07.22.13

The ‘Holy Grail’ of hackers: SIM card security breach threatens hundreds of millions of users

A significant security breach in SIM cards has been revealed, allowing attackers to take control of users’ phones and do whatever they please, without the user noticing.

Up until now, security breaches were discovered in certain operating systems such as Android, iOS or Windows Phone. Now, it turns out that there are security holes that do not depend on the operating system itself.

The security hole in question is located in the encryption technology of the SIM card and allows attackers to obtain the digital key and digitally alter the components of the card itself. This security hole could affect about 750 million users and allow eavesdropping on phone calls, remote purchases or impersonating the owner of the device.

When certain OTA commands are sent, an error message is received containing the unique encryption code that belongs to the device. The code can be decoded easily, and then attackers could control the device and do whatever they please, without the user even suspecting that something was wrong.

The bug is not present in every SIM card, but it is estimated to exist in about a quarter of SIM cards using the DES security standard – a standard that does not exist anymore in new cards but is still used by about 3 billion smartphone users with old cards. The biggest problem is that there is no easy way for users to know if their card is exposed or not.

Breaking into the device could take up to 2 minutes from any standard computer. Software that operates completely separately from the phone could then be remotely installed on the device, which in turn can spy on the user, obtain the encryption key for the calls, read SMS messages, steal SIM card information and charge the phone owner for multiple services.

While the cellular market leaders have announced that they are aware of the security hole and said that they are working to block it, there have been no reports of the breach being used or causing any damage… yet.