Before we break out the tinfoil hats, let’s start with the basics. A SIM (Subscriber Identification Module) is the small card slides into the back of many smartphones on the market. It acts as on official identifier, telling your cell phone provider that your mobile phone belongs to you, and allows it to use your phone and data service.
According to the Security Research announcement, Nohl discovered a flaw in older versions of the DES encryption found on some SIM cards. Nohl was able to send a fake text message pretending to be a mobile carrier with a fake encryption code. In 75% of the tests, the phone correctly determined the message was not real and ignored it. In the remaining 25% of the cases, the phone responded to the fake text message with its encrypted digital signature. — a signature that gives a hacker the ability to send malware to infect the phone, or perform other unwanted actions.
So, what does this mean to you, and your smartphone? Let’s take a look at it closer.
One important thing to understand is that the announcement does not include full details of the flaw, and that the research won’t become available until the BlackHat security conference on July 31st. Until then, there’s going to be a lot of wild speculation on the full impact. Another important thing to note is that the hack is designed to exploit older DES encryption schemes, versus the more modern (and secure) triple-DES protection available on more than half of currently available SIM cards. And even amongst older DES encrypted SIMs, less than a quarter of them were vulnerable.
Nohl said he believes 750 million out of the billions of mobile phones used today may be vulnerable to this exploit. The GSM Association has been given information around the flaw, which has been passed on to mobile carriers. According to Nohl, it will take criminals at least six months to make use of the flaw, time that will be spent implementing fixes on the affected cards.
The important thing? Don’t panic. This will be addressed, and fixed. Check with your local service provider on whether this impacts you or not. As this story develops, we’ll keep you posted.