(BERLIN) — Some cell phones’ SIM cards are susceptible to attack, according to new research from Security Research Labs in Berlin.
Hackers can send a special type of SMS message (similar to a text message) that can fool cell phones and give the hacker free reign over the SIM card.
The SIM card (short for subscriber identification module) is more like a computer than a standard piece of hardware, with both memory and a central processor unit. “It’s a tiny computer that [usually] runs Java,” said Karsten Nohl, the Chief Scientist at Security Research Labs.
Whenever a company releases a SIM Card update, it does so using a binary SMS message. Unlike regular SMS messages that texters are familiar with, the binary SMS message is sent directly from the company to the SIM card. “It’s used a lot in manufacturing functions,” Nohl told ABC News.
Hackers first send out a binary SMS to the phone they are attacking. They receive an error message from the phone, but that error message is digitally signed with a cryptographic signature. The hacker can reverse engineer the signature to reveal a key, which can then be exploited to send their own text messages, change the phone’s voicemail number, or install their own apps on that phone. “All in all, the process takes about three minutes,” said Nohl.
Users who have been hacked won’t immediately know it. “You’ll know by the end of the month when your phone bill arrives,” said Nohl.
Though Security Labs Research made their first public statement Sunday, Nohl says that they have been talking with European wireless networks about implementing better security measures, like stronger encryption protocols and SMS firewalls. However, talking with the public puts additional pressure on companies to address and fix these flaws.
“Hopefully, our research was a reminder for companies to [upgrade their SIM card security],” he said. “It’s a hack with no casualties.”
Wireless providers in the United States have said that this hack isn’t likely to affect their customers. A T-Mobile spokesperson said, “T-Mobile SIMs use the newer ‘3DES’ technology, so customers will not be affected.”
An AT&T spokesperson added, “AT&T SIM profiles are in line with GSMA recommendations and have employed triple Data Encryption Standard (DES) for nearly a decade.”
Copyright 2013 ABC News Radio
Jose Pagliery, CNN
Alanna Petroff, CNN