Rooting SIM Cards
SmartAboutThings writes "Smartphones are susceptible to malware and carriers have enabled NSA snooping, but the prevailing wisdom has it there's still one part of your mobile phone that remains safe and un-hackable: your SIM card. Yet after three years of research, German cryptographer Karsten Nohl claims to have finally found encryption and software flaws that could affect millions of SIM cards, and open up another route on mobile phones for surveillance and fraud."
either way, you're rooted
work in progress
if you happen to be talking about android with an aussie and you tell them they should "get rooted" you might end up with a fist sanga
Yes, there actually is a JavaVM autonomously running inside the SIM card. Yes, the provider can install programs on the SIM card that interface with the phone through a standardized API. Yes, this hack enables the attacker to do the same. Yes, the JavaVMs are not secure and breaking out of the sandbox enables the attacker to read the master key which identifies the SIM. Yes, that means the attacker can run a software simulation of a SIM card with your secret SIM key and impersonate you vis-à-vis the network. Yes, all that is possible because some providers still deploy SIM cards that accept binary SMS which are signed with DES. Not 3DES, not AES, which are both in the standard as well, but 56 bit DE fucking S.
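The post above turns on one detail of those OTA "binary SMS": a security header tells the SIM which key and algorithm protect the message, and some cards accept single DES there. As an added example (not code from the article or the commenter), here is a Python decoder for the GSM 03.48 / ETSI TS 102 225 command-packet header that reports what the KIc/KID bytes select and flags single-DES and unenforced-counter settings. The sample packets are constructed; their TAR, counter and checksum bytes are placeholders rather than a real MAC, and the finding names are this example's own.

```python
"""Decode the security header of an OTA command packet (the "binary SMS" of the
post above) and flag single-DES and replay-prone settings. Added example, not
code from the article or the comment. Layout per GSM 03.48 / ETSI TS 102 225:
    CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1) RC/CC/DS(n) data
Packets below are constructed; TAR, counter and checksum are placeholders.
"""
from dataclasses import dataclass

# KIc/KID byte: b2b1 algorithm, b4b3 mode (for DES), b8..b5 key index.
ALGORITHM = {0b00: "implicit", 0b01: "DES",
             0b10: "AES (later TS 102 225; reserved in 03.48)", 0b11: "proprietary"}
DES_MODE = {0b00: "DES CBC", 0b01: "3DES two-key", 0b10: "3DES three-key",
            0b11: "DES ECB (KIc only)"}
SINGLE_DES_MODES = {0b00, 0b11}
# SPI first byte: b2b1 counter mode (10/11 = receiver checks it), b3 ciphering,
# b5b4 integrity: 00 none, 01 RC (CRC), 10 CC (MAC), 11 DS (signature).
FIXED_HEADER_LEN = 13  # SPI + KIc + KID + TAR + CNTR + PCNTR

@dataclass
class CommandPacket:
    counter_mode: int
    ciphered: bool
    integrity: int
    kic: int
    kid: int
    tar: bytes
    counter: int
    checksum: bytes
    secured_data: bytes

def key_algorithm(key_byte: int):
    return key_byte & 0b11, (key_byte >> 2) & 0b11, key_byte >> 4  # (alg, mode, index)

def is_single_des(key_byte: int) -> bool:
    alg, mode, _ = key_algorithm(key_byte)
    return alg == 0b01 and mode in SINGLE_DES_MODES

def describe_key(key_byte: int) -> str:
    alg, mode, index = key_algorithm(key_byte)
    return f"{DES_MODE[mode] if alg == 0b01 else ALGORITHM[alg]}, key index {index}"

def parse_command_packet(pkt: bytes) -> CommandPacket:
    if len(pkt) < 3:
        raise ValueError("too short for CPL and CHL")
    cpl = int.from_bytes(pkt[0:2], "big")
    if len(pkt) != 2 + cpl:
        raise ValueError(f"CPL announces {cpl} bytes, {len(pkt) - 2} present")
    chl = pkt[2]
    if chl < FIXED_HEADER_LEN or 3 + chl > len(pkt):
        raise ValueError(f"bad CHL {chl}")
    hdr, spi0 = pkt[3:3 + chl], pkt[3]
    return CommandPacket(
        counter_mode=spi0 & 0b11,
        ciphered=bool((spi0 >> 2) & 1),
        integrity=(spi0 >> 3) & 0b11,
        kic=hdr[2], kid=hdr[3], tar=hdr[4:7],
        counter=int.from_bytes(hdr[7:12], "big"),
        checksum=hdr[FIXED_HEADER_LEN:],  # RC/CC/DS, length = CHL - 13
        secured_data=pkt[3 + chl:],
    )

def audit(cp: CommandPacket) -> list:
    """Finding codes (this example's own names) for the weak settings discussed."""
    findings = []
    if cp.integrity == 0b00:
        findings.append("NO_INTEGRITY")
    elif cp.integrity == 0b01:
        findings.append("CRC_ONLY")              # redundancy check, not a keyed MAC
    elif cp.integrity == 0b10 and is_single_des(cp.kid):
        findings.append("KID_SINGLE_DES")        # a 56-bit key protects the MAC
    if cp.ciphered and is_single_des(cp.kic):
        findings.append("KIC_SINGLE_DES")
    if cp.counter_mode in (0b00, 0b01):
        findings.append("COUNTER_NOT_ENFORCED")  # replayable
    return findings

def build_sample_packet(kid: int, kic: int = 0x00, counter_mode: int = 0b10,
                        ciphered: bool = False, integrity: int = 0b10) -> bytes:
    """Constructed packet for the demo, not a captured OTA message."""
    spi = bytes([counter_mode | (int(ciphered) << 2) | (integrity << 3), 0b01])  # PoR required
    header = (spi + bytes([kic, kid]) + bytes(3)            # placeholder TAR
              + (1).to_bytes(5, "big") + b"\x00"            # CNTR = 1, PCNTR = 0
              + bytes(8))                                   # placeholder 8-byte CC
    body = bytes([len(header)]) + header + bytes.fromhex("deadbeef")  # constructed payload
    return len(body).to_bytes(2, "big") + body

def rejects(pkt: bytes) -> bool:
    try:
        parse_command_packet(pkt)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    for kid in (0x11, 0x15):
        cp = parse_command_packet(build_sample_packet(kid))
        print(f"KID {kid:#04x}: {describe_key(kid)} -> {audit(cp) or ['ok']}")
```

The length checks matter as much as the algorithm check: CPL and CHL are attacker-supplied bytes in a message the card parses before any MAC is verified, so a decoder that trusts them is the kind of code a sandbox escape starts from. Running the block prints a single-DES finding for KID 0x11 and a clean result for the two-key 3DES KID 0x15.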
Who cares? The providers have the encryption keys anyway, whether they are single DES or AES. So the government can get access too if they want them and do all kinds of nasty tricks. Who else will use it? Some hacker who wants to call expensive paylines using your SIM card doesn't buy $100,000 worth of equipment to pull it off only to gain $1000.
Damn we have been busted.
Now listen there, don't befuddle this discussion with sound logic...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
how much longer until I can install Debian on my SIM card?
It would be useful for Identity theft. A lot of services use a text message or call to reset passwords.... I can think of 5 other things but I'll keep them to myself as I wouldn't want to add anything to the discussion...
The whole idea of having an update feature in a SIM seems foolish to me. Do they have the same thing in credit cards that have a chip?
Yeah, I don't get it either. I also don't get why people do the same thing with NFC tags. I was looking at getting some and was really surprised to see that the phone is used to store data on the tag, and then later this data is used to trigger some kind of phone action. It would make a lot more sense to just stick a dumb GUID on the NFC chip and then just do a DB lookup on the phone to see what to do when it is scanned.
Unnecessary complexity just leads to problems. The SIM card should just have a key burned into it with a simple program that uses it to negotiate session keys with the tower. Such a device could be designed to be extremely hard to penetrate - if you make the thing an updatable turing-complete machine it opens up all kinds of attacks from getting it to run arbitrary code to making it much harder to defeat differential power analysis.
You'd be much more credible if you didn't use the word "sheeple".
Only the State obtains its revenue by coercion. - Murray Rothbard
So a very small percentage of all SIM cards then.
"Troll" is not a replacement for "I disagree."
I clicked the link expecting to find something interesting and novel, perhaps something on par with Kocher's Differential Power Analysis attack, or better. But this guy spent three years to discover that there are a small number of ancient SIMs, not yet removed from service, which use 1DES for securing applet loading? Actually, I'm sure he did no such thing. Typical bad reporting, exacerbated by bad slashdot editing.
It looks to me like his talk is really about countermeasures to mitigate the risk for these ancient SIMs, on the assumption that they can't be replaced immediately. That's worthy of research and a talk, though it's hardly front-page material.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
There is a good and sound reason for writing the action instead of a GUID on the tag: compatibility. When the NFC spec was being designed, operators were heavily lobbying towards a system like the one you suggest, where a GUID would cause a lookup. Unfortunately, the way they wanted to do it was that *they* design what happens for the lookup, which would've resulted in a system where every NFC tag action would have been dependent on the operator that issued the tag and the phone. For example, going to a URL could force you to go through an operator pay portal first. (A lookup table on the phone would be mighty complicated too; imagine an "open this URL" action and how you would implement that with nothing but GUIDs.)
However, a system was devised where the action is in plain text (figuratively speaking, the spec is binary but open) on the tag, so the phone does not need to consult anything and anyone to work.
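The comment above explains that the tag carries the action itself, so the phone decodes it without asking anyone. As an added example (not code from the comment), here is a Python parser for an NDEF message that extracts a URI record the way a phone would, using the NFC Forum record layout and the URI RTD's prefix codes (only the common codes are listed). The tag contents are constructed, and the auto-open allowlist is this example's own policy, included because the flip side of "the tag decides the action" is that the phone must still decide whether to act on a URI a stranger wrote.

```python
"""Parse an NDEF message from an NFC tag and decode its URI record, i.e. the
"action in plain text on the tag" described above. Added example, not code from
the comment. Record layout follows the NFC Forum NDEF spec; URI identifier-code
prefixes follow the URI RTD (only the common codes are listed here). The tag
contents are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

URI_PREFIX = {0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://",
              0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}
TNF_WELL_KNOWN = 0x01
AUTO_OPEN_SCHEMES = {"http", "https"}  # example policy: never auto-dial or auto-mail

@dataclass
class NdefRecord:
    tnf: int
    type: bytes
    id: bytes
    payload: bytes

def parse_ndef(msg: bytes) -> list:
    """Walk MB..ME records; reject truncation, chunking and trailing bytes."""
    records, off, n = [], 0, len(msg)

    def take(k: int) -> bytes:
        nonlocal off
        if off + k > n:
            raise ValueError("record overruns message")
        chunk = msg[off:off + k]
        off += k
        return chunk

    while off < n:
        flags = take(1)[0]
        mb, me, cf, sr, il = ((flags >> s) & 1 for s in (7, 6, 5, 4, 3))
        if bool(records) == bool(mb):  # MB must be set on exactly the first record
            raise ValueError("bad MB flag")
        if cf:
            raise ValueError("chunked records not handled here")
        type_len = take(1)[0]
        payload_len = take(1)[0] if sr else int.from_bytes(take(4), "big")
        id_len = take(1)[0] if il else 0
        records.append(NdefRecord(flags & 0x07, take(type_len), take(id_len), take(payload_len)))
        if me:
            break
    else:
        raise ValueError("message ended without ME")
    if off != n:
        raise ValueError("trailing bytes after ME")
    return records

def decode_uri(rec: NdefRecord) -> str:
    if rec.tnf != TNF_WELL_KNOWN or rec.type != b"U":
        raise ValueError("not a URI record")
    if not rec.payload:
        raise ValueError("empty URI payload")
    code = rec.payload[0]
    if code not in URI_PREFIX:  # code not in our table: refuse rather than guess
        raise ValueError(f"unknown URI identifier code {code:#x}")
    return URI_PREFIX[code] + rec.payload[1:].decode("utf-8")

def auto_open_allowed(uri: str) -> bool:
    """The tag chooses the action; the phone still decides whether to act on it."""
    return urlsplit(uri).scheme.lower() in AUTO_OPEN_SCHEMES

def encode_uri_record(uri: str) -> bytes:
    """Build one short NDEF URI record (MB=ME=SR=1, TNF=well-known) for the demo."""
    code, prefix = 0x00, ""
    for c, p in URI_PREFIX.items():
        if p and uri.startswith(p) and len(p) > len(prefix):
            code, prefix = c, p
    payload = bytes([code]) + uri[len(prefix):].encode("utf-8")
    if len(payload) > 255:
        raise ValueError("payload too long for a short record")
    return bytes([0xD1, 1, len(payload)]) + b"U" + payload

def rejects(msg: bytes) -> bool:
    try:
        parse_ndef(msg)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    for uri in ("https://www.example.com/door/42", "tel:+1900555"):
        rec = parse_ndef(encode_uri_record(uri))[0]
        print(f"{decode_uri(rec)!r}: auto-open {'allowed' if auto_open_allowed(decode_uri(rec)) else 'denied'}")
```

Every length field is read through `take`, so a tag whose header claims more bytes than it carries fails cleanly instead of indexing past the buffer, and a message that keeps going after the ME record is rejected rather than silently ignored.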
the best and fastest way to root a sim card is to stick it in the microwave oven for 10 seconds
I'd bet there's a bunch of folks on /. who can beat your record.
The one unhackable part of your phone is the one that, if hacked, would enable you to defraud the phone company. Shows where the security priorities are, eh?