Karsten Nohl, founder of Security Research Labs in Berlin, discovered an encryption flaw that could give cyber criminals a new attack vector for exploitation. The vulnerability gives hackers indiscriminate access to the digital key on the SIM card. Once inside, hackers can wantonly spy on calls, impersonate the owner and make purchases using stored credit data. This bad news is exacerbated by the fact that the recent NSA debacle is still fresh in peoples minds so everyone is concerned with security now.
The code flaw stems from the use of the Data Encryption Standard (DES), which is an antiquated but prevalent technology still in existence today.
DES was standardized in 1979 but was replaced because of major security issues. The key size is too small. DES uses a 56bit key which is simply too short to resist modern brute force attacks.
In 1998, the Electronic Frontier Foundation (EFF) actually designed a machine that broke DES code in just 56 hours. The EFF has done a good job finding security holes and acknowledging companies that protect user data – Yahoo earlier this month is a good example of that – but the thing that continues to mystify me is that, despite these glaring security holes, DES is still virtually ubiquitous.
Exactly how ubiquitous is it?
DES is actually operating on about three billion cellphones in use today; that’s half of the sum of global cell phones. On the flip side, more providers have sagaciously chosen to use stronger algorithms like triple DES (3DES) to protect user data; however, there are still millions using the old DES standard and even 3DES has it’s own set of problems.
The worse part? It only took Nohl two minutes to pull off the hack trick and he estimates that over 750 million phones may be susceptible to this vulnerability.
Nohl is planning to reveal the full details of his research at the Black Hat conference on August 1st in Las Vegas. In the meantime, he’s shared the results of his study with a London based organization in the mobile industry and exhorted the leaders to supplant DES with newer, safer standards instead.
If you’re using a SIM card older than 3 years old you could be vulnerable. This mobile security flaw reminds me about my article about the Android weakness that affects 99% of phones.
What do you think of all this? Are phone carriers going to wise up? Are hackers already exploiting this attack vector? Let me know in the comments.