Security of SIM cards under threat? – mobile industry reaction

imgresThis week, an announcement from Security Research Labs caused a stir, claiming that SIM cards, the ubiquitous and generally regarded safe data storage lynchpin of mobile handsets, is in fact facing a critical hacking risk.  In particular, older generation SIM cards, estimated to number some 500-750 million in the wild, could be susceptible to infection by a virus that according to Forbes, could: send premium text messages, surreptitiously re-direct and record calls, and — with the right combination of bugs — carry out payment system fraud.

It has been noted that the issue is of particular concern in developing markets, particularly Africa where the older SIM technology is abundant and there is a large user base of potentially vulnerable mobile banking services.

With Security Research Labs’ Karsten Nohl set to present his research in full at the upcoming Black Hat Conference, we put the story to MEF members and the mobile industry for their thoughts on the ramifications of Nohl’s findings and what they could mean.

If you’d like to contribute a comment to this article the contact us at editorial@mefmobile.org

Vitaly Kamluk, Principal Security Researcher; Kaspersky Lab

“It’s too early to make conclusions – the research details are not published yet and will be disclosed at the Black Hat conference.  An estimated 500 million affected users is theoretical and based on analysis of 1000 SIM cards, which was extrapolated to the whole world.

We don’t have our own stats about possibly vulnerable SIM cards but while the hack scheme described by the research looks consistent, it would be complicated to perform a successful attack on arbitrary phones connected to arbitrary cell operators.

I think that it won’t become a serious issue for consumers, although I would recommend concerned persons, especially potential victims of high-profile targeted attacks, to contact cell phone providers and upgrade their SIM card with newer and more secure one, especially if your SIM is many years old.”

Carla Raffinetti, Senior Consultant; Preiskel & Co

“Karsten Nohl’s recent findings show that third parties can now obtain the encryption keys of older SIM cards without authorisation.  In many countries, it is illegal to hack into communications of any kind (such as traffic data or the contents of phone calls and messages).  However, law enforcement agencies can usually obtain access if they are granted permission by the law.  Where the information is encrypted, many jurisdictions allow them to compel the disclosure of the key in a limited range of circumstances. Therefore, in those countries where the statutory mechanisms to obtain communications from a mobile phone are already there, Nohl’s findings will probably not have much of an impact on law enforcement.  However, customers using legacy SIM cards may increasingly find themselves becoming the target of fraud by criminals.  This could be worrying for African consumers who are using mobile money systems and the like.”

matt_bbc

Matt Flint, Founder; Company Networking

“Over the past several years and even more so recently, we have seen a number of security risks with mobile phones and SIM cards. The problem we have nowadays is the technology we use is very similar to any modern day PC and therefore, there will always be individuals/criminals out there with the capability to hack into the device or SIM card.  As the number of users of smartphones increases daily and people rely on them more and more for everyday tasks, sending emails and more importantly personal banking the opportunity for criminals to commit online fraud and identity theft can be frightening.  I personally use my phone as a pin sentry to login to my online banking. If these statistics continue to increase then major phone developers will need to consider increasing the level of security on their handsets or perhaps it’s time to design something else?”

Alex Balan, Head of Product Management , BullGuard

“We’ve learned of the vulnerabilities to SIM cards and we want our customers to be aware of it too. Karsten Nohl’s research shows how you can trick a SIM card into exposing its encryption.  As a result, people could easily have their money stolen. Given that today there is something in the order of 7 billion connected mobile devices in the world it’s a serious threat.”

“Not all of these devices are vulnerable of course, but the threat does exist for a significant number of users. But not many people protect their mobile phones with security solutions. This reminds us of attitudes in the early 1990’s when computer viruses started appearing, yet few people felt inclined to install anti-virus software on their PCs. But this SIM exploit illustrates just how important it is to maintain security on all devices.  We recommend that people have strong mobile security software installed on their devices such as BullGuard Mobile Security. You should also check with your mobile provider to see whether your SIM card is vulnerable to this type of attack.”

Follow Alex and Bullguard on Twitter

Nigel Shaw, Product Director , Telsis

Nigel-Shaw-Telsis“At root this is not about one type of SIM, it is about the vulnerability of networks and phone users to SMS malware attacks. An OTA patch for the SIM weakness Nohl highlights will not fix the wider problem. What’s required is a way of stopping OTA malware attacks at the network entry point so that they can never reach target phones. Such a solution exists and has just been deployed by a network – even though the operator has no ‘Nohl’ SIMs in circulation.”

“The solution interrogates incoming messages to determine their real point of origin. Faked or spoofed addresses are detected, and the associated messages are trapped, so that the only OTA commands able to transit the network to reach handsets, irrespective of the type of SIM each handset carries, are genuine, and only from the operator itself. Not only does the solution protect against any malware attack via SMS, it also works in the same way to trap text spam.”

Follow Telsis on Twitter

To add your thoughts to this developing story contact us at editorial@mefmobile.org

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: