With the NSA leaks going full force, it probably won’t sound like news at all that a German cryptographer claims to have hacked a SIM card. But that’s never been done before (as far as we know…), so it’s kind of a big deal, and it shows that millions of phones are potentially vulnerable.
The founder of Security Research Labs in Berlin, Karsten Nohl, studied the encryption methods in thousands of SIM cards to figure out how a hacker could find the card’s unique 56-digit access key. The vulnerability he discovered could impact as many as 750 million phones and would open them to call surveillance, fraudulent purchases and even a type of identity theft. Nohl told Forbes:
“Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it.”
In addition to compromising access keys, Nohl discovered a flaw in the “sandboxing” technique that keeps sensitive data separate on SIM cards. By sending a binary SMS to a number of phones, he can collect data that eventually allow him to break through the encryption on some of the phones. Each vulnerability Nohl identified only applies to certain SIM cards, but in the wrong hands they could endanger a large percentage of the SIM cards in use right now.
Though Nohl isn’t officially presenting his findings until the Black Hat security conference in Las Vegas on July 30, he did share them with the GSM Association. A spokeswoman, Claire Cranton, told the New York Times:
“We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted.”