Mobe networks hacked phones to fix SIM hijack flaw, says bug-finder

Bloke keeps schtum after JavaCard weakness exploited to squash it

A terrifying weakness at the heart of global mobile phone security has turned into a damp squib: networks scrambled so fast to patch the flaw that the researcher behind the discovery isn't making the details public.

It's claimed five carriers pushed out fixes to their customers by exploiting the bug.

The flaw was supposed to leave millions of GSM handsets vulnerable to a hijacking attack carried in a simple SMS message. That attack exploited weak encryption, poor process control and an undisclosed JavaCard bug to take control of the SIM card and ultimately the handset. Only, it turns out the cryptography isn't weak, the process is controlled and the undisclosed flaw remains undisclosed.

The story broke last month, with headlines about hundreds of millions of phones being vulnerable to attack and more details promised at the Black Hat hacking conference when security researcher Karsten Nohl would reveal all.

Our own analysis - praised for its accuracy by Nohl - pointed out that the number of SIMs still using the relatively weak 56-bit DES cryptography was open to debate. Follow-up questions confirmed that European operators have moved to the stronger Triple DES, and anyone who's replaced a SIM in the last decade is probably safe. (Replacing every SIM would have turned into a financial nightmare for the networks.)

The poor process - SIMs replying to a malformed or badly signed over-the-air SMS with a digitally signed error message - is the other unknown. That signed reply hands an attacker a message and its checksum under the card's own over-the-air key, which is exactly the starting point needed to attack a 56-bit DES key offline; how many SIMs do this is unclear, though in his testing Nohl found a good number in the field still exhibiting the behaviour.
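To make the combination concrete, here is an added toy model of that over-the-air command channel. It is constructed for this article and is not code from SRLabs, Nohl or any operator: the message layout, the status bytes, the checksum (a truncated HMAC-SHA256) and the 16-bit key are all placeholders, and the names LeakySim, HardenedSim, recover_key and attack are invented. It assumes the leaked material is a (message, checksum) pair under the card's key. A real SIM uses a DES or 3DES based checksum on ETSI TS 102 225 messages, and with a 56-bit DES key an attacker would reach for precomputed tables rather than the loop below; the tiny key here just lets the brute force finish in well under a second.

```python
"""Toy model of a SIM's over-the-air (OTA) command channel.

Constructed example; not the real OTA format, not the real checksum and not
the real key size. A 16-bit key stands in for single DES so the brute force
below finishes quickly and the *shape* of the attack is visible.
"""
import hashlib
import hmac
import secrets

KEY_BITS = 16                  # toy keyspace; real single DES is 56 bits, 3DES 112 or 168
KEY_BYTES = (KEY_BITS + 7) // 8
TAG_LEN = 8                    # 64-bit checksum, the length used by the real format


def mac(key: bytes, msg: bytes) -> bytes:
    """Stand-in for the OTA cryptographic checksum (NOT the real algorithm)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class LeakySim:
    """Card that answers a badly signed command with a *signed* error.

    This is the 'poor process': the error reply is a (message, checksum) pair
    under the card's OTA key, which is all an offline key-recovery attack needs.
    """

    def __init__(self, key: bytes) -> None:
        self.key = key

    def handle(self, header: bytes, payload: bytes, tag: bytes):
        if hmac.compare_digest(mac(self.key, header + payload), tag):
            reply = header + b"\x00" + payload     # status 0x00 = executed (constructed)
        else:
            reply = header + b"\x01"               # status 0x01 = bad checksum (constructed)
        return reply + mac(self.key, reply)        # error path is signed too: that is the leak


class HardenedSim(LeakySim):
    """Same card, but a failed check is dropped: nothing signed leaves the card."""

    def handle(self, header: bytes, payload: bytes, tag: bytes):
        if not hmac.compare_digest(mac(self.key, header + payload), tag):
            return None
        reply = header + b"\x00" + payload
        return reply + mac(self.key, reply)


def recover_key(msg: bytes, tag: bytes, key_bits: int = KEY_BITS):
    """Offline brute force over the toy keyspace from one leaked (msg, tag) pair."""
    nbytes = (key_bits + 7) // 8
    for k in range(1 << key_bits):
        cand = k.to_bytes(nbytes, "big")
        if mac(cand, msg) == tag:
            return cand
    return None


def attack(sim, header: bytes = b"\x0d\x00\x00\x01", payload: bytes = b"INSTALL evil.cap"):
    """Probe with a garbage checksum, harvest the signed error, recover the key, forge a command.

    Returns the card's reply to the forged command, or None when the card gave
    the attacker nothing to work with.
    """
    probe = sim.handle(header, payload, bytes(TAG_LEN))
    if probe is None:
        return None
    msg, tag = probe[:-TAG_LEN], probe[-TAG_LEN:]
    key = recover_key(msg, tag)
    if key is None:
        return None
    return sim.handle(header, payload, mac(key, header + payload))


if __name__ == "__main__":
    k = secrets.token_bytes(KEY_BYTES)
    print("leaky card:   ", attack(LeakySim(k)))      # forged command executed
    print("hardened card:", attack(HardenedSim(k)))   # None: no signed error to crack
```

The hardened card models only the process half of the fix; the other half is the key. Setting KEY_BITS to 56 in this toy makes recover_key hopeless as a loop but still well within reach of a rainbow table, which is the point of the Triple DES migration in the paragraph below.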

But the most interesting part of Nohl's research was the alleged flaw in JavaCard, which would let an attacker break out of one applet on the SIM into others that the JavaCard runtime is supposed to keep apart.

JavaCard is a smartcard runtime that executes a cut-down subset of Java: no strings, no floating point, no dynamic class loading, and a virtual machine small enough to fit on a SIM. It is used on almost all SIMs, and a good proportion of credit cards too, and the separation it provides is central to the idea of having more than one function on a single chip: a SIM can contain an app for connecting to a GSM phone network using the subscriber's secret authentication key (Ki); an NFC pay-by-wave app with sensitive banking details; and an operator-provided show-my-prepaid-balance app - none of which is supposed to be able to reach the others' data, a separation enforced by the runtime's applet firewall rather than by separate chips.

Nohl claimed to have broken the barrier between those apps, and that he would tell all at the Black Hat conference in Las Vegas this month. Instead he's told CNN that US operators have been so fast to issue a patch - based on his own work - that there's no point even discussing the discovered vulnerability and everyone can get back to their lives as usual.

"They [the mobile networks] are adopting hacking methods to make it more secure," Nohl was quoted as saying at a press conference. "Abusing the Java vulnerabilities to update the [SIM] card is the neatest outcome of this."

One might ask about other operators around the world, and how exactly the flaw was exploited in order to deliver a fix to the lucky US customers who no longer have to worry about it. If it weren't for Nohl's pedigree one might even wonder if the whole thing weren't the creation of a fevered imagination, or if he'd been leant on to play down the true risk.

But Nohl, of Security Research Labs in Germany, broke GPRS encryption and reverse-engineered a smartcard cipher by photographing the chip under a microscope, so he knows his stuff and has proved willing to share it in the past. We've dropped him a line in the hope of getting more details about the vulnerability that apparently isn't one any more, but in the meantime feel free to stop panicking now. ®
