Mobe SIM crypto hijack threatens millions: Here's HOW IT WORKS

You'll kick yourself when you know how


Analysis A German researcher reckons he can take control of your phone's SIM card and hijack the handset by cracking the encryption on the device.

But he's not alone: network operators have long been able to do just that, and a careful look at how that's possible makes the long-standing security of GSM phone networks all the more remarkable.

GSM networks are secured by shared secrets. Each subscriber's SIM carries cryptographic keys known only to the card and to the network operator: the network uses them to check that the subscriber is who they claim to be and to sign the management messages it sends to the card. The same key sits at both ends (symmetric cryptography), so whoever holds it can play either side of the conversation.

Despite successful assaults on other parts of the GSM infrastructure, those secret keys have remained beyond the grasp of hackers, at least until now.

Pedigree security researcher Karsten Nohl has apparently discovered two unrelated flaws in implementations of the GSM standard that (when combined) could leave millions of SIM cards vulnerable to attack. Such attacks could permit call interception, and threaten the security of NFC applications (such as pay by wave) just as the tech is on the cusp of going mainstream.

Getting a secret key off a SIM isn't easy, but increases in computing power have combined with poor implementations to create the first flaw exploited by Nohl, which reveals a key that should be known only to the network operator and the SIM: the one used to sign over-the-air management commands.

Nohl's crack uses an SMS message addressed to the SIM, and unseen by the user. This is normal enough: the SMS standard defines four message classes (0-3), addressed to the user's screen, the handset, the SIM, and a tethered terminal respectively. Class 0 is the nearest thing to the text message we all know and love, but Class 2 (addressed to the SIM) remains surprisingly popular even if the other classes are all but forgotten.

The most common Class 2 message carries changes to the list of preferred roaming partners, to reflect new deals between operators, but the GlobalPlatform card-management standard, riding on the GSM over-the-air (OTA) message format, permits almost anything on the card to be changed using signed Class 2 messages, up to and including the applications loaded on it.

Such radical updates are rare, but they have happened, and they are secured using that shared secret, so knowledge of the key confers significant power.

This should already be setting off alarm bells

Nohl's crack starts with a malformed Class 2 message. Anyone can send such a message using a software SMS Centre (SMSC), or even an old handset, since some let the user pick the message class. The receiving SIM rejects the message because it isn't correctly signed. Usually it is simply discarded, but some SIMs apparently reply with a digitally signed error message, and that signature can be used to reveal their secret key.
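What such a SIM-addressed message looks like on the wire, as an added example that is not part of the original article or of Nohl's work: the Python below decodes the message class from the SMS data coding scheme byte, splits the over-the-air command packet header (the GSM 03.48 format that carries these signed commands) into its fields, and flags the combination the attack relies on, a single-DES signing key together with a request for a signed proof of receipt (PoR). The sample bytes, including the checksum and command body, are constructed for illustration and are not a real operator message.

```python
"""Decoding a Class 2 (SIM-addressed) SMS that carries an over-the-air command.
Added example, not code from the article or from Nohl's research. The message
class comes from the TP-DCS byte (GSM 03.38); the secured command packet is
laid out per GSM 03.48 / ETSI TS 102 225. SAMPLE_* values are constructed for
illustration: the checksum and command body in them are placeholders."""

INTEGRITY = {0: "none", 1: "RC", 2: "CC", 3: "DS"}   # redundancy check / crypto checksum / signature
COUNTER = {0: "no counter", 1: "counter not checked",
           2: "counter must increase", 3: "counter must increase by one"}
POR = {0: "no PoR", 1: "PoR always", 2: "PoR on error only", 3: "reserved"}
KEY_ALG = {0: "implicit", 1: "DES", 2: "reserved", 3: "proprietary"}
KIC_MODE = {0: "single DES CBC", 1: "3DES two-key", 2: "3DES three-key", 3: "single DES ECB"}
KID_MODE = {0: "single DES CBC", 1: "3DES two-key", 2: "3DES three-key", 3: "reserved"}


def sms_class(tp_dcs: int):
    """Message class 0-3 carried by a TP-DCS byte, or None when the DCS has no class."""
    group = tp_dcs >> 4
    if group & 0xC == 0:                       # general data coding group 00xx
        return tp_dcs & 0x3 if tp_dcs & 0x10 else None
    if group == 0xF:                           # "data coding / message class" group 1111
        return tp_dcs & 0x3
    return None                                # message-waiting groups carry no class


def parse_command_packet(pkt: bytes) -> dict:
    """Split a GSM 03.48 command packet into its header fields and payload."""
    cpl = int.from_bytes(pkt[0:2], "big")      # length from CHL to end of packet
    chl = pkt[2]                               # length from SPI to end of RC/CC/DS
    if len(pkt) != cpl + 2 or chl < 13 or cpl < chl + 1:
        raise ValueError("malformed command packet")
    spi1, spi2, kic, kid = pkt[3], pkt[4], pkt[5], pkt[6]
    return {
        "integrity": INTEGRITY[spi1 & 0x3],
        "ciphered": bool(spi1 & 0x4),
        "counter_mode": COUNTER[(spi1 >> 3) & 0x3],
        "por": POR[spi2 & 0x3],
        "por_integrity": INTEGRITY[(spi2 >> 2) & 0x3],
        "por_ciphered": bool(spi2 & 0x10),
        "kic_alg": KEY_ALG[kic & 0x3],
        "kic_mode": KIC_MODE[(kic >> 2) & 0x3] if kic & 0x3 == 1 else "n/a",
        "kic_keyset": kic >> 4,
        "kid_alg": KEY_ALG[kid & 0x3],
        "kid_mode": KID_MODE[(kid >> 2) & 0x3] if kid & 0x3 == 1 else "n/a",
        "kid_keyset": kid >> 4,
        "tar": pkt[7:10].hex(),                # toolkit application reference
        "counter": int.from_bytes(pkt[10:15], "big"),
        "padding_count": pkt[15],
        "rc_cc_ds": pkt[16:3 + chl].hex(),
        "secured_data": pkt[3 + chl:],
    }


def weaknesses(hdr: dict) -> list:
    """Header settings that matter for the attack described above."""
    found = []
    if hdr["kid_alg"] == "DES" and hdr["kid_mode"].startswith("single DES"):
        found.append("single-DES signing key: a 56-bit key space, small enough for precomputed tables")
    if hdr["por"] != "no PoR" and hdr["por_integrity"] in ("CC", "DS"):
        found.append("signed proof of receipt requested: the card's reply carries a MAC under the operator key")
    if hdr["counter_mode"] in ("no counter", "counter not checked"):
        found.append("no replay protection: a captured command can be resent")
    return found


# Constructed sample: TP-PID 0x7F (SIM data download), TP-DCS 0xF6 (8-bit data,
# class 2), then a command packet asking for a CC-signed PoR under single-DES key set 1.
SAMPLE_TP_PID = 0x7F
SAMPLE_TP_DCS = 0xF6
SAMPLE_PACKET = bytes.fromhex(
    "001A"              # CPL = 26
    "15"                # CHL = 21
    "12"                # SPI1: CC required, counter must increase, not ciphered
    "09"                # SPI2: PoR always, PoR signed with CC
    "11" "11"           # KIc / KID: DES, single-DES CBC, key set 1
    "000000"            # TAR (constructed)
    "0000000005"        # CNTR
    "00"                # PCNTR
    "1122334455667788"  # CC (placeholder, not a real checksum)
    "A0A40000"          # secured data (placeholder)
)

if __name__ == "__main__":
    print("TP-PID 0x%02X, message class %s" % (SAMPLE_TP_PID, sms_class(SAMPLE_TP_DCS)))
    header = parse_command_packet(SAMPLE_PACKET)
    for name, value in header.items():
        print(f"{name:14} {value}")
    for warning in weaknesses(header):
        print("!", warning)
```

On a real handset the packet sits inside the SMS user data behind a user-data header, and the card only processes it when the protocol identifier says SIM data download (0x7F) and the class is 2. Note that the SPI bits are chosen by whoever sends the message, so the defence has to be on the card side: a card that declines to answer an unauthenticated command with a signed proof of receipt gives the attacker nothing to look up.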

Digital signatures shouldn't reveal the keys used to make them; that would defeat the object. In this case, though, it seems that some do.

The "signature" on the error message is really a message authentication code (MAC): a fixed-length cryptographic checksum computed over the message by the SIM using the secret key.

This lets the receiver verify the message is genuine: it recomputes the checksum using its own copy of the secret key and the received data. If the result matches the checksum that came with the message, all is well, since the keys at both ends must match.

But Nohl's team has a rainbow table to deduce the secret key from that checksum.

The error message is a standard one, identical across cards, so the checksum depends only on the key. That means every possible key can be tried in advance against this one fixed message and the results stored in a rainbow table (a compressed form of that precomputation, trading storage for a little lookup time). The attacker then takes the checksum from the card's reply and looks it up in the table to discover the secret key.

Every extra bit of key length doubles the key space the table must cover, so the technique rapidly becomes impractical as keys get bigger. But some older SIMs still sign with single DES, whose 56-bit key is small enough for the rainbow table approach to be viable, and where that is the case the secret key can be recovered quickly.

Once you have the key, you can start signing your own command SMS messages to control a targeted mobile.
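The key-recovery step and the forgery that follows it, as an added example in Python that is not from the article or from Nohl's research. The keyed checksum is a stand-in (HMAC-SHA256 cut to 8 bytes) for the card's DES-based one, the fixed error message and the attacker's command are constructed byte strings, and the key space is reduced from 56 bits to 20 so the table builds in a couple of seconds; the table construction, the lookup and the forged command are otherwise the real technique.

```python
"""Recovering a short signing key from one MAC over a fixed, known message with
a rainbow table, then forging a MAC on an attacker-chosen command.
Added example, not from the article or from Nohl's research. The keyed
function is a stand-in (HMAC-SHA256 truncated to 8 bytes) for the card's DES
checksum, and the key space is cut to 20 bits so the table builds quickly;
the mechanics are the same at 56 bits, only the cost grows."""
import hashlib
import hmac

KEY_BITS = 20                  # stand-in for DES's 56; each extra bit doubles KEY_SPACE
KEY_SPACE = 1 << KEY_BITS
CHAIN_LEN = 64                 # columns per chain
NUM_CHAINS = 2048              # chains stored; coverage is roughly NUM_CHAINS * CHAIN_LEN keys
FIXED_ERROR_MSG = b"\x00\x0e\x01\x01\x00\x00\x00\x09"   # constructed stand-in for the card's unchanging error reply


def mac(key: int, message: bytes) -> bytes:
    """Stand-in for the card's keyed checksum (DES CBC-MAC on a real SIM)."""
    return hmac.new(key.to_bytes(3, "big"), message, hashlib.sha256).digest()[:8]


def reduce_to_key(tag: bytes, column: int) -> int:
    """Fold a tag back into the key space; a different function per column limits chain merges."""
    return (int.from_bytes(tag, "big") + column) % KEY_SPACE


def start_key(chain_index: int) -> int:
    """Deterministic, well-spread chain start points."""
    return (chain_index * 0x9E3779B1) % KEY_SPACE


def chain_key(key: int, column: int) -> int:
    """Walk `column` steps along a chain that begins at `key`."""
    for col in range(column):
        key = reduce_to_key(mac(key, FIXED_ERROR_MSG), col)
    return key


def build_table() -> dict:
    """Precompute once, over the fixed message: chain end point -> start points.
    The same table then works against every card whose key lies in the covered space."""
    table = {}
    for i in range(NUM_CHAINS):
        s = start_key(i)
        table.setdefault(chain_key(s, CHAIN_LEN), []).append(s)
    return table


def recover_key(table: dict, observed_tag: bytes):
    """Find the key whose MAC over FIXED_ERROR_MSG equals observed_tag, or None."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # assume the key sat in column `col` of some chain; finish that chain from there
        k = reduce_to_key(observed_tag, col)
        for later in range(col + 1, CHAIN_LEN):
            k = reduce_to_key(mac(k, FIXED_ERROR_MSG), later)
        for s in table.get(k, ()):
            cand = s                           # regenerate the chain and test each key in it
            for c in range(CHAIN_LEN):
                if mac(cand, FIXED_ERROR_MSG) == observed_tag:
                    return cand
                cand = reduce_to_key(mac(cand, FIXED_ERROR_MSG), c)
    return None


def forge(key: int, command: bytes) -> bytes:
    """With the operator key in hand, sign any command the attacker likes."""
    return mac(key, command)


def card_accepts(card_key: int, command: bytes, tag: bytes) -> bool:
    """What the card does on receipt: recompute the checksum and compare in constant time."""
    return hmac.compare_digest(mac(card_key, command), tag)


if __name__ == "__main__":
    table = build_table()
    victim_key = chain_key(start_key(17), 9)      # a key the table is known to cover
    leaked_tag = mac(victim_key, FIXED_ERROR_MSG) # the signed error the card hands back
    found = recover_key(table, leaked_tag)
    print("recovered" if found == victim_key else "miss", hex(found or 0))
    cmd = b"\xA0\xA4\x00\x00\x02\x3F\x00"         # constructed attacker command
    print("card accepts forged command:", found is not None and card_accepts(victim_key, cmd, forge(found, cmd)))
```

Two things to notice. The table is built once against the fixed message and then serves against every card that signs that message with a key in the covered space, which is why a standard, never-changing error response is such a gift to the attacker. And the cost is governed by the key size alone, since each extra key bit doubles KEY_SPACE: that is the whole difference between a single-DES key set and a 3DES or AES one.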

What can be done?

Operators can change the SIMs, and update the encryption, but users are surprisingly reluctant to slot a new SIM into their handsets - they become quite emotional about it, proud to be using decades-old chippery, which stalls upgrade programmes. It's also expensive - adding a dollar to the cost of the SIM may seem like a small deal, but when a network has 10 million customers it becomes a significant expense.

Quite how many SIMs are using 56-bit DES we don't know; Nohl reckons to have tried a thousand over the last year or two and found a quarter of them vulnerable. There's no easy way to discover whether a specific SIM is using it: the operators store that information along with the keys, but the SIM itself won't talk about the subject.

Armed with a key, our miscreant can reprogram the SIM to do just about anything: redirect SMS messages, change the preferred network operator, run up enormous bills to premium-rate numbers and authenticate payments through services such as PayForIt. Modern SIMs can request an internet connection, furnished by the handset and generally without user interaction, through which our attacker can cause all sorts of mischief, though to get at the user's bank details he'll need Nohl's second flaw.

Almost all SIMs (and many payment cards) use Java Card, a relation of Java still owned by Oracle but having little in common with the cross-platform interpreted language beyond a subset of its syntax and bytecode. Java Card is a runtime platform as much as a language, and one which keeps applications (applets, or cardlets in the parlance) separated so they can't talk to each other.

Nohl claims to have found a flaw in that separation, though he won't be making the details public until next month's Black Hat conference. Combining that flaw with possession of the secret key makes for a potent combination: pay-by-bonk applications, such as the one being launched by EE later this year, rely on the hitherto sacrosanct separation of Java Card apps, so there'll be a good deal of interest in Nohl's talk from hat wearers of all colours.

GSM authentication, as opposed to encryption, has proved amazingly resilient over the years. A fix for this problem will likely turn up pretty quickly, with the ITU and GSMA falling over themselves to be associated with the solution, but if it needs replacement SIMs then that will be a longer process.

Operators should be quick to send out new SIM cards to customers still using 56-bit DES, but the Java Card vulnerability may prove harder to patch, and we'll get you details of that just as soon as we can. ®
