Mobe networks hacked phones to fix SIM hijack flaw, says bug-finder

Bloke keeps schtum after JavaCard weakness exploited to squash it

A terrifying weakness at the heart of global mobile phone security has turned into a damp squib: networks scrambled so fast to patch the flaw that the researcher behind the discovery isn't making the details public.

It's claimed five carriers pushed out fixes to their customers by exploiting the bug.

The flaw was supposed to leave millions of GSM handsets vulnerable to a hijacking attack carried in a simple SMS message. That attack exploited weak encryption, poor process control and an undisclosed JavaCard bug to take control of the SIM card and ultimately the handset. Only, it turns out the cryptography isn't weak, the process is controlled and the undisclosed flaw remains undisclosed.

The story broke last month, with headlines about hundreds of millions of phones being vulnerable to attack and more details promised at the Black Hat hacking conference when security researcher Karsten Nohl would reveal all.

Our own analysis - praised for its accuracy by Nohl - pointed out that the number of SIMs still using the relatively weak 56-bit DES cryptography was open to debate. Follow-up questions confirmed that European operators have moved to the stronger Triple DES, and anyone who's replaced a SIM in the last decade is probably safe. (Replacing every SIM would have turned into a financial nightmare for the networks.)

The poor process, which saw SIMs responding to a malformed SMS with a digitally signed error message that leaked sensitive data about the user, is another unknown - though in his testing Nohl discovered a good number of SIMs in the field still exhibiting this behaviour.

But the most interesting part of Nohl's research was the alleged flaw in JavaCard, which would allow an attacker to jump between software on the SIM normally separated by the hardware.

JavaCard is an OS, sharing only some syntax with the Java language. JavaCard is used on almost all SIMs, and a good proportion of credit cards too, and the separation it provides is central to the idea of having more than one function on a single chip: a SIM can contain an app for connecting to a GSM phone network using the subscriber's private key; an NFC pay-by-wave app with sensitive banking details; and an operator-provided show-my-prepaid-balance app - none of which can interact with each other for security and privacy reasons.

Nohl claimed to have broken the barrier between those apps, and that he would tell all at the Black Hat conference in Las Vegas this month. Instead he's told CNN that US operators have been so fast to issue a patch - based on his own work - that there's no point even discussing the discovered vulnerability and everyone can get back to their lives as usual.

"They [the mobile networks] are adopting hacking methods to make it more secure," Nohl was quoted as saying at a press conference. "Abusing the Java vulnerabilities to update the [SIM] card is the neatest outcome of this."

One might ask about other operators around the world, and how exactly the flaw was exploited in order to deliver a fix to the lucky US customers who no longer have to worry about it. If it weren't for Nohl's pedigree one might even wonder if the whole thing were the creation of a fevered imagination, or if he'd been leant on to play down the true risk.

But Nohl, of Security Research Labs in Germany, broke the GPRS session key and used a microscope to read the cryptographic key off a smartcard, so he knows his stuff and has proved willing to share it in the past. We've dropped him a line in the hope of getting more details about the vulnerability which isn't any more, but in the meantime feel free to stop panicking now. ®
