According to The New York Times, German security researcher Karsten Nohl has found a huge security flaw in an encryption used by mobile SIM cards currently operating in billions of cell phone devices around the world. The flaw in question is only applicable to cards that use the Data Encryption Standard (DES), an old standard that many SIM card manufacturers have stopped using altogether.
Nohl found out that sending a fake carrier message to certain phones would initiate a response in a quarter of all DES SIM cards that revealed their 56-bit security keys, thus allowing Nohl to send that phone a virus via text message, as well as acting as the phone’s legal owner, which meant reading text messages and making carrier payments.
Even creepier is that this whole process only took “about two minutes.”
While DES SIM cards are being used in around 3 billion phones globally, Nohl’s discovery only affects about 25%, or 750 million of those phones, but that’s still 750 million users who are at risk of having their devices overtaken by malicious hackers.
Since the big flaw announcement, the GSM Association (the association responsible for the GSM cell phone standard, the standard that uses SIM cards) has notified SIM card manufacturers, who are currently brainstorming ways to fix the problem. I just wonder how the problem will be fixed without having to issue 750 million new SIM cards. Here’s hoping for the best.
[via The Verge]