
More on hackable SIM cards


Hundreds of millions of SIM cards (approximately 25%) still in use today rely on 1970s-era DES encryption, and these cards are susceptible to hijacking. Hijackers could not only access personal information and redirect and record phone calls, but also access payment information that has been stored on these cards.

In an attempt to settle mobile users’ minds, John Devlin, a practice director at ABI Research, said, “leading cards typically employ 3DES and AES, and, in some instances, PKI, as used in our e-passports,” but 1.75 billion cards in use could still be employing DES security. Most United States mobile users should be safe, but those outside of the United States should look into what kind of SIM card their phone is using.

Using field-programmable gate array (FPGA) clusters, hackers can decrypt the security on DES SIM cards within days. Hackers gain access to the SIM through over-the-air (OTA) updates, which are used by application vendors and OS developers. To hijack a device, a DES OTA key is required. This key can be obtained by sending a binary SMS message to the victim’s mobile device. Often, the SIM will automatically respond with an SMS containing an error code with a cryptographic signature. All it takes is a few minutes and that code can be decrypted. Following this, a properly signed binary SMS is sent to the device, which allows the hacker to download Java applets onto the device.

Another mistake that has been found is related to the weak encryption key. Sandboxing is a concept used by Java Cards, where pre-installed programs are hidden from the SIM card as well as one another. But in most of the SIM cards, this mechanism is broken. As a result, a virus sent to the SIM card will allow hackers to access payment applications by infecting Java software, forcing the software to process a command it can’t complete and granting the virus full access to payment memory.

AT&T and T-Mobile are currently working on solutions to patch these problems. Most of these DES SIM cards are in use in Africa, the Caribbean and India; however, your device could be using a DES SIM. Hackers are looking for new ways to access our information every day, but we must stay one step ahead of them. By updating our devices and security systems, we give ourselves the best chance to avoid becoming a victim of mobile hijacking.
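For operators checking which OTA key sets still select single DES rather than 3DES or AES, the following added example (not part of the original article) classifies the KIc/KID byte of an OTA security header. It assumes the byte coding from ETSI TS 102 225, which the article does not mention; the profile names and byte values are constructed sample data.

```python
# Added example: classify the KIc/KID byte of an OTA security header and
# flag profiles that still select single DES. Bit coding assumed from
# ETSI TS 102 225: bits 1-2 = algorithm family, bits 3-4 = DES mode,
# bits 5-8 = key index.

ALGO = {0b00: "implicit", 0b01: "DES-family", 0b10: "AES", 0b11: "proprietary"}
DES_MODE = {
    0b00: "single DES (CBC)",
    0b01: "3DES, two keys",
    0b10: "3DES, three keys",
    0b11: "single DES (ECB)",
}
WEAK = {"single DES (CBC)", "single DES (ECB)"}


def describe_key_byte(value):
    """Return (key_index, algorithm_label) for one KIc or KID byte."""
    if not 0 <= value <= 0xFF:
        raise ValueError("key identifier must be a single byte")
    key_index = value >> 4
    family = ALGO[value & 0b11]
    if family == "DES-family":
        # Only the DES family uses bits 3-4 to distinguish DES from 3DES.
        return key_index, DES_MODE[(value >> 2) & 0b11]
    return key_index, family


def audit(profiles):
    """Return names of profiles whose KIc or KID selects single DES."""
    findings = []
    for name, kic, kid in profiles:
        labels = {describe_key_byte(kic)[1], describe_key_byte(kid)[1]}
        if labels & WEAK:  # either ciphering or signing is weak
            findings.append(name)
    return findings


# Constructed inventory: (profile name, KIc byte, KID byte).
SAMPLE_PROFILES = [
    ("legacy-profile-A", 0x11, 0x11),  # single DES for both
    ("profile-B", 0x15, 0x15),         # 3DES with two keys
    ("profile-C", 0x12, 0x12),         # AES
    ("mixed-profile-D", 0x19, 0x1D),   # 3DES ciphering, single-DES signature
]

if __name__ == "__main__":
    for name in audit(SAMPLE_PROFILES):
        print("single DES still in use:", name)
```

A profile is flagged if either byte selects single DES, because the signature check (KID) is what the attack described above recovers the key from.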


