Mobe networks hacked phones to fix SIM hijack flaw, says bug-finder

Bloke keeps schtum after JavaCard weakness exploited to squash it

A terrifying weakness at the heart of global mobile phone security has turned into a damp squib: networks scrambled so fast to patch the flaw that the researcher behind the discovery isn't making the details public.

It's claimed five carriers pushed out fixes to their customers by exploiting the bug.

The flaw was supposed to leave millions of GSM handsets vulnerable to a hijacking attack carried in a simple SMS message. That attack exploited weak encryption, poor process control and an undisclosed JavaCard bug to take control of the SIM card and ultimately the handset. Only, it turns out the cryptography isn't weak, the process is controlled and the undisclosed flaw remains undisclosed.

The story broke last month, with headlines about hundreds of millions of phones being vulnerable to attack and more details promised at the Black Hat hacking conference when security researcher Karsten Nohl would reveal all.

Our own analysis - praised for its accuracy by Nohl - pointed out that the number of SIMs still using the relatively weak 56-bit DES cryptography was open to debate. Follow-up questions confirmed that European operators have moved to the stronger Triple DES, and anyone who's replaced a SIM in the last decade is probably safe. (Replacing every SIM would have turned into a financial nightmare for the networks.)

The poor process, which saw SIMs responding to a malformed SMS with a digitally signed error message that leaked sensitive data about the user, is another unknown - though in his testing Nohl discovered a good number of SIMs in the field still exhibiting this behaviour.

But the most interesting part of Nohl's research was the alleged flaw in JavaCard, which would allow an attacker to jump between software on the SIM normally separated by the hardware.

JavaCard is an OS, sharing only some syntax with the Java language. JavaCard is used on almost all SIMs, and a good proportion of credit cards too, and the separation it provides is central to the idea of having more than one function on a single chip: a SIM can contain an app for connecting to a GSM phone network using the subscriber's private key; an NFC pay-by-wave app with sensitive banking details; and an operator-provided show-my-prepaid-balance app - none of which can interact with each other for security and privacy reasons.

Nohl claimed to have broken the barrier between those apps, and that he would tell all at the Black Hat conference in Las Vegas this month. Instead he's told CNN that US operators have been so fast to issue a patch - based on his own work - that there's no point even discussing the discovered vulnerability and everyone can get back to their lives as usual.

"They [the mobile networks] are adopting hacking methods to make it more secure," Nohl was quoted as saying at a press conference. "Abusing the Java vulnerabilities to update the [SIM] card is the neatest outcome of this."

One might ask about other operators around the world, and how exactly the flaw was exploited in order to deliver a fix to the lucky US customers who no longer have to worry about it. If it weren't for Nohl's pedigree one might even wonder whether the whole thing was the creation of a fevered imagination, or whether he'd been leant on to play down the true risk.

But Nohl, of Security Research Labs in Germany, broke the GPRS session key and used a microscope to read the cryptographic key off a smartcard, so he knows his stuff and has proved willing to share it in the past. We've dropped him a line in the hope of getting more details about the vulnerability which isn't any more, but in the meantime feel free to stop panicking now. ®
