Has your identity been stolen from your Android device despite the security precautions that you have in place? The culprit may be your SIM card, as a flaw has been discovered that could allow hackers to take control of your phone. This bug was discovered by German firm Security Research Labs.
The International Telecommunications Union, a Geneva-based United Nations group that advises nations on cybersecurity, has assessed the research done on the flaw and has labeled it as hugely significant. ITU Secretary General Hamadoun Touré said in an interview that “These findings show us where we could be heading in terms of cybersecurity risks.” Because of this, the agency will be notifying the telecommunication regulators and governments in nearly 200 countries around the world.
Karsten Nohl, founder of Security Research Labs, said that the flaw is found in the Digital Encryption Standard encryption. Hackers will be able to obtain the 56 digit sequence key of a SIM card that uses this encryption, which allows the card to be modified. An estimated 750 million phones are vulnerable to this flaw.
Once the sequence key is obtained, hackers will be able to send a virus to the SIM card. This will allow eavesdropping on calls or allow mobile purchases with payments charged directly to the mobile account. Nohl added that “We can remotely install software on a handset that operates completely independently from your phone. We can spy on you. We know your encryption keys for calls. We can read your S.M.S.’s. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account.”
Security Research Labs researched this flaw for two years using 1,000 SIM cards running on North American and European networks. The SIM cards and phones used were owned by members of the team doing the research. Results show that one quarter of the SIM cards using D.E.S. had the flaw. All phones are affected by this flaw, including Apple’s iPhone, Google’s Android and BlackBerry devices.
Data shows that D.E.S. is being used in half of the six billion cellphones used on a day-to-day basis. This encryption technology was developed in the 1970s. Over the past years several operators have improved the security of this encryption by using Triple D.E.S.; however, there are still a lot of SIM cards using the older D.E.S. technology.
Nohl suggested that operators should phase out their SIM cards still using D.E.S. and upgrade them to cards using new and improved encryption standards. Consumers who are using SIM cards that are more than three years old have a high probability of using D.E.S. encryption and should have those cards replaced immediately by their respective carriers.
GSM Association spokeswoman Claire Cranton said that they have reviewed this issue: “We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted.” She further said that it is likely that only a few phones using the old encryption standard are affected.
CTIA Vice President John Marinho said that this new discovery posed no immediate threat. “We understand the vulnerability and are working on it. This is not what hackers are focused on. This does not seem to be something they are exploiting.”