Rooting SIM Cards
SmartAboutThings writes "Smartphones are susceptible to malware and carriers have enabled NSA snooping, but the prevailing wisdom has it there's still one part of your mobile phone that remains safe and un-hackable: your SIM card. Yet after three years of research, German cryptographer Karsten Nohl claims to have finally found encryption and software flaws that could affect millions of SIM cards, and open up another route on mobile phones for surveillance and fraud."
Rooting? (Score:1, Offtopic)
"Rooting" has an entirely different meaning in New Zealand and Australia.
Re: (Score:1)
Re:Rooting? (Score:4, Funny)
Re: (Score:2, Funny)
If you happen to be talking about Android with an Aussie and you tell them they should "get rooted", you might end up with a fist sanga.
Re: (Score:1)
Or worse, a vegemite one.
Yes, I can hear the thunder.
Land of plenty? I think not!
The mistake most people make with vegemite is to use too much of the stuff... it's a strong flavour so you should spread it on VERY thin.
By the way I'd come to the land of the free as a tourist, but I'm afraid of my body being violated by the TSA, or being shot by your overzealous police. I hear your education system is falling apart and some of you that can't spell think tourist == terrorist.
Re: (Score:1)
Or a date :)
Re: (Score:2)
Yeah don't fucking tell us or anything you tosser.
Re: (Score:1)
This is why I will continue to use my trusted tin-cans-and-string private network.
Re: (Score:2)
Re: (Score:1)
The second link is the important one (Score:5, Interesting)
Yes, there actually is a JavaVM autonomously running inside the SIM card. Yes, the provider can install programs on the SIM card that interface with the phone through a standardized API. Yes, this hack enables the attacker to do the same. Yes, the JavaVMs are not secure and breaking out of the sandbox enables the attacker to read the master key which identifies the SIM. Yes, that means the attacker can run a software simulation of a SIM card with your secret SIM key and impersonate you vis-à-vis the network. Yes, all that is possible because some providers still deploy SIM cards that accept binary SMS which are signed with DES. Not 3DES, not AES, which are both in the standard as well, but 56 bit DE fucking S.
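Added example, not from the thread or from the researcher's work: a small audit routine that parses the security header of a SIM OTA command packet and flags single-DES key indicators and missing integrity protection, the weakness the post above describes. The field layout and the KIc/KID bit coding are taken from GSM 03.48 / ETSI TS 102 225 as assumed here; the sample packets are constructed.

```python
# Added example, not from the thread: audit the security header of a SIM OTA
# command packet and flag single-DES protection, the weakness described above.
# Field layout and KIc/KID bit coding follow GSM 03.48 / ETSI TS 102 225 as
# assumed here; verify against the spec before relying on them.
from dataclasses import dataclass

# KIc/KID byte: b2b1 = algorithm family, b4b3 = DES mode, b8..b5 = key index
_ALGO = {0b00: "implicit", 0b01: "DES", 0b10: "AES (later releases)", 0b11: "proprietary"}
_DES_MODE = {0b00: "single DES CBC", 0b01: "3DES two-key",
             0b10: "3DES three-key", 0b11: "single DES ECB"}

def describe_key_byte(b: int) -> str:
    """Readable algorithm/mode for a KIc or KID byte."""
    algo = _ALGO[b & 0b11]
    return _DES_MODE[(b >> 2) & 0b11] if algo == "DES" else algo

@dataclass
class OtaHeader:
    spi: int    # two security-parameter bytes
    kic: int    # ciphering key/algorithm indicator
    kid: int    # integrity key/algorithm indicator
    tar: bytes  # 3-byte toolkit application reference

def build_packet(spi: int, kic: int, kid: int, tar: bytes, payload: bytes) -> bytes:
    """Constructed sample packet: CPL(2) CHL(1) SPI(2) KIc KID TAR(3) CNTR(5)
    PCNTR(1) CC(8) data; counter, padding counter and checksum are zero placeholders."""
    header = spi.to_bytes(2, "big") + bytes([kic, kid]) + tar + bytes(5) + bytes(1) + bytes(8)
    body = bytes([len(header)]) + header + payload
    return len(body).to_bytes(2, "big") + body

def parse_header(pkt: bytes) -> OtaHeader:
    """Parse the fixed leading fields; CPL must cover everything after itself."""
    if len(pkt) < 10:
        raise ValueError("packet too short for a command header")
    if int.from_bytes(pkt[0:2], "big") != len(pkt) - 2:
        raise ValueError("CPL does not match packet length")
    return OtaHeader(int.from_bytes(pkt[3:5], "big"), pkt[5], pkt[6], pkt[7:10])

def weak_findings(h: OtaHeader) -> list:
    """Audit findings: 56-bit DES keys and missing integrity protection."""
    findings = []
    for name, b in (("KIc", h.kic), ("KID", h.kid)):
        desc = describe_key_byte(b)
        if desc.startswith("single DES"):
            findings.append(f"{name} key {b >> 4} uses {desc} (56-bit key)")
    # First SPI byte, b2b1: 00 none, 01 CRC only, 10 cryptographic checksum, 11 signature
    if (h.spi >> 8) & 0b11 < 0b10:
        findings.append("no cryptographic checksum or signature required on the packet")
    return findings
```

Run it over captured OTA traffic or a card profile export to list which key sets still rely on single DES; a clean run returns an empty list.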
Re:The second link is the important one (Score:5, Interesting)
On the other hand cheap Chinese SIMs are still issued in some countries. The only relief is that some of them don't support OTA at all...
Re: (Score:2)
So a crunchy exterior with a soft squishy middle.
Re: (Score:1)
Re:I'll tell you what helps too (Score:5, Insightful)
Who cares? The providers have the encryption keys anyway, whether they are single DES or AES. So the government can get access too if they want them and do all kinds of nasty tricks. Who else will use it? Some hacker who wants to call expensive paylines using your SIM card doesn't buy $100,000 worth of equipment to pull it off only to gain $1000.
Re: (Score:3)
Re: (Score:3)
It would be useful for identity theft. A lot of services use a text message or call to reset passwords.... I can think of 5 other things but I'll keep them to myself as I wouldn't want to add anything to the discussion...
Re: (Score:2)
If you've watched the GSM/GPRS stuff that this guy and others have done, you would know that it takes under $1,000 worth of equipment to emulate a cell tower. As soon as you do that, sending the binary SMS is easy. This enables a literal drive-by attack. Furthermore, my guess is that cell providers which are using vulnerable SIM cards are also running vulnerable networks. The second link talks about some networks allowing anyone who knows how to send binary SMS.
My question is how easy is it to
If it took a cryptographer three years (Score:1)
I think we're good
Re: (Score:3)
You'd be much more credible if you didn't use the word "sheeple".
Re: (Score:2)
Agreed: but then GP is obviously wiser than *all* the rest of us, and seems to assume that all the rest of us have an Xbox or whatever to boot.
It must be painful to be so much better than everyone else.
Rgds
Damon
Meanwhile at NSA HQ (Score:5, Funny)
So ... (Score:4, Funny)
how much longer until I can install Debian on my SIM card?
The title of this post... (Score:1)
Re: (Score:2)
As an Australian I can safely say the best and fastest way to root a SIM card is to stick it in the microwave oven for 10 seconds.
Re:The title of this post... (Score:4, Funny)
the best and fastest way to root a SIM card is to stick it in the microwave oven for 10 seconds
I'd bet there's a bunch of folks on /. who can beat your record.
Update a SIM? (Score:2)
Re: (Score:3)
The whole idea of having an update feature in a SIM seems foolish to me. Do they have the same thing in credit cards that have a chip?
Yeah, I don't get it either. I also don't get why people do the same thing with NFC tags. I was looking at getting some and was really surprised to see that the phone is used to store data on the tag, and then later this data is used to trigger some kind of phone action. It would make a lot more sense to just stick a dumb GUID on the NFC chip and then just do a DB lookup on the phone to see what to do when it is scanned.
Unnecessary complexity just leads to problems. The SIM card should just have a key b
Re: (Score:2, Informative)
There is a good and sound reason for writing the action instead of a GUID on the tag: compatibility. When the NFC spec was being designed, operators were heavily lobbying towards a system like the one you suggested, where a GUID would cause a lookup. Unfortunately, the way they wanted to do it was that *they* design what happens for the lookup, which would've resulted in a system where every NFC tag action would have been dependent on the operator that issued the tag and the phone. For example, going to a URL could force you
Re: (Score:2)
Oh, for something like a payment tag that makes a lot of sense. I don't like the idea of having to go to the NFC consortium or tag vendor to have to do a lookup.
I was referring more to tags that people put on things and program only to affect their own phone. If I want to associate a particular tag with turning on WiFi, why is it necessary to store "turn on wifi" in the tag, and what stops somebody else from storing "wipe phone" on the tag while I'm away from it?
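Added example, not from the thread: the two designs argued about above, side by side. The payload-driven handler performs whatever text the tag carries, so anyone who rewrites the tag picks the action; the identifier-driven handler uses the tag UID only as a key into a rule table kept on the phone and never interprets the payload. Tag records, rules and action names are constructed and hypothetical.

```python
# Added example, not from the thread: payload-driven vs identifier-driven NFC
# tag handling. Tag records, rules and action names are constructed sample data.
from dataclasses import dataclass

ALLOWED_ACTIONS = {"turn_on_wifi", "toggle_bluetooth", "set_silent"}

@dataclass
class Tag:
    uid: bytes    # chip serial, read-only on ordinary tags
    payload: str  # writable NDEF text record

def handle_payload_driven(tag: Tag) -> str:
    """Naive design: the tag contents are the instruction. Whoever can rewrite
    the tag chooses what the phone does the next time it is scanned."""
    return tag.payload.strip().lower()

def handle_identifier_driven(tag: Tag, rules: dict) -> str:
    """Safer design: the payload is never interpreted. The UID selects a rule the
    owner registered locally, and the rule must name an allowed action."""
    action = rules.get(tag.uid)
    if action is None:
        return "ignored: unknown tag"
    if action not in ALLOWED_ACTIONS:
        return "ignored: rule names an unknown action"
    return action

# Owner's rule table (lives on the phone) and three constructed tag reads:
# the tag as the owner wrote it, the same tag after someone else rewrote it,
# and a stranger's tag carrying a plausible-looking payload.
owner_rules = {bytes.fromhex("04a2b3c4d5e6f7"): "turn_on_wifi"}
honest_tag = Tag(bytes.fromhex("04a2b3c4d5e6f7"), "turn_on_wifi")
tampered_tag = Tag(bytes.fromhex("04a2b3c4d5e6f7"), "wipe_phone")
stranger_tag = Tag(bytes.fromhex("0411223344aabb"), "turn_on_wifi")
```

The UID is an identifier, not a secret: the lookup design defeats a rewritten payload, but a tag whose UID can be cloned would still match the owner's rule.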
Millions? (Score:4, Interesting)
So a very small percentage of all SIM cards then.
Re: (Score:2)
Actually, it's "several millions" in Germany alone. The worldwide estimate is more like half a billion, according to this [golem.de] Golem.de article (in German).
3 years of research? (Score:5, Insightful)
I clicked the link expecting to find something interesting and novel, perhaps something on par with Kocher's Differential Power Analysis attack, or better. But this guy spent three years to discover that there are a small number of ancient SIMs, not yet removed from service, which use 1DES for securing applet loading? Actually, I'm sure he did no such thing. Typical bad reporting, exacerbated by bad slashdot editing.
It looks to me like his talk is really about countermeasures to mitigate the risk for these ancient SIMs, on the assumption that they can't be replaced immediately. That's worthy of research and a talk, though it's hardly front-page material.
What's important? (Score:3)
The one unhackable part of your phone is the one that, if hacked, would enable you to defraud the phone company. Shows where the security priorities are, eh?
False premise: (Score:2)
Whoever wrote this - the summary or the original article - has a severe attack of journalistic diarrhoea. They can't distinguish between "unhacked" and "unhackable".
"Unhacked" means that no successful exploit has been reported; "unhackable" means that an attack is impossible. I heard of an "unhackable" computing device
Re: (Score:2)
So ... who is working on an Android firewall at the appropriate level? I see 48 demos, meetoos and other indistinguishable dreck.