DES vulnerability of SIM cards. Is there any reason for concern?


Yesterday an article was published on Habr: "750 million mobile phones are vulnerable to attackers because of insufficiently protected SIM cards." Habr was one of many online resources that published information about the vulnerability found in SIM cards. The news spread like lightning: a Google search for "750 million SIM cards" returns 159,000 results. In this article I will try to describe in more detail what this vulnerability threatens and whether there is any reason for concern.

Hacked 750 million mobile phones. Really?


My work is closely connected with SIM cards, so yesterday I received more than a dozen links to various articles on this subject from colleagues, friends and acquaintances. Unfortunately, when journalists write on such topics, they "slightly" distort the essence. Whether this happens by accident (due to the small number of specialists in this field who could give an expert assessment) or on purpose (in pursuit of high ratings), some articles are written so menacingly that any mobile phone user cannot help but feel there is reason for concern.

Example No. 1
A screaming headline on utro.ru reports that 750 million cell phones have already been hacked.


Example No. 2
vesti.ru reports that every fourth SIM card can be infected with a virus.


Example No. 3
"750 million SIM cards are easy to crack by SMS." I very much doubt that there are many craftsmen for whom this would really be easy.


In reality, the problem is not as terrible as the reporters of respected publications would have us believe.

Some technical details


This is not a virus that infects SIM cards. A virus, first and foremost, replicates on its own. Here, exploiting the vulnerability does not let one SIM card gain remote access to another, so this is not a virus but a remote attack on a SIM card.

A remote attack is possible only on cards that simultaneously meet the following conditions:
  1. The card supports OTA (over-the-air), a technology that allows a SIM card to be controlled remotely by sending it special binary messages. Using these messages, operators can
    • change the SIM menu and write new content-provider offers to the card
    • change the network name displayed on the phone screen (some operators used this trick during rebranding)
    • write to the card a list of networks for priority registration in roaming, etc.
  2. The card supports the PoR function. PoR (proof of receipt) is a function that, in response to an OTA message, sends back the result of the command. In practice, not all SIM cards support this feature.
  3. The OTA message is encrypted using the DES algorithm.

Reading SMS, sending SMS or making calls from the victim's SIM card is possible only if the card supports Java Card. Java Card is a special programming language that allows standard applications to be created for SIM cards.

SIM cards with Java support cost slightly more than SIM cards with the same amount of memory but without it, which is why many operators do not buy Java cards.

How great is the danger and is it possible to avoid hacking?


There are three ways to protect against this attack:
  1. Malicious OTA messages can be filtered at the network level. A kind of firewall is used which, as messages pass through the SMS centre, cuts off SMS with characteristic features, so malicious messages are simply not delivered to the victim's number (SIM card).
  2. Updating SIM cards using OTA messages. Depending on the card type, the operator can remotely switch the DES algorithm to 3DES on your SIM card, block the installation of Java applets on the SIM, etc.
  3. Physically replacing the SIM card with a newer SIM that cannot be subjected to the described attack.
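As an added example (not part of the original article), here is a small filter of the kind described in protection method 1, applied to the three conditions listed in the previous section: it decodes the SPI, KIc and KID octets of an SMS-PP OTA command-packet header as laid out in the public TS 03.48 specification and flags messages that request a PoR while using single DES for the ciphering key (KIc) or the integrity key (KID). The packets are constructed samples with dummy TAR and counter values; the build_packet helper and the verdict names are my own.

```python
import struct

# TS 03.48 key-set octets: b1-b2 = algorithm, b3-b4 = DES mode, b5-b8 = key set number.
_KIC_MODES = {0: "DES-CBC", 1: "3DES-2key", 2: "3DES-3key", 3: "DES-ECB"}
_KID_MODES = {0: "DES-CBC", 1: "3DES-2key", 2: "3DES-3key", 3: "reserved"}
SINGLE_DES = {"DES-CBC", "DES-ECB"}

def key_algorithm(octet: int, is_kid: bool = False) -> str:
    """Decode a KIc (ciphering) or KID (integrity) octet into its algorithm name."""
    alg = octet & 0b11
    if alg == 0b01:                      # 01 = DES family, mode selected by b3-b4
        return (_KID_MODES if is_kid else _KIC_MODES)[(octet >> 2) & 0b11]
    return {0: "implicit", 2: "reserved", 3: "proprietary"}[alg]

def parse_command_header(packet: bytes) -> dict:
    """Fixed part of a 03.48 command packet: CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3)."""
    if len(packet) < 10:
        raise ValueError("too short for a 03.48 command header")
    cpl, chl, spi1, spi2, kic, kid = struct.unpack(">HBBBBB", packet[:7])
    if cpl != len(packet) - 2 or chl < 13:   # CHL covers SPI..PCNTR (13 bytes) plus RC/CC/DS
        raise ValueError("inconsistent CPL/CHL")
    return {"cpl": cpl, "chl": chl, "spi1": spi1, "spi2": spi2,
            "kic": kic, "kid": kid, "tar": packet[7:10].hex()}

def assess(packet: bytes) -> tuple:
    """Return (verdict, reasons): 'drop' if a PoR is requested for a message protected
    with single DES, 'warn' for single DES without a PoR request, otherwise 'allow'."""
    h = parse_command_header(packet)
    reasons = []
    # SPI octet 1: b1-b2 = 10 cryptographic checksum / 11 digital signature; b3 = ciphering on.
    if (h["spi1"] & 0b11) in (0b10, 0b11) and key_algorithm(h["kid"], True) in SINGLE_DES:
        reasons.append("single-DES integrity key (KID)")
    if h["spi1"] & 0b100 and key_algorithm(h["kic"]) in SINGLE_DES:
        reasons.append("single-DES ciphering key (KIc)")
    por = h["spi2"] & 0b11               # SPI octet 2: 00 no PoR, 01 always, 10 on error only
    if not reasons:
        return "allow", reasons
    if por in (0b01, 0b10):
        reasons.append("PoR requested" + (" (on error only)" if por == 0b10 else ""))
        return "drop", reasons
    return "warn", reasons

def build_packet(spi1, spi2, kic, kid, tar=bytes(3), data=b"") -> bytes:
    """Constructed sample packet: dummy TAR, zeroed 5-byte CNTR and PCNTR, dummy 8-byte CC."""
    header = bytes([spi1, spi2, kic, kid]) + tar + bytes(5) + bytes(1) + bytes(8)
    body = bytes([len(header)]) + header + data
    return struct.pack(">H", len(body)) + body
```

Calling assess(build_packet(0x12, 0x2A, 0x11, 0x11)) models a checksum-protected message with a single-DES KID and "PoR on error" set, which is the combination the filter drops; swapping the KID for a 3DES key set (0x15) makes the same message pass.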

Fortunately for many SIM card holders, Karsten Nohl is a so-called "white hat" hacker. After discovering the vulnerability (about 3 months ago), Mr. Nohl reported it to the GSM Association, which in turn notified mobile operators. Thus the operators had enough time to analyze the possible threat and take measures to prevent it.
