A new SIM card vulnerability, discovered after a painstaking three year research effort by German cryptographer and security whiz Karsten Nohl, could allow a potential hacker to send premium messages, record phone conversations and even make payments without the permission of the user.
The vulnerability could, theoretically, affect around one quarter of mobile phones worldwide. Those antiquated SIM cards using the old DES (Digital Encryption Standard) encryption are vulnerable to the attack, but before widespread panic ensures, Nohl has noted that said vulnerability is unlikely to be found and used within the next six months. Thus, this should give carriers enough time to protect users and safeguard their security and privacy, two of the most essential virtues of the digital consumer.
What’s striking about this particular vulnerability is just how covert the would-be imposter could be in obtaining such access to your sensitive data. The devices can be compromised after sending nothing more than a hidden SMS message, and considering how many potential portals a mobile phone can present to an unscrupulous individual, an outbreak of this vulnerability doesn’t bear thinking about.
Premium SMS flaws are a very common problem in the mobile industry, with victims often stitched up for hundreds or even thousands of dollars when their nasty surprise of a phone bill arrives. Worse still, the recording of a call to, say, your bank, would likely present all of the required details an imposter would need to clear your bank account out.
Nohl does not reckon cyber imposters have cottoned on to the flaw, and has estimated that this situation will not change for at least the next six months. Carriers are said to be working together to come up with a solution as swiftly as possible to avoid jeopardizing the security of users, and while such cooperation is usually a non-starter between rivals, the nature of this particular situation means it’s in the best interests of everybody to find a resolution as quickly as possible.
Most SIM cards are too new for this to ever be a problem, but with Nohl planning on presenting this vulnerability at this year’s Black Hat security conference, it serves to give everyone an insight on what sort of damage this flaw can cause.