Feeds

Mobe SIM crypto hijack threatens millions: Here's HOW IT WORKS

You'll kick yourself when you know how

SANS - Survey on application security programs

Analysis A German researcher reckons he can take control of your phone's SIM card and hijack the handset by cracking the encryption on the device.

But he's not alone: network operators have long been able to do just that, and a careful look at how that's possible makes the long-standing security of GSM phone networks all the more remarkable.

GSM networks are secured by shared secrets. A unique cryptographic key is issued to each subscriber and embedded in their phone's SIM card; a copy of that key is held by the network allowing mutual authentication by symmetric encryption (the same key is used at both ends).

Despite successful assaults on other parts of the GSM infrastructure those private keys have remained beyond the grasp of hackers, at least until now.

Pedigree security researcher Karsten Nohl has apparently discovered two unrelated flaws in implementations of the GSM standard that (when combined) could leave millions of SIM cards vulnerable to attack. Such attacks could permit call interception, and threaten the security of NFC applications (such as pay by wave) just as the tech is on the cusp of going mainstream.

Getting the secret key off a SIM isn't easy - but increases in computing power have combined with poor implementations to create the first flaw exploited by Nohl, which reveals the secret key that should be known only to the network operator and the SIM.

Nohl's crack uses an SMS message addressed to the SIM, and unseen by the user. This is normal enough; these messages come in four classes (0-3) addressed to the user, the handset, the SIM, and a tethered device respectively. Class 0 is the one we all know and love, but Class 2 (addressed to the SIM) remains surprisingly popular even if the other classes are all but forgotten.

The most common Class 2 message contains changes to the list of preferred roaming partners, to reflect new deals between operators, but the Global Platform standard permits anything, even the entire operating system, to be changed using signed Class 2 messages.

Such radical updates are rare, but they have happened and are secured using that shared secret, so knowledge of the key confers significant power.

This should already be setting off alarm bells

Nohl's crack starts with a malformed Class 2 message. Anyone can send such a message using a software SMS Centre (SMSC), or even an old handset as some permitted a user-selected class. That message is rejected by the receiving SIM as it's not signed, usually the message is just discarded but some SIMs apparently respond with a digitally signed error message that can be used to reveal their secret key.

Digital signatures shouldn't reveal the keys used to sign them; that would defeat the object, but in this case it seems that some do.

The digital signature sent over with the error message is a one-way hash: a fixed-length summary of the message that is generated by the phone using the secret key.

This allows the receiver of the message to verify it is genuine and trustworthy: the receiver calculates a hash value using its copy of the secret key and the received message data. If that calculated value matches the hash included with the message then all is well - the secret keys at both ends must match.

But Nohl's team has a rainbow table to deduce the secret key from the signature.

The error message is a standard one - it doesn't change between handsets - so by generating a list of every possible key value, a rainbow table of every possible hash value can be calculated for this one particular message. So an attacker simply takes the signature from the phone and looks it up in the rainbow to discover the secret key.

Every bit of a key doubles the size of the rainbow table, and such techniques rapidly become impractical as keys get bigger, but some older SIMs are using 56-bit keys and old-style DES encryption which combines to make the rainbow technique viable, and where that happens the secret key can be quickly discovered.

Once you have the key, you can start signing your own command SMS messages to control a targeted mobile.

What can be done?

Operators can change the SIMs, and update the encryption, but users are surprisingly reluctant to slot a new SIM into their handsets - they become quite emotional about it, proud to be using decades-old chippery, which stalls upgrade programmes. It's also expensive - adding a dollar to the cost of the SIM may seem like a small deal, but when a network has 10 million customers it becomes a significant expense.

Quite how many SIMs are using 56DES we don't know; Kohl reckons to have tried a thousand over the last year or two and discovered a quarter are vulnerable. There's no easy way to discover if a specific SIM is using 56DES, the operators store the information along with the keys, but the SIM won't talk about the subject.

Armed with a key our miscreant can reprogram the SIM to do just about anything - redirect SMS messages, change the preferred network operator, run up enormous bills to premium-rate numbers and authenticate payments through services such as PayForIt. Modern SIMs can request an internet connection, furnished by the handset and generally without user interaction, through which our attacker can cause all sorts of mischief - though to get at the users' bank details he'll need Nohl's second flaw.

Almost all SIMs (and credit cards) use JavaCard, a relation of Java still owned by Oracle, but having little in common with the cross-platform interpreted language beyond a bit of syntax. JavaCard is an operating system, not a language, and one which keeps applications (Cardlets, in the parlance) separated so they can't talk to each other.

Nohl claims to have found a flaw in that separation, though he won't be making the details public until next month's Black Hat conference. Combining that flaw with possession of the secret key makes for a potent combination - pay-by-bonk applications, such as the one being launched by EE later this year, rely on the hitherto sacrosanct separation of JavaCard apps, so they'll be a good deal of interest in Nohl's talk from hat wearers of all colours.

GSM authentication, as opposed to encryption, has proved amazing resilient over the years. A fix for this problem will likely turn up pretty quickly with the ITU and GSMA falling over themselves to be associated with the solution, but if it needs replacement SIMs then that will be a longer process.

Operators should be quick to send out new SIM cards to customers still using 56DES, but the JavaCard vulnerability may prove harder to patch and we'll get you details of that just as soon as we can. ®

SANS - Survey on application security programs

More from The Register

next story
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Leaked pics show EMBIGGENED iPhone 6 screen
Fat-fingered fanbois rejoice over Chinternet snaps
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
True optical zoom coming to HTC smartphone cameras
Time to ditch that heavy DSLR? Maybe in a year, year and a half
Rounded corners? Pah! Amazon's '3D phone has eye-tracking tech'
Now THAT'S what we call a proper new feature
Leaked photos may indicate slimmer next-generation iPad
Will iPad Air evolve into iPad Helium?
Feast your PUNY eyes on highest resolution phone display EVER
Too much pixel dust for your strained eyeballs to handle
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.