hackers can gain access to mobile phones with old SIM cards. Worldwide mobile phone owners are affected up to half a billion. Who uses old maps, they should be replaced immediately. From Benedict Fuest
One Republic at the weekend has become vulnerability in the encryption of SIM cards for mobile phones worldwide affects up to half a billion mobile phone users. The International Telecommunication Union (ITU) will, according to U.S. media reports, so now more than 200 mobile operators worldwide officially warn against the use of SIM cards with the outdated DES encryption standard, and urge them to secure their wireless networks against hacker attacks on the phones of their customers .
German customers should not be affected by the hack rare to: Check the “world” answered the German Telekom and Vodafone and E-Plus, that employed by them cards are backed by recent standards for several years. Telefónica Germany (O2) check if customers are affected with old SIM cards, a spokeswoman said.
German users are reported to be at risk only if they are logged on with old cell phones with SIM cards of the first generation in unsecured foreign networks.
had discovered the gap in the Berlin security researcher Karsten Nohl. He had warned several months ago that mobile operators that millions of SIM cards hold a potentially serious loophole for attackers ready.
SMS as a gateway
The weakness lies in the technology due to which the mobile operator to update the maps on their networks or set: In the so-called silent SMS OTA (Over-the-Air ), companies can play some new software on the SIM card, query or update data network key. This SMS will not be displayed on the mobile phone of the user.
To make sure that the SIM card only accept OTA SMS, the network operator, this sign their control signals depending on your SIM card according to three different encryption standards. The catch: The oldest of the three standards, DES, originally from the 70s, it is no longer safe
A current, optimized decryption tasks on home PC requires only a few minutes by means of a pre-key table to crack the DES encryption of a target SIM. With the key – so Nohl explained in his blog – savvy hacker can send yourself authentically signed updates on the mobile phones of unsuspecting users, and copy about their SIM card data ??p>.
explosive access to cell phone
Then the attacker can spend their victims as in mobile networks themselves, their intercept calls and SMS or authenticate via the mobile phone. This is controversial because the mobile phone is now being used more and more often to the contactless payment or to receive SMS or online banking to hedge mail services such as Gmail using one-time passwords.
Worse, the SIMs are own little computer, and allow the installation of special mini-applications based on the Java programming language. Because the Java environment on SIM cards is also patchy, hackers can easily play your own programs on the card according to Nohl. These programs run with hidden, can forward the location or connection data of the victim to the hacker.
attacker could also use the stolen data call their own fee-based value-added services or send relevant SMS and driving in this way the mobile phone bill at the height of their victims.
particular in developing countries are also increasingly mobile credit than cash compensation. With a copied SIM hackers could easily transfer those credits to their own accounts.
developing countries particularly affected
Since in these countries also most likely outdated SIM technology is used, the vulnerability for users in the developing and emerging countries is particularly critical. Here, the mobile operators have to respond best to the warning of the ITU.
The German providers have reacted to the warning Nohl’s already a few weeks ago: now they filter all OTA SMS in their nets on authenticity. If the control-SMS are sent from an unknown device, and do not pass the reconciliation with internal databases, it is deleted and the sender is blocked immediately.
A Vodafone spokesman said that the operators also play automatically updates on all the cards. If a user searches for years to dig out an old SIM again and activate automatically once new software would receive without the gap.
Also GSM encryption cracked
Since the basic technology of mobile networks from the 70 – and 80-years comes the SIMs with DES technology are not the only weak point. Also, the GSM standard for encrypted transmission of telephone calls has long cracked, so calls can be relatively easy to listen to.
Security expert Nohl demonstrated in 2009 that it is possible to eavesdrop on telephone conversations with relatively simple means via the GSM network and locate the location of the phone. He had calculated together with other programmers with 40 commercially available computers after three months the corresponding key.
© Axel Springer AG 2013. All rights reserved