Monday, 22 July 2013

Another BYOD Worry: Hacking Via SIM-Card Vulnerability


Jul 22nd 2013, 11:16

Today's Alphabet Soup: SIM DES SMS GSM UN ITU NSA OTOH.

Karsten Nohl, a German security researcher, warns that more than half a billion mobile phones could be vulnerable to attack. He's found a serious flaw in more than 12% of Subscriber Identity Modules (SIM cards). How can you ensure your BYOD users are safe?

On the one hand, it's incredible to think this vulnerability's been lurking unseen for decades.

On The Other Hand, mobile operators promise they're on top of the problem.
Forbes' Parmy Olson broke the story:

After three years of research…Nohl claims to have finally found…flaws that could affect millions of SIM cards, and open up another route…for surveillance and fraud. [He] says his is the first hack of its kind in a decade. [It's] exploited by simply sending a hidden SMS [which] could allow hackers to remotely infect a SIM with a virus.

Nohl…estimates an eighth of the world's SIM cards could be vulnerable, or about half a billion mobile devices. … Nohl says at least two large carriers have already tasked their staff with finding a patch…which they will share with other operators. [He blames] a shortcoming of leading SIM card vendors like Gemalto and Oberthur [saying it] "affects every operator who uses cards from two main vendors," including carriers like AT&T and Verizon who use robust encryption.

As mobile payments [become popular] Nohl's research has shown…security on SIMs could be more challenging than…originally thought.

 

What's the implication? Jeremy Kirk has the enterprise viewpoint:

Nohl, an expert cryptographer with Security Research Labs, [tricked] mobile phones into granting access to the device's location and SMS functions and allowing changes to a person's voicemail number.

…an attacker could force the SIM to download…programs that [for example] "send SMS, change voicemail numbers, and query the phone location."

 

Why's that important? The horse's mouth, Karsten Nohl, tells us:

SIM cards are the de facto trust anchor of mobile devices. [They] protect the mobile identity of subscribers…and increasingly store payment credentials. … SIMs may well be the most widely used security token in the world. [This vulnerability] poses a critical hacking risk.

Cards need to use state-of-art cryptography [but] the years needed to replace vulnerable legacy cards warrant supplementary defense [such as an] SMS firewall [and] network SMS filtering.

 

As Jim Finkle reports, the U.N. is sticking its nose in the situation:

A United Nations group that advises nations on cybersecurity plans to send out an alert. … The U.N.'s Geneva-based International Telecommunications Union, which has reviewed the research, described it as "hugely significant," [and will] notify telecommunications regulators and other government agencies in nearly 200 countries.

Cracking SIM cards has long been the Holy Grail of hackers. … Once a hacker copies a SIM, it can be used to make calls and send text messages impersonating the owner of the phone. …users in Africa could be among the most vulnerable because banking is widely done via mobile payment systems. … All types of phones are vulnerable.

 

And Andrew Dodson quips, "Don't give the NSA any ideas":

It's not just the U.S. government's National Security Agency you have to worry about eavesdropping on your phone calls.

Americans are already on edge about the NSA's snooping around their phone records and emails. … A security flaw like this could be another tipping point in the privacy debate.

 

Meanwhile, Lawrence D'Oliveiro thinks the industry has been criminally negligent:

The Only Surprise is that anybody is still relying on…DES encryption.

…in the 1980s [it] was already known to have weaknesses even back then. That anybody might still be using it this century…is tantamount to criminal negligence.

 

Image credit: Petr Kratochvil (public domain)


 


This is OTOH: curated, fluff-free news and commentary, for people too busy to sift the gold from the sludge. Richi Jennings is an independent analyst, writer and editor. You can Google Google-Plus him at +richij, follow him as @RiCHi on Twitter, pretend to be his friend at Facebook.com/richij or just use boring old email: fs@richij.com. Richi publishes a full profile and disclosure of his industry affiliations.
