SIM cards are the "de facto trust anchor" of mobile devices, Security Research Labs wrote in its most recent blog post. And yet, added the German firm, it's found a way, with just two Short Message Service (SMS) texts, to break into a mobile phone and steal information, listen in on calls and even make purchases.
SRL estimates that more than 7 billion SIM cards are in active use today and "many, if not most" rely on '70s-era technology that it found crackable in just days.
Once figured out, SRL founder Karsten Nohl told The New York Times in an interview reported July 21, the process can be accomplished in two minutes, from an everyday computer.
"We can remotely install software on a handset that operates completely independently from your phone," Nohl told the Times. "We can spy on you. We know your encryption keys for calls. We can read your [SMSes]. More than just spying, we can steal data from the SIM card, your mobile identity, and charge your account."
Nohl found he was able to discover a SIM's digital key by sending an SMS text masquerading as one sent by the phone's wireless carrier. Most of the time, the Times reported, the phones recognized that the message carried a false signature and broke off the communication; but 25 percent of the time the phones responded with an error message that included their own digital signature, which was enough for Nohl to work out the SIM's digital key.
Nohl and his colleagues owned the phones that the hack was tried on.
SRL plans to release the full findings of the two-year study it conducted with the GSM Association on Aug. 1 at the Black Hat security conference in Las Vegas.
In the blog post, however, it did offer three points of advice.
First, SRL wrote, SIM cards need to use state-of-the-art cryptography with "sufficiently long keys, should not disclose signed plaintexts to attackers and must implement secure Java virtual machines." While some cards already do, many still don't.
Second, including an SMS firewall on phones could address "other abuse scenarios."
Lastly, it advises that networks implement filtering practices.
"Remote attackers rely on mobile networks to deliver binary SMS to and from victim phones," the firm said in its post. "Such SMS should only be allowed from a few known sources, but most networks have not implemented such filtering yet."
The Times report said that Gemalto, a Dutch maker of SIM cards, has been working closely with the GSM Association and received an early outline of Nohl's report.
It added that Nohl said he doesn't plan to identify the operators whose SIM cards performed poorly in his study. But at the Chaos Communication Congress, a hacker event scheduled to take place in Germany in December, he does plan to publish a list of the SIM card security used by various operators.