A German researcher has uncovered a vulnerability
in mobile phone SIM cards not previously uncovered in the past 20 years, reports Forbes
. After three years of research, Karsten Nohl says that he has discovered encryption and software flaws that could potentially leave millions of devices at risk of a malicious attack. According to Nohl, two targeted SMS texts could allow a hacker to send premium text messages, re-direct and record calls and even undertake payment system fraud of NFC-equipped devices.
According to Nohl, the bug is the result of incorrectly configured Java card software that is old and out of date, combined with weak encryption keys. There is no way of knowing whether a SIM card has the vulnerable version of the software. In his testing he found that some shipments could be infiltrated, while others had newer code, protecting them from intrusion. Around a quarter of the SIM cards Nohl and his team tested were vulnerable, translating to around 500 million devices.
Nohl is preparing to present his findings to the annual Black Hat security conference coming up on July 31 in Las Vegas. While it is unlikely that the hack could have been uncovered prior to his work, Nohl says that it will take hackers up to six months to isolate and exploit the vulnerability. By then, Nohl expects that carriers will have patched the hole in vulnerable devices. Two carriers have already begun work on the task at hand and plan to share their fix through the GSMA, a wireless carrier industry association.