Wednesday, 24 July 2013
hack sim card
Big breaking news: just one message and the mobile is hacked

Karsten Nohl, who will be presenting his findings at the Black Hat security conference in Las Vegas on July 31, says his is the first hack of its kind in a decade, and comes after he and his team tested close to 1,000 SIM cards for vulnerabilities, exploited by simply sending a hidden SMS. The two-part flaw, based on an old security standard and badly configured code, could allow hackers to remotely infect a SIM with a virus that sends premium text messages (draining a mobile phone bill), surreptitiously re-direct and record calls, and, with the right combination of bugs, carry out payment system fraud.

Payment fraud could be a particular problem for mobile phone users in Africa, where SIM-card based payments are widespread. The deployment of so-called NFC payment technology, already slow to take off, could also be at risk, Nohl says, as well as the ability for carriers to track charges to each caller's account.

There's no obvious pattern to the flaw beyond the premise of an older encryption standard. "Different shipments of SIM cards either have [the bug] or not," says Nohl, who is chief scientist at risk management firm Security Research Labs. "It's very random."

In his study, Nohl says just under a quarter of all the SIM cards he tested could be hacked, but given that encryption standards vary widely between countries, he estimates an eighth of the world's SIM cards could be vulnerable, or about half a billion mobile devices.

Nohl, who was profiled by Forbes' Andy Greenberg in 2011 for his work on breaking mobile encryption standards, believes it unlikely that cyber criminals have already found the bug.
Now that word of the vulnerability is out, he expects it would take them at least six months to crack it, by which time the wireless industry will have implemented available fixes. That effort may already be underway. Nohl says at least two large carriers have already tasked their staff with finding a patch for the SIM vulnerability, which they will share with other operators through the wireless trade body GSMA. "Companies are surprisingly open to the idea of working cooperatively on security topics because the competition is somewhere else," says Nohl. "The competition is organized crime, not AT&T versus T-Mobile." (The situation is similar in finance, where payment services like MasterCard, Visa, and American Express work together under the industry association EMVCo to improve security standards for smart cards.)

The market for SIMs is almost entirely fed by mobile carriers, and supplied by two leading global vendors, Gemalto and Oberthur Technologies. Both have profited heavily from the huge growth in mobile handsets: ten years ago there were 1 billion SIM cards worldwide, and today there are more than 5 billion, says ABI Research analyst John Devlin, though the market is slowly reaching a plateau. SIMs are thought to be one of the most secure parts of a phone, he added, and as the carrier's property, are "key to their relationship between you and I, the subscriber."

Vodafone would not answer questions about the level of encryption its SIM cards used, and referred all media questions to GSMA. Both Verizon and AT&T said they knew of Nohl's research, but said their SIM profiles were not vulnerable to the flaw.
AT&T added that it had used SIMs with Triple Data Encryption Standard (3DES) for almost a decade; Verizon did not specify why its SIMs were not vulnerable.

The London-based GSMA said it had looked at Nohl's analysis and concurred that "a minority of SIMs produced against older standards could be vulnerable." It said it had already provided guidance to network operators and SIM vendors who could be impacted by the flaw. "There is no evidence to suggest that today's more secure SIMs, which are used to support a range of advanced services, will be affected," a spokesperson added.

Nohl says that while AT&T and Verizon may benefit from robust SIM encryption standards, other carriers still use single Data Encryption Standard (DES), a block cipher standardized in the 1970s whose 56-bit key is small enough to search exhaustively today, and that is fundamental to why he was able to "get root" on dozens of SIM cards. "Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it," Nohl says.

SIM cards are essentially mini-computers with their own operating system and pre-installed software. To protect remote management, many rely on DES (Data Encryption Standard), which was designed at IBM in the 1970s and modified by the NSA before it was standardized. Some networks, like AT&T and the four major carriers in Germany, have moved away from using the old version of the standard, but others have not. Though Nohl didn't identify a pattern to vulnerable SIMs in terms of manufacturers, the ones he could hack all used the old encryption standard.

Key to the hack is Java Card, a cut-down version of the Java platform for smart cards that runs on some 6 billion SIM cards. If operators need to update something on your SIM, for instance allowing interoperability with a carrier in another country, they install or trigger the right Java Card applets on your SIM by sending your mobile a binary SMS.
This is a text message you will never see, sent through a method called over-the-air programming (OTA).

In early 2011, Nohl's team started toying with the OTA protocol and noticed that when they used it to send commands to several SIM cards, some would refuse the command due to an incorrect cryptographic signature, while a few of those would also put a cryptographic signature on this error message. The content of that error message is predictable, so the card was handing out a signature over a known plaintext, computed under its own 56-bit DES OTA key.

With that signature and using a well known cryptographic method called rainbow tables (a precomputed time-memory trade-off that inverts a 56-bit DES operation far faster than a fresh brute-force search), Nohl was able to crack the encryption key on the SIM card in about one minute. Carriers use this key to remotely program a SIM, and it is unique to each card. "Anybody who learns the key of a particular SIM can load any application on the SIM he wants, including malicious code," says Jasper Van Woudenberg, CTO North America of smart-card security firm Riscure.

"We had almost given up on the idea of breaking the most widely deployed use of standard cryptography," says Nohl, but it felt "great" to finally gain control of a SIM after many months of unsuccessful testing.

With the all-important (and till-now elusive) encryption key, Nohl could send a virus to the SIM card, which could then send premium text messages, collect location data, make premium calls or re-route calls. A malicious hacker could eavesdrop on calls, albeit with the SIM owner probably noticing some suspiciously slow connections.

Nohl found a second bug. Unrelated to the weak encryption key, it allows even deeper hacking on SIMs and is caused, Nohl says, by a mistake on the part of SIM card manufacturers. Java Card uses a concept called sandboxing, in which pre-installed programs like a Visa or PayPal app are shielded from one another and the rest of the SIM card. The term comes from the idea of only allowing programs to "play with their own toys, in their own sandbox," says Nohl.
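The key-recovery step described above, shown as an added example rather than Nohl's or SRLabs' own code: a rainbow-table (time-memory trade-off) attack on a keyed checksum of a message the attacker already knows. DES is not available in the C standard library, so this block substitutes a toy keyed checksum and a 20-bit key space; both are assumptions and are marked as such in the code, and the "known response" bytes are constructed for the example. The structure is the real one: precompute chains of sign/reduce steps once, then, given a single captured signature, finish the chain from each possible column, find a matching chain end, and regenerate that chain from its start to recover the key.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: a 2^20 key space stands in for DES's 2^56 so the demo runs in
 * well under a second. The algorithm does not change with the key size. */
#define KEY_BITS   20
#define KEY_SPACE  (1u << KEY_BITS)
#define CHAIN_LEN  100      /* sign/reduce steps per chain */
#define NUM_CHAINS 4096     /* chains stored in the table */

/* Constructed stand-in for the predictable error response a card signs when it
 * rejects an OTA command: the attacker knows these bytes before sending anything. */
static const uint8_t KNOWN_RESPONSE[] = { 0x02, 0x71, 0x00, 0x00, 0x0E, 0x01 };

/* Assumption: FNV-1a over key bytes then message plays the role of the card's
 * DES-based checksum. It is NOT DES and has no cryptographic strength. */
uint32_t toy_mac(uint32_t key, const uint8_t *msg, size_t len)
{
    uint32_t h = 0x811C9DC5u;
    uint8_t kb[3] = { (uint8_t)(key >> 16), (uint8_t)(key >> 8), (uint8_t)key };
    for (size_t i = 0; i < sizeof kb; i++) { h ^= kb[i];  h *= 0x01000193u; }
    for (size_t i = 0; i < len; i++)       { h ^= msg[i]; h *= 0x01000193u; }
    return h;
}

/* The signature a card with this key would put on the known error response. */
uint32_t sign_known(uint32_t key)
{
    return toy_mac(key, KNOWN_RESPONSE, sizeof KNOWN_RESPONSE);
}

/* Reduction function: maps a signature back into the key space. It is different
 * in every column so chains that collide in different columns do not merge. */
uint32_t reduce(uint32_t sig, uint32_t col)
{
    uint32_t x = sig ^ (col * 0x9E3779B1u);
    x ^= x >> 13; x *= 0x85EBCA6Bu; x ^= x >> 16;
    return x & (KEY_SPACE - 1);
}

/* Advance a chain: starting with key k in column `from`, apply `steps` rounds. */
uint32_t walk(uint32_t k, uint32_t from, uint32_t steps)
{
    for (uint32_t c = from; c < from + steps; c++)
        k = reduce(sign_known(k), c);
    return k;
}

typedef struct { uint32_t start, end; } chain_t;

/* Offline phase: build the table once, before any card is targeted. */
chain_t *build_table(void)
{
    chain_t *t = malloc(NUM_CHAINS * sizeof *t);
    if (!t) return NULL;
    for (uint32_t j = 0; j < NUM_CHAINS; j++) {
        t[j].start = (j * 2654435761u) & (KEY_SPACE - 1); /* spread start points */
        t[j].end   = walk(t[j].start, 0, CHAIN_LEN);
    }
    return t;
}

/* Online phase: from one captured signature, recover a key that produces it.
 * Returns 1 and sets *key_out on success, 0 if no stored chain covers the key. */
int lookup(const chain_t *t, uint32_t target, uint32_t *key_out)
{
    for (int col = CHAIN_LEN - 1; col >= 0; col--) {
        /* Hypothesis: the target was produced in column `col`; finish the chain. */
        uint32_t end = walk(reduce(target, (uint32_t)col), (uint32_t)col + 1,
                            CHAIN_LEN - (uint32_t)col - 1);
        for (uint32_t j = 0; j < NUM_CHAINS; j++) {
            if (t[j].end != end) continue;
            /* Regenerate that chain up to `col` and confirm; mismatches are false alarms. */
            uint32_t cand = walk(t[j].start, 0, (uint32_t)col);
            if (sign_known(cand) == target) { *key_out = cand; return 1; }
        }
    }
    return 0;
}

int main(void)
{
    chain_t *t = build_table();
    if (!t) return 1;
    /* Simulated card whose key the table happens to cover (8th key of one chain). */
    uint32_t card_key = walk(t[0].start, 0, 7);
    uint32_t captured = sign_known(card_key);   /* the signed error message */
    uint32_t found;
    if (lookup(t, captured, &found))
        printf("captured signature %08x -> key %05x (%s)\n", (unsigned)captured,
               (unsigned)found, sign_known(found) == captured ? "verified" : "collision");
    else
        printf("key not covered by this table\n");
    free(t);
    return 0;
}
```

Two things carry over to the real attack. First, the table is built against the fixed, known response, so the only thing the attacker needs from a victim is one signature; the error message provides exactly that, without any key. Second, coverage is probabilistic: a key that no stored chain passes through is not found, which is why a production table for a 56-bit cipher is huge and why Nohl's figure is "some chance", not certainty.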
"This sandboxing mechanism is broken in the most widely-used SIM cards." The researcher says he found a few instances where the protocols on the SIM card allowed the virus he had sent to a SIM to check the files of a payment app that was also installed on the card. The way this works is somewhat complex, but Nohl's virus essentially gave the infected Java software a command it could not understand or complete, e.g. asking for the 12th item in a 10-item list. A card that does not enforce the array bounds check simply reads past the end of the list into memory belonging to other applets, so the software forgoes its basic security checks and grants the virus full memory access, or "root," in cyber security parlance.

In sum, a malicious hacker who wanted to use this method might start with a list of 100 phones. They could send a binary SMS to all of them, using a programmable cell phone connected to a computer. They might get 25 responses with cryptographic signatures, and dismiss the half that use a stronger security standard. From the rest, Nohl surmises they could crack the encryption key of perhaps 13 SIM cards, and send them a virus that breaks through the Java Card sandbox barriers and reads payment app details, as well as the master key of the SIM card.

Who's to blame for this and who can fix it? Nohl says broken Java sandboxing is a shortcoming of leading SIM card vendors like Gemalto and Oberthur. Riscure's Van Woudenberg agrees. Gemalto, which made about half its $2.5 bil
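The "12th item in a 10-item list" failure above, as an added example in C that is not Nohl's code and not any vendor's VM: a tiny model of a card's byte-array load instruction, once without the checks and once with them. Card memory, the array layout, the two applet contexts and the payment secret are all constructed for the illustration (assumptions, marked in the code); the point it shows is that an out-of-bounds index is only a bug report on a VM that checks, but a read of the neighbouring applet's data on one that does not.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CARD_MEM_SIZE 64

/* Flat model of card memory. Assumption: constructed layout for this example. */
static uint8_t card_mem[CARD_MEM_SIZE];

/* An array object as the VM sees it: owning applet, start offset, element count. */
typedef struct { uint8_t owner; uint16_t base; uint16_t len; } card_array;

enum { CTX_MALWARE = 1, CTX_PAYMENT = 2 };

/* The attacker's applet owns a 10-byte array; the payment applet's 8-byte secret
 * sits a couple of bytes past it. Both values are constructed. */
static const card_array attacker_array = { CTX_MALWARE, 0, 10 };
static const uint8_t PAYMENT_SECRET[8] = { 'K', 'E', 'Y', '-', '0', '0', '0', '1' };
#define SECRET_OFFSET 12

void setup_card_memory(void)
{
    memset(card_mem, 0, sizeof card_mem);
    for (int i = 0; i < 10; i++) card_mem[i] = (uint8_t)(0xA0 + i);
    memcpy(card_mem + SECRET_OFFSET, PAYMENT_SECRET, sizeof PAYMENT_SECRET);
}

/* Vulnerable byte-array load: no bounds or ownership check, so index 12 on a
 * 10-element array returns whatever lies past the array. The modulo only keeps
 * this host simulator memory-safe; the card would read the neighbouring bytes. */
int baload_unchecked(const card_array *a, uint16_t idx, uint8_t caller_ctx)
{
    (void)caller_ctx;
    return card_mem[(a->base + idx) % CARD_MEM_SIZE];
}

/* Hardened load: the checks a Java Card VM is supposed to enforce. Returns -1 when
 * refused (a real card would throw ArrayIndexOutOfBounds / SecurityException). */
int baload_checked(const card_array *a, uint16_t idx, uint8_t caller_ctx)
{
    if (caller_ctx != a->owner) return -1;               /* applet firewall: foreign context */
    if (idx >= a->len) return -1;                        /* bounds check */
    if ((size_t)a->base + idx >= CARD_MEM_SIZE) return -1;
    return card_mem[a->base + idx];
}

/* What the malicious applet does: index past its own array and copy out the
 * neighbour's bytes. Returns how many bytes the VM let it read. */
size_t leak_with(int (*load)(const card_array *, uint16_t, uint8_t), uint8_t out[8])
{
    size_t got = 0;
    for (uint16_t i = 0; i < 8; i++) {
        int v = load(&attacker_array, (uint16_t)(SECRET_OFFSET + i), CTX_MALWARE);
        if (v < 0) break;
        out[got++] = (uint8_t)v;
    }
    return got;
}

int main(void)
{
    uint8_t buf[8];
    setup_card_memory();
    size_t n = leak_with(baload_unchecked, buf);
    printf("unchecked VM: leaked %zu bytes: %.*s\n", n, (int)n, (const char *)buf);
    n = leak_with(baload_checked, buf);
    printf("checked VM:   leaked %zu bytes\n", n);
    return 0;
}
```

On a real card the two checks are separate mechanisms: the bounds check belongs to the bytecode interpreter (or to an off-card verifier that the operator must actually run before loading), and the ownership check is the Java Card applet firewall. A card that skips either one turns the ability to load any applet, which the recovered OTA key already gives the attacker, into the ability to read every other applet's data.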
Labels:
hack