Terms of Use For FixedByVonnie

By proceeding to access fixedByVonnie.com, you expressly acknowledge, and agree to, all of the following:

fixedByVonnie.com is a personal website and blog owned by Security Plus Pro LLC, which is being presented for informational purposes only. The views on this website are solely those of the website owner (and not those of any employer or of any professional associations affiliated with the website owner).  Any views expressed in this website and any information presented on this website, or in any of its blog entries, should not be relied on for any purpose whatsoever other than as the personal opinions of the website owner.  The website owner expressly disclaims any and all liability for any information presented on this site.  The owner of this website and its blog posts shall not be held liable, and shall be held harmless, for any errors or omissions in any information or representations contained in this website, or in any of its blog entries.  The website owner also expressly disclaims any liability for the current or future availability of any such information. The website owner makes no representations as to the accuracy or completeness of any information on this website or which may be found by following any link on this website. The website owner shall not be held liable for any losses, injuries, damages, claims, or causes of action, from the display or use of any information on this website or in any of its blog entries. If you use the information on this website, or on any of its blog entries, you do so solely at your own risk.

SIM card flaw affects millions of phones - fixedByVonnie

SIM card flaw affects millions of phones

Karsten Nohl, founder of Security Research Labs in Berlin, discovered an encryption flaw that could give cyber criminals a new attack vector for exploitation.  The vulnerability gives hackers indiscriminate access to the digital key on the SIM card.  Once inside, hackers can wantonly spy on calls, impersonate the owner and make purchases using stored credit data.  This bad news is exacerbated by the fact that the recent NSA debacle is still fresh in peoples minds so everyone is concerned with security now.

The code flaw stems from the use of the Data Encryption Standard (DES), which is an antiquated but prevalent technology still in existence today.

DES was standardized in 1979 but was replaced because of major security issues.  The key size is too small.  DES uses a 56bit key which is simply too short to resist modern brute force attacks.

In 1998, the Electronic Frontier Foundation (EFF) actually designed a machine that broke DES code in just 56 hours.  The EFF has done a good job finding security holes and acknowledging companies that protect user data – Yahoo earlier this month is a good example of that – but the thing that continues to mystify me is that, despite these glaring security holes, DES is still virtually ubiquitous.

Exactly how ubiquitous is it?

DES is actually operating on about three billion cellphones in use today; that’s half of the sum of global cell phones.  On the flip side, more providers have sagaciously chosen to use stronger algorithms like triple DES (3DES) to protect user data; however, there are still millions using the old DES standard and even 3DES has it’s own set of problems.

The worse part? It only took Nohl two minutes to pull off the hack trick and he estimates that over 750 million phones may be susceptible to this vulnerability.

Nohl is planning to reveal the full details of his research at the Black Hat conference on August 1st in Las Vegas.  In the meantime, he’s shared the results of his study with a London based organization in the mobile industry and exhorted the leaders to supplant DES with newer, safer standards instead.

If you’re using a SIM card older than 3 years old you could be vulnerable.  This mobile security flaw reminds me about my article about the Android weakness that affects 99% of phones.

What do you think of all this?  Are phone carriers going to wise up?  Are hackers already exploiting this attack vector?  Let me know in the comments.


Connect with Vonnie on Twitter

Posted in Mobile, News, Smartphones Tagged with: