SIM card encryption flaw leaves phones open to remote hacking

Your Subscriber Identity Module, better known as the SIM card, is susceptible to remote hacking. With SIM card cloning making the news now and again, most people are probably aware of this. And as far as regular folks are concerned, network operators do warn subscribers to avoid picking up calls from strange or unknown numbers. But here’s why you should be more concerned about this problem:

A recent report by Security Research Labs has some troubling things to reveal to anyone who thinks the data on their NFC-capable smartphone with mobile wallet services is safe in their pocket. Even where they are not built to store payment details, SIM cards guard the ‘mobile identity’ of the user and link handsets to their specific numbers. The point is that their extensibility (the ability to be upgraded) via custom Java software is said to create a hacking opportunity for troublemakers.


Most modules apparently employ DES keys to deliver cryptographically secured over-the-air (OTA) commands such as software updates. Exploiting this flaw, an attacker can obtain the 56-bit DES OTA key by sending a binary SMS to a would-be victim’s phone and getting back an error code that conveys the required cryptographic signature. The cracked DES key then unlocks the possibility of remotely cloning the SIM card and retrieving stored payment credentials, the user’s mobile identity and so on.
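For operators checking their own OTA platform, here is an added example (not from SRLabs or the original article) that flags command headers selecting single-DES keys. The KIc/KID bit layout and header field order are assumed from ETSI TS 102 225; the function names and sample packets are constructed for illustration, and the check looks only at which keys a header selects.

```python
# Added example: flag OTA command headers that select single-DES keys.
# Field layout is an assumption taken from ETSI TS 102 225, not the article.
ALGO = {0: "implicit", 1: "DES", 2: "reserved or AES", 3: "proprietary"}
DES_MODE = {0: "single DES (CBC)", 1: "3DES, 2 keys",
            2: "3DES, 3 keys", 3: "single DES (ECB)"}

def decode_key_byte(value, is_kid=False):
    """Decode a KIc/KID byte into (key_index, description, weak)."""
    algo, mode, index = value & 0b11, (value >> 2) & 0b11, value >> 4
    if algo != 1:
        # Algorithm is not visible in the header: needs manual review.
        return index, ALGO[algo], False
    if is_kid and mode == 3:
        return index, "reserved", False  # ECB is not defined for KID
    return index, DES_MODE[mode], mode in (0, 3)

def audit_header(hex_packet):
    """Parse CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) and judge the keys."""
    raw = bytes.fromhex(hex_packet)
    # CHL covers SPI..PCNTR (13 bytes) plus any checksum or signature.
    if len(raw) < 10 or raw[2] < 13 or len(raw) < 3 + raw[2]:
        raise ValueError("truncated or malformed command header")
    kic = decode_key_byte(raw[5])               # ciphering key selector
    kid = decode_key_byte(raw[6], is_kid=True)  # signing key selector
    return {"tar": raw[7:10].hex(), "kic": kic, "kid": kid,
            "weak": kic[2] or kid[2]}

# Constructed sample headers (not captured traffic); 8-byte checksum zeroed.
TAIL = "000000" + "0000000001" + "00" + "00" * 8  # TAR, CNTR, PCNTR, CC
SAMPLES = {
    "legacy-des":  "0016" + "15" + "1221" + "11" + "11" + TAIL,
    "3des":        "0016" + "15" + "1221" + "15" + "15" + TAIL,
    "des-signing": "0016" + "15" + "1221" + "25" + "21" + TAIL,
}

def audit_all(samples=SAMPLES):
    """Return the names of samples that rely on a single-DES key."""
    return sorted(n for n, p in samples.items() if audit_header(p)["weak"])

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(name, audit_header(packet))
```

The "des-signing" sample is the case closest to the flaw described above: ciphering uses 3DES, but the signing key is still single DES.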

Since an estimated 7 billion SIM cards are said to be in use all across the globe, the ability to remotely hack into them could leave a worrying amount of personal data open to exploitation. Hopefully, the SRLabs study, which is set to be presented at BlackHat on July 31st and at OHM2013 on August 3rd, will force the right authorities to pay heed to the issue.