Cracked encryption allows hackers to potentially clone your SIM, provided you are still using an outdated encryption protocol.
Over the weekend some news broke about an exploit that affects millions of phone users. Apparently, the encryption used has a flaw that allows a hacker to clone the encryption credentials of a SIM (Subscriber Identity Module) card, potentially allowing them to clone your SIM card and retrieve things like information about your plan and payments, or identify you on the network.
It sounds scary, and it is for the 500 million affected SIM cards in the wild. But like any good security scare worth its salt, there’s a lot more to the story than we’re hearing. Click through and we’ll talk about it a bit.
Source: Security Research Labs
How it works
An attacker can send a command that looks a lot like the command your carrier sends to let your phone know there is an over-the-air update ready. This command is invalid, because the attacker doesn’t have the correct encryption key. Your phone will then send back an error message that is signed with the correct encryption key. Once the potential hacker has this correctly signed message, they can use some software to brute-force crack the key and have a copy of their own. Using this valid key, a new message can be sent about an OTA, which your phone will download because the key is valid. This OTA can be an application that retrieves all your SIM card data, allowing the attacker to clone it.
With this cloned copy of your SIM, they can then authenticate themselves as you on the carrier network. Sounds frightening, right?
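The weak point in the exchange described above is that the card uses its secret key to sign a reply to a sender who never proved they hold that key. The sketch below is an added example, not code from Security Research Labs or any SIM vendor: it puts that behaviour beside a hardened handler. The function names, message bodies, the constructed key and the HMAC stand-in for the card's DES signature are all assumptions made for illustration.

```python
import hmac
import hashlib

# Constructed 8-byte secret standing in for a card's OTA signing key.
CARD_KEY = bytes.fromhex("0123456789abcdef")

def sign(key: bytes, message: bytes) -> bytes:
    # Assumption: truncated HMAC-SHA256 stands in for the card's DES-based signature.
    return hmac.new(key, message, hashlib.sha256).digest()[:8]

def handle_vulnerable(key: bytes, command: bytes, signature: bytes) -> dict:
    """Behaviour the article describes: a rejected command gets a signed error."""
    if hmac.compare_digest(sign(key, command), signature):
        return {"status": "accepted", "body": b"ok", "sig": sign(key, b"ok")}
    body = b"error: bad signature"
    return {"status": "rejected", "body": body, "sig": sign(key, body)}

def handle_hardened(key: bytes, command: bytes, signature: bytes) -> dict:
    """Hypothetical fix: never use the key on behalf of an unauthenticated sender."""
    if hmac.compare_digest(sign(key, command), signature):
        return {"status": "accepted", "body": b"ok", "sig": sign(key, b"ok")}
    return {"status": "rejected", "body": b"error", "sig": None}

def leaks_signed_reply(handler, key: bytes) -> bool:
    """True if a sender without the key receives a reply signed with the key."""
    reply = handler(key, b"constructed OTA command", b"\x00" * 8)
    if reply["status"] != "rejected" or reply["sig"] is None:
        return False
    # A valid signature over a known body is exactly what an offline key search needs.
    return hmac.compare_digest(reply["sig"], sign(key, reply["body"]))

if __name__ == "__main__":
    for handler in (handle_vulnerable, handle_hardened):
        print(handler.__name__, "leaks signed reply:",
              leaks_signed_reply(handler, CARD_KEY))
```

The hardened handler still accepts a correctly signed update; it only stops producing signatures for commands it has rejected.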
What we don’t know
There is one big ugly problem with all of this. The encryption method that can be broken, DES-56, was originally cracked in 1998 by the EFF. By now, nobody should be using a known broken encryption method. Of the seven billion plus SIM cards in existence, approximately 500 million are affected.
500 million of anything is a lot, but compared to 7 billion (with a b) it’s a small portion. The reports about this flaw all leave out the most vital information — who, exactly, can be affected by this exploit?
The folks who re-discovered the DES-56 crack, led by Karsten Nohl, chief scientist at Security Research Labs in Berlin, are giving a big talk about the exploit at the Black Hat conference in Vegas at the end of July. Until then, we don’t really have the details. We’ll let you know more when someone decides to tell us.
In the meantime, put the tin foil away. We’ll know all the fine print in about a week.