Guest Blog: Hacking the SIMs


John Murtagh, chief technology officer at Anam Technologies, explores the security issues around SIM cards.

When you consider the ways in which a mobile device can be hacked, the default thought would be to use the vast array of mobile applications present on today's smartphones as the easiest access point. Many of these applications have been shown to have security flaws that hackers and criminals are able to exploit, giving them access to the mobile user's personal data and control of the device. However, white-hat hacker Karsten Nohl revealed at Black Hat last month, a security conference at which researchers disclose flaws in security protocols, that it is possible to break through the security of the physical SIM card in a mobile device, potentially putting millions of subscribers at risk.

SIM cards, one of the most widely deployed technologies in the world, with recent statistics confirming more than 7 billion cards in use, had previously been granted halo status for having no known or publicly disclosed exploits. This research has broken that myth by revealing a weakness in SIMs whose over-the-air (OTA) management keys use single Data Encryption Standard (DES), that is, 56-bit DES. The attacker sends the SIM a binary SMS, masked as an OTA management command from the user's mobile operator and carrying a fake cryptographic signature. Whilst the research showed that most SIMs recognised the signature as invalid and silently dropped the message, about a quarter replied with an error message carrying a Message Authentication Code (MAC) computed with the SIM's own DES key. A 56-bit key space is far too small for modern hardware, so that key can be recovered from the MAC within minutes using precomputed tables. Once the hacker has this key the consequences are severe, as it allows them to take virtual ownership of the SIM and load malicious code onto it, which could be used to remotely defraud the user. Mr. Nohl has also claimed that it is even possible to clone the SIM by getting access to the vital GSM security keys stored on it.

So what should mobile operators do to stop their subscribers from being defrauded?

One positive from this research is the estimate that only about one eighth of the world's SIMs could be affected, because most SIM vendors have replaced this legacy technology with Advanced Encryption Standard (AES) or Triple DES (3DES), neither of which is affected by this flaw. Yet there is still a large number of legacy single-DES SIMs in the market, particularly in developing and emerging markets. Those legacy SIMs are not necessarily replaced when the user upgrades their phone, as it is usual practice to move the existing SIM card into the new device. This means that these SIMs may currently be present in some of the latest handsets, and the SIM itself provides an execution environment for applications loaded onto it, including over the air. As a result, it is feasible that an attacker who controls the SIM could go on to target the user's social networking and banking apps, gaining access to far more sensitive personal information than SMS messages or contact lists.

One way Mobile Network Operators (MNOs) could address this problem is to initiate a swap-out of all legacy SIMs within their subscriber base for SIMs using current encryption technology. However, this measure presents a number of logistical challenges and would be both a costly and time-intensive exercise for the operator, during which more SIMs could be compromised and more data exposed. Naturally, moving forward an MNO should ensure that all new SIMs issued to new or existing subscribers do not use single DES for their OTA keys.

However, a more pragmatic approach, which could be implemented immediately and would protect all of an operator's subscribers from this threat whilst avoiding the logistical nightmare of the previous approach, is to implement an SMS firewall.

A firewall normally invokes images of protecting physical computers and laptops from spam and viruses, not of protecting SIM cards. However, as the SIM card is essentially a small computer whose primary remote management interface is SMS, an SMS firewall can be used to protect all SIMs belonging to a network operator, even when roaming. In this particular case the MNO can implement a block filter in its SMS firewall node that drops all SIM Over The Air (OTA) messages (binary SMS addressed to the SIM rather than to the handset) arriving over unauthorised SMS interfaces, such as international signalling links, SIM boxes and the open IP-based SMS access interfaces often made available to content providers and SMS aggregators. Legitimate OTA commands originate only from the operator's own OTA platform, so everything else can be dropped without affecting service. For the filter to see messages injected from foreign networks, the operator also needs SMS home routing, so that all inbound mobile-terminated traffic is steered through the firewall before delivery rather than handed straight to the serving network. Such a filter also provides security features that detect scanning, spoofing and spam content, preventing it from reaching the subscriber's phone. These tools monitor where SMS traffic originates and where it terminates in the MNO's network, effectively stopping unwanted traffic and the subsequent misuse of customers' mobile identities. As a result not only is the subscriber's data protected but the MNO retains its relationship with the subscriber and increases customer satisfaction.
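As an added example that is not part of the original post, the block filter described above and the OTA packet structure the attack abuses (the signed binary SMS discussed earlier) can both be shown in code. The Python below is the editor's illustration, not Anam's product, an operator's configuration or Nohl's tooling. It classifies mobile-terminated SMS by origin interface and by the TP-PID/TP-DCS markers that make a handset hand a message to the SIM (3GPP TS 23.040/23.038), and it decodes the clear-text head of the OTA command packet (the SPI and KID bytes of ETSI TS 102 225, carried behind UDH information element 0x70) so that a command requesting a single-DES-signed proof of receipt can be refused even on the trusted path. The interface labels (`ota-gateway`, `intl-signalling`, `smpp-aggregator`), the TAR value and all sample messages are constructed.

```python
"""SMS-firewall classifier for SIM OTA traffic (added example, not the
article's or Anam's code). Field layouts follow 3GPP TS 23.040/23.038 and
ETSI TS 102 225; interface labels and sample messages are constructed."""
from __future__ import annotations
from dataclasses import dataclass

PID_SIM_DATA_DOWNLOAD = 0x7F   # TP-PID value for (U)SIM data download
IEI_COMMAND_PACKET = 0x70      # UDH information element: OTA command packet
TRUSTED_ORIGINS = {"ota-gateway"}   # the operator's own OTA platform (assumed label)


@dataclass(frozen=True)
class Sms:
    origin: str       # interface the MT message entered on (assumed labels)
    pid: int          # TP-PID
    dcs: int          # TP-DCS
    user_data: bytes  # TP-User-Data; begins with a UDH when has_udh is set
    has_udh: bool = True


def is_class2_binary(dcs: int) -> bool:
    """True when TP-DCS means 8-bit data with message class 2 (SIM-specific)."""
    if (dcs >> 4) == 0xF:                       # 'data coding/message class' group
        return bool(dcs & 0x04) and (dcs & 0x03) == 2
    if (dcs >> 6) == 0:                         # 'general data coding' group
        return bool(dcs & 0x10) and (dcs & 0x0C) == 0x04 and (dcs & 0x03) == 2
    return False


def parse_udh(user_data: bytes) -> tuple[dict[int, bytes], bytes]:
    """Split TP-User-Data into {IEI: IE data} and the payload after the UDH."""
    if not user_data:
        raise ValueError("empty user data")
    end = 1 + user_data[0]                      # UDHL counts the bytes after itself
    if end > len(user_data):
        raise ValueError("UDHL exceeds user data")
    ies, i = {}, 1
    while i < end:
        if i + 2 > end:
            raise ValueError("truncated information element")
        iei, iedl = user_data[i], user_data[i + 1]
        if i + 2 + iedl > end:
            raise ValueError("information element overruns UDH")
        ies[iei] = user_data[i + 2:i + 2 + iedl]
        i += 2 + iedl
    return ies, user_data[end:]


def parse_command_header(packet: bytes) -> dict[str, int | bool | str]:
    """Decode the clear-text head of a TS 102 225 command packet:
    CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1) RC/CC/DS ...
    CNTR onwards may be ciphered; SPI/KIc/KID/TAR never are, so a firewall
    can read the requested security mode without holding any key."""
    if len(packet) < 10:
        raise ValueError("command packet shorter than its fixed header")
    spi1, spi2, kid = packet[3], packet[4], packet[6]
    return {
        "cpl": int.from_bytes(packet[0:2], "big"),
        "chl": packet[2],
        "cc_requested": (spi1 & 0x03) == 0x02,         # SPI1 b2b1 = 10: cryptographic checksum
        "por_requested": (spi2 & 0x03) != 0,           # SPI2 b2b1: PoR always / on error only
        "por_with_cc": ((spi2 >> 2) & 0x03) == 0x02,   # SPI2 b4b3 = 10: PoR signed with a CC
        "single_des_cc": (kid & 0x0F) == 0x01,         # KID: DES family, mode 00 = single DES CBC
        "tar": packet[7:10].hex(),
    }


def classify(sms: Sms) -> tuple[str, str]:
    """Return ('allow' | 'block', reason) for one mobile-terminated SMS."""
    # Either marker is enough to treat the message as addressed to the SIM;
    # erring towards 'OTA' is the safe direction for a block filter.
    if sms.pid != PID_SIM_DATA_DOWNLOAD and not is_class2_binary(sms.dcs):
        return "allow", "not SIM OTA traffic"
    if sms.origin not in TRUSTED_ORIGINS:
        return "block", f"SIM OTA message from unauthorised interface {sms.origin!r}"
    # Even from the trusted platform, refuse commands that ask the SIM for a
    # single-DES-signed proof of receipt: that signed reply is what the attack harvests.
    try:
        ies, payload = parse_udh(sms.user_data) if sms.has_udh else ({}, sms.user_data)
        if IEI_COMMAND_PACKET in ies:
            hdr = parse_command_header(payload)
            if hdr["single_des_cc"] and hdr["por_requested"] and hdr["por_with_cc"]:
                return "block", "command requests a single-DES signed proof of receipt"
    except ValueError as exc:
        return "block", f"malformed OTA packet ({exc})"
    return "allow", "OTA command from trusted platform"


def build_command(kid: int) -> bytes:
    """Constructed TP-User-Data: UDH (IEI 0x70) + command packet asking for a CC-signed PoR."""
    header = bytes([0x02, 0x09,            # SPI: CC on command; PoR required, PoR carries CC
                    0x00, kid,             # KIc implicit; KID selects the signing algorithm
                    0x00, 0x00, 0x00])     # TAR (constructed value)
    body = bytes(5) + bytes(1) + bytes(8) + b"\x00\x01"   # CNTR, PCNTR, dummy CC, secured data
    chl = len(header) + 5 + 1 + 8                          # SPI .. CC inclusive
    cpl = 1 + chl + 2                                      # CHL byte + header + secured data
    return bytes([0x02, 0x70, 0x00]) + cpl.to_bytes(2, "big") + bytes([chl]) + header + body


def run_samples() -> dict[str, str]:
    """Classify constructed traffic (not captured messages); returns name -> verdict."""
    samples = {
        "probe_over_intl_ss7": Sms("intl-signalling", 0x7F, 0xF6, build_command(0x11)),
        "single_des_por_from_gateway": Sms("ota-gateway", 0x7F, 0xF6, build_command(0x11)),
        "aes_command_from_gateway": Sms("ota-gateway", 0x7F, 0xF6, build_command(0x12)),
        "text_from_aggregator": Sms("smpp-aggregator", 0x00, 0x00, b"Hello", has_udh=False),
    }
    return {name: classify(sms)[0] for name, sms in samples.items()}
```

Calling `run_samples()` blocks the probe arriving over the international signalling link and the single-DES proof-of-receipt request, while passing the AES-keyed command from the OTA platform and ordinary text from an aggregator. The second rule is the editor's extension of the article's block filter: because SPI and KID travel in the clear, a firewall can recognise the exact request pattern that makes a legacy SIM return a DES-signed error, without decrypting anything.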

Protecting the SIM

In light of this research the GSMA has also issued a series of guidelines to mobile operators and SIM vendors who could be at risk. What is key is for MNOs to implement a strategy quickly and effectively to block this potential threat and protect their subscribers. Karsten Nohl has stated that five of the operators he had spoken to had initiated a fix to the problem before his presentation commenced. So whilst it appears that some have already started the process of securing the SIM, there are still millions in the market that are vulnerable to attack, with the subscribers themselves unaware they are at risk.
