Karsten Nohl, an expert cryptographer with Security Research Labs, has found a new way to trick your mobiles into giving in security information like the users location, SMS functions and access to the users voicemail number. Nohl will be presenting his research on, "Rooting SIM cards" in the Black Hat security conference in the US on July 31.
According to a brief preview posted on Nohl's company blog: “The research has found that most SIM's support weak encryption from the 1970s called DES (Data Encryption Standard). The research found that it is easy to target mobiles with DES and discover the private key of the mobile.”
In his experiment, Nohl sent a binary code over SMS to a device with DES. The mobile could not run the message as the binary code wasn't properly cryptographically signed. The phone's SIM rejected the message and sent over an SMS with the error code which has the phone's encrypted 56-bit private key.
Once the company gets the private key of the phone, it is very easy to get the information from the mobile phone. Security Research Labs was able to access the key in less than two minutes through a regular computer with the help of a rainbow table.
The company outlined a scenario where using the SIM's private key, an attacker could download Java applets to the SIM. Through the applets the hackers would be able to send SMS, or change voicemail numbers and much more.
Security Research Labs also added that possible solutions for the problem include that the SIM cards have the latest cryptography technology and with the help of Java virtual machines the applets access can be restricted to certain information.
Source: Indian Express