Outdated technology in SIM cards is leaving millions of mobile users open to remote attacks, according to Berlin's Security Research Labs.
SRLabs revealed the security issues in a statement online, warning that the flaws could let hackers root the cards and infect mobile phones with mobile malware using a multi-stage attack strategy.
"With over seven billion cards in active use, SIMs may well be the most widely used security token in the world. Through over-the-air (OTA) updates deployed via SMS, the cards are even extensible through custom Java software. While this extensibility is rarely used so far, its existence already poses a critical hacking risk," read the statement.
The company said that in the first stage of the attack the hacker recovers the DES [Data Encryption Standard] key used to sign the SIM's over-the-air (OTA) software updates. "To derive a DES OTA key, an attacker starts by sending a binary SMS to a target device. The SIM does not execute the improperly signed OTA command, but does in many cases respond to the attacker with an error code carrying a cryptographic signature, once again sent over binary SMS. A rainbow table resolves this plaintext signature tuple to a 56-bit DES key within two minutes on a standard computer."
The firm claimed that once the key is cracked, the attack can exploit a flaw in the card's Java applet handling to infect the device with malware. "The cracked DES key enables an attacker to send properly signed binary SMS, which download Java applets onto the SIM. Applets are allowed to send SMS, change voicemail numbers and query the phone location, among many other predefined functions. These capabilities alone provide plenty of potential for abuse," read the statement.
"In principle, the Java virtual machine should assure that each Java applet only accesses the predefined interfaces. The Java sandbox implementations of at least two major SIM card vendors, however, are not secure: a Java applet can break out of its realm and access the rest of the card. This allows for remote cloning of possibly millions of SIM cards including their mobile identity – IMSI [International Mobile Subscriber Identity], Ki [Subscriber Identification Key] – as well as payment credentials stored on the card."
The firm said the flaw could in theory be fixed by better SIM cards with stronger cryptographic signature keys, preinstalled SMS firewalls, and in-network SMS filtering designed to stop hackers delivering binary SMS messages to and from victims' phones.
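The first stage described above hinges on one behaviour: a card that answers an improperly signed command with a signed error hands an unauthenticated sender a plaintext/tag pair computed under the OTA key, which is what makes a 56-bit DES key recoverable by table lookup. The following is an added example, not SRLabs' code or any vendor's implementation, modelling that response logic in Python with the weak and hardened behaviours side by side. It assumes a toy command format, a constructed key, and HMAC-SHA256 truncated to 8 bytes standing in for the DES-based MAC; the status codes, `SimOtaHandler` and `probe_leaks_keyed_tag` are hypothetical names for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed key for the demo, not a real OTA key. The scheme discussed in the
# article used a 56-bit DES key; HMAC-SHA256 truncated to 8 bytes stands in so
# the example runs on a stock interpreter. The lesson does not depend on the MAC.
OTA_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Hypothetical status codes for the toy response format.
STATUS_OK = 0x00
STATUS_BAD_SIGNATURE = 0x01


def ota_mac(key: bytes, data: bytes) -> bytes:
    """8-byte tag over an OTA message, the length a DES-based MAC would give."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


@dataclass
class OtaResponse:
    status: int
    tag: Optional[bytes]  # keyed tag over the response, or None if unsigned


class SimOtaHandler:
    """Toy model of how a SIM handles a binary (OTA) SMS command."""

    def __init__(self, key: bytes, sign_errors: bool):
        self.key = key
        self.sign_errors = sign_errors  # True reproduces the weak behaviour
        self.executed: list[bytes] = []

    def handle(self, command: bytes, tag: bytes) -> Optional[OtaResponse]:
        expected = ota_mac(self.key, command)
        if hmac.compare_digest(expected, tag):
            # Properly signed: execute and acknowledge under the key.
            self.executed.append(command)
            body = bytes([STATUS_OK]) + command
            return OtaResponse(STATUS_OK, ota_mac(self.key, body))
        if self.sign_errors:
            # Weak: the sender chose `command`, so status||command is a known
            # plaintext and the tag is a keyed value over it. With a 56-bit key
            # that pair is exactly what a precomputed table resolves.
            body = bytes([STATUS_BAD_SIGNATURE]) + command
            return OtaResponse(STATUS_BAD_SIGNATURE, ota_mac(self.key, body))
        # Hardened: an unauthenticated sender gets nothing keyed back.
        return None


def probe_leaks_keyed_tag(handler: SimOtaHandler) -> bool:
    """Defender's check: does a bogus, unsigned command produce a keyed tag
    over sender-chosen data? True means the card leaks table-lookup material."""
    bogus_command = b"\xd0\x00"  # constructed: arbitrary bytes, no valid signature
    bogus_tag = bytes(8)
    response = handler.handle(bogus_command, bogus_tag)
    return response is not None and response.tag is not None


if __name__ == "__main__":
    for sign_errors in (True, False):
        card = SimOtaHandler(OTA_KEY, sign_errors=sign_errors)
        print(f"sign_errors={sign_errors}: leaks keyed tag? "
              f"{probe_leaks_keyed_tag(card)}")
```

The hardened variant only changes what happens on a failed signature check: the command is still rejected in both cases, but the card no longer computes anything under its key for a message it could not authenticate. Stronger keys, as the article's mitigations list, close the same gap from the other side by making the leaked pair useless even when it is returned.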
The full research on the SIM security flaw is due to be presented by SRLabs' Karsten Nohl at the Black Hat conference in Las Vegas on 31 July. SRLabs is one of many companies to report finding massive security holes in mobile phones' security systems. Bluebox Security reported finding a master key flaw in Google's Android operating system. The key reportedly left 99 percent of all Android smartphones open to attack. Google has since released a patch for the flaw.