6. Re:Rooting? by bkcallahan · · Score: 1

      Or a date :)

  2. Re:subscription identity module by Cardcaptor_RLH85 · · Score: 1

    Doesn't Verizon use SIM cards for their 4G LTE service?

  3. The second link is the important one by Anonymous Coward · · Score: 5, Interesting

    Yes, there actually is a JavaVM autonomously running inside the SIM card. Yes, the provider can install programs on the SIM card that interface with the phone through a standardized API. Yes, this hack enables the attacker to do the same. Yes, the JavaVMs are not secure and breaking out of the sandbox enables the attacker to read the master key which identifies the SIM. Yes, that means the attacker can run a software simulation of a SIM card with your secret SIM key and impersonate you vis-a-vis the network. Yes, all that is possible because some providers still deploy SIM cards that accept binary SMS which are signed with DES. Not 3DES, not AES, which are both in the standard as well, but 56 bit DE fucking S.

    1. Re:The second link is the important one by TuringCheck · · Score: 5, Interesting

      Pretty much none of the major providers issue ancient SIMs with DES OTA signing. For the old cards never replaced they may just deactivate them in HLR and wait for subscribers to complain to support.
      On the other hand cheap Chinese SIMs are still issued in some countries. The only relief is that some of them don't support OTA at all...

    2. Re:The second link is the important one by TechyImmigrant · · Score: 1

      So a crunchy exterior with a soft squishy middle.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  4. Re:I'll tell you what helps too by johanw · · Score: 4, Insightful

    Who cares? The providers have the encryption keys anyway, whether they are single DES or AES. So the government can get access too if they want them and do all kinds of nasty tricks. Who else will use it? Some hacker who wants to call expensive paylines using your SIM card doesn't buy $100,000 worth of equipment to pull it off only to gain $1000.

  5. If it took a cryptographer three years by Anonymous Coward · · Score: 1

    I think we're good

  6. Re:Insane... AT&T actually ahead of the game? by Anonymous Coward · · Score: 1

    AT&T doesn't appear to currently be vulnerable to this particular researcher's attack because they're using 3DES instead of DES. It's not like 3DES isn't vulnerable, and it's not like there can't be other as-yet undisclosed bugs in javacard.

    This is why I will continue to use my trusted tin-cans-and-string private network.

  7. Meanwhile at NSA HQ by EEPROMS · · Score: 4, Funny

    Damn we have been busted.

  8. Re:I'll tell you what helps too by flyingfsck · · Score: 2

    Now listen there, don't befuddle this discussion with sound logic...

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  9. So ... by ultrasawblade · · Score: 3, Funny

    how much longer until I can install Debian on my SIM card?

  10. Re:I'll tell you what helps too by ae1294 · · Score: 2

    It would be useful for identity theft. A lot of services use a text message or call to reset passwords.... I can think of 5 other things but I'll keep them to myself as I wouldn't want to add anything to the discussion...

  11. The title of this post... by BlogTheHaggis · · Score: 1

    ...was obviously not written by an Aussie... :-)

    1. Re:The title of this post... by Merls the Sneaky · · Score: 1

      As an Australian I can safely say the best and fastest way to root a sim card is to stick it in the microwave oven for 10 seconds.

    2. Re:The title of this post... by OhANameWhatName · · Score: 3, Funny

      the best and fastest way to root a sim card is to stick it in the microwave oven for 10 seconds

      I'd bet there's a bunch of folks on /. who can beat your record.

  12. Re:I'll tell you what helps too by EmperorArthur · · Score: 1

    If you've watched the gsm/gprs stuff that this guy and others have done you would know that it takes under $1,000 worth of equipment to emulate a cell tower. As soon as you do that, sending the binary SMS is easy. This enables a literal drive-by attack. Furthermore, my guess is that cell providers which are using vulnerable SIM cards are also running vulnerable networks. The second link talks about some networks allowing anyone who knows how to send binary SMS.

    My question is how easy is it to configure a rooted Android phone to block and warn me about these binary text messages.

    --
    So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
  13. Update a SIM? by manu0601 · · Score: 1

    The whole idea of having an update feature in a SIM seems foolish to me. Do they have the same thing in credit cards that have a chip?

    1. Re:Update a SIM? by Rich0 · · Score: 2

      The whole idea of having an update feature in a SIM seems foolish to me. Do they have the same thing in credit cards that have a chip?

      Yeah, I don't get it either. I also don't get why people do the same thing with NFC tags. I was looking at getting some and was really surprised to see that the phone is used to store data on the tag, and then later this data is used to trigger some kind of phone action. It would make a lot more sense to just stick a dumb GUID on the NFC chip and then just do a DB lookup on the phone to see what to do when it is scanned.

      Unnecessary complexity just leads to problems. The SIM card should just have a key burned into it with a simple program that uses it to negotiate session keys with the tower. Such a device could be designed to be extremely hard to penetrate - if you make the thing an updatable Turing-complete machine it opens up all kinds of attacks from getting it to run arbitrary code to making it much harder to defeat differential power analysis.

    2. Re:Update a SIM? by Anonymous Coward · · Score: 2, Informative

      There is a good and sound reason for writing the action instead of a GUID on the tag: compatibility. When the NFC spec was being designed, operators were heavily lobbying towards a system like the one you suggested where a GUID would cause a lookup. Unfortunately, the way they wanted to do it was that *they* design what happens for the lookup, which would've resulted in a system where every NFC tag action would have been dependent on the operator that issued the tag and the phone. For example, going to a URL could force you to go through an operator pay portal first. (A lookup table on the phone would be mighty complicated too; imagine an "open this URL" action and how you would implement that with nothing but GUIDs.)

      However, a system was devised where the action is in plain text (figuratively speaking, the spec is binary but open) on the tag, so the phone does not need to consult anything and anyone to work.

    3. Re:Update a SIM? by Rich0 · · Score: 1

      Oh, for something like a payment tag that makes a lot of sense. I don't like the idea of having to go to the NFC consortium or tag vendor to have to do a lookup.

      I was referring more to tags that people put on things and program only to affect their own phone. If I want to associate a particular tag with turning on WiFi, why is it necessary to store "turn on wifi" in the tag, and what stops somebody else from storing "wipe phone" on the tag while I'm away from it?

  14. Re:No, SIM cards always have NSA backdoors by ArchieBunker · · Score: 2

    You'd be much more credible if you didn't use the word "sheeple".

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  15. Millions? by wisnoskij · · Score: 3, Interesting

    So a very small percentage of all SIM cards then.

    --
    Troll is not a replacement for I disagree.
    1. Re:Millions? by 3247 · · Score: 1

      Actually, it's "several millions" in Germany alone. The worldwide estimate is more like half a billion, according to this Golem.de article (in German).

      --
      Claus
  16. 3 years of research? by swillden · · Score: 4, Insightful

    I clicked the link expecting to find something interesting and novel, perhaps something on par with Kocher's Differential Power Analysis attack, or better. But this guy spent three years to discover that there are a small number of ancient SIMs, not yet removed from service, which use 1DES for securing applet loading? Actually, I'm sure he did no such thing. Typical bad reporting, exacerbated by bad Slashdot editing.

    It looks to me like his talk is really about countermeasures to mitigate the risk for these ancient SIMs, on the assumption that they can't be replaced immediately. That's worthy of research and a talk, though it's hardly front-page material.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  17. Re:No, SIM cards always have NSA backdoors by DamonHD · · Score: 1

    Agreed: but then GP is obviously wiser than *all* the rest of us, and seems to assume that all the rest of us have an Xbox or whatever to boot.

    It must be painful to be so much better than everyone else.

    Rgds

    Damon

    --
    http://m.earth.org.uk/
  18. What's important? by Chris Mattern · · Score: 2

    The one unhackable part of your phone is the one that, if hacked, would enable you to defraud the phone company. Shows where the security priorities are, eh?

  19. Re:Insane... AT&T actually ahead of the game? by parkinglot777 · · Score: 1

    Vulnerability or security research is done in order to ensure security. Regardless of who funds the research, it is better to find out the vulnerabilities before black-hat hackers do. Nobody knowing does NOT mean it is secure...

  20. Re:I'll tell you what helps too by uninformedLuddite · · Score: 1

    he found his arsehole with just one hand

    --
    The new right fascists are bilingual. They speak English and Bullshit.
  21. False premise : by RockDoctor · · Score: 1

    "Smartphones are susceptible to malware and carriers have enabled NSA snooping, but the prevailing wisdom has it there's still one part of your mobile phone that remains safe and un-hackable"

    Whoever wrote this - the summary or the original article - has a severe attack of journalistic diarrhoea. They can't distinguish between "unhacked" and "unhackable".

    "Unhacked" means that no successful exploit has been reported; "unhackable" means that an attack is impossible. I heard of an "unhackable" computing device once - it was kept switched off, sealed in a block of concrete which had been thrown over the side of a ship in the middle of the Pacific. It didn't respond to "ping" in any protocol. Its usefulness was limited.

    So, now an exploit is reported against SIM cards. Not a surprise; I'll have to go and RTFM, to determine if I need to turn my phone off (since it has never known any banking details or similar secrets, it's not a terribly useful platform to hack into).

    --
    Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    1. Re:False premise : by RockDoctor · · Score: 1

      And having read TFA now (the https://srlabs.de/rooting-sim-cards/ one, not the regurgitated one), the obvious call is the one suggested there: "2 Handset SMS firewall." Much more likely to be implemented on a useful time scale than either "1. Better SIM cards." or "3. In-network SMS filtering."

      So ... who is working on an Android firewall at the appropriate level? I see 48 demos, meetoos and other indistinguishable dreck.

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
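The handset-side SMS firewall that the SRLabs page lists (and that EmperorArthur asks about in comment 12), as an added example written for this thread rather than SRLabs' or any project's code: it classifies incoming SMS-DELIVER PDUs, flags SIM data-download messages (TP-PID 0x7F, message class 2, the "binary SMS" the thread talks about) and reads the KID byte of the OTA command header to see whether the command is signed with single DES, 3DES or something else. Field layouts follow 3GPP TS 23.040/23.038 and ETSI TS 102 225 (GSM 03.48); the sample PDUs, the phone number, counter and checksum bytes are constructed, and the allow/warn/block policy is an assumption.

```python
from dataclasses import dataclass

SIM_DATA_DOWNLOAD_PID = 0x7F     # TP-PID "(U)SIM data download" (TS 23.040)
KID_ALGO = {0: "implicit", 1: "DES-family", 2: "AES", 3: "proprietary"}
DES_MODE = {0: "single DES CBC", 1: "3DES 2-key", 2: "3DES 3-key", 3: "reserved"}

@dataclass
class Verdict:
    sim_download: bool   # True if the PDU is addressed to the SIM (OTA)
    integrity: str       # integrity algorithm requested in the OTA header
    action: str          # "allow", "warn" or "block" (assumed policy)

def _dcs_class(dcs: int):
    """Message class 0-3 if TP-DCS (TS 23.038) carries one, else None."""
    group = dcs >> 4
    if group == 0xF or (group <= 0x3 and dcs & 0x10):
        return dcs & 0x03
    return None

def inspect_pdu(pdu: bytes) -> Verdict:
    """Classify one SMS-DELIVER PDU (TS 23.040 layout, no SMSC prefix)."""
    udhi = bool(pdu[0] & 0x40)              # TP-UDHI: user-data header present
    i = 3 + (pdu[1] + 1) // 2               # skip TP-OA length, TOA, BCD digits
    pid, dcs = pdu[i], pdu[i + 1]
    ud = pdu[i + 2 + 7 + 1:]                # skip TP-PID, TP-DCS, TP-SCTS, TP-UDL
    if pid != SIM_DATA_DOWNLOAD_PID or _dcs_class(dcs) != 2:
        return Verdict(False, "n/a", "allow")   # ordinary SMS, not for the SIM
    if udhi:
        ud = ud[1 + ud[0]:]                 # drop the UDH (UDHL + its elements)
    # OTA command packet (TS 102 225): CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) ...
    spi1, kid = ud[3], ud[6]
    if spi1 & 0x03 < 2:                     # SPI b1b2: 00 = no check, 01 = CRC only
        return Verdict(True, "none", "block")
    algo = KID_ALGO[kid & 0x03]             # KID b1b2 selects the algorithm family
    integrity = DES_MODE[(kid >> 2) & 0x03] if algo == "DES-family" else algo
    if integrity in ("single DES CBC", "reserved"):
        action = "block"                    # 56-bit DES signing, or undefined mode
    elif algo in ("implicit", "proprietary"):
        action = "warn"                     # cannot tell what the card will use
    else:
        action = "allow"
    return Verdict(True, integrity, action)

# Constructed sample PDUs (not captured traffic): an OTA command signed with
# single DES (KID 0x11), the same with 2-key 3DES (KID 0x15), and a text SMS.
OTA_DES_PDU = bytes.fromhex(
    "44 0B91 5155214365F7 7F F6 31701321000000 1F"    # TP header, PID 7F, DCS F6
    "027000 001A 15 0200 00 11 000000 0000000001 00"  # UDH CPL CHL SPI KIc KID TAR CNTR PCNTR
    "0102030405060708 A0A40000")                       # dummy CC, dummy secured data
_tmp = bytearray(OTA_DES_PDU); _tmp[28] = 0x15         # KID at offset 28 -> 3DES 2-key
OTA_3DES_PDU = bytes(_tmp)
TEXT_PDU = bytes.fromhex("04 0B91 5155214365F7 00 00 31701321000000 05 E8329BFD06")
```

A real firewall would also need to sit below the modem's SMS-PP path, because the baseband may hand class-2 messages straight to the SIM before the application processor ever sees them.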