[intro] Leading researcher spots major security loophole in OTA updates to older SIM cards

Seasoned cellular security researcher Karsten Nohl is expected to reveal a potentially major security loophole in the OTA (over-the-air) update system used by GSM networks to update cellular SIM cards at the Black Hat conference in Las Vegas later this month.[/intro]

Precise details of the mechanics of the flaw are scarce, ITSP notes, but Nohl will reveal that he has discovered a method of tricking the SIM card – and the associated software on GSM handsets – into allowing access to the mobile’s location and SMS functions, and allowing changes to a person’s voicemail number.

The GSM Association claims that Nohl’s discovery only affects a limited number of SIM cards based on older technology.

This suggests that the cards are older SIM cards designed specifically for use in 2G (GSM) handsets, ITSP notes. Only a limited number of carriers and handsets allow these older-style SIM cards to be used in 3G mobiles.

According to Nohl, whilst the option exists to use state-of-the-art AES or the somewhat outdated Triple DES algorithm for over-the-air updates, many SIM cards rely on the DES encryption standard, which dates back to the 1970s.

DES keys, he says in his latest security posting, have been shown to be crackable within a few days, but they can also be cracked much faster by leveraging rainbow tables similar to those used against GSM’s A5/1 cipher.

Methodology

“To derive a DES OTA key, an attacker starts by sending a binary SMS to a target device. The SIM does not execute the improperly signed OTA command, but does in many cases respond to the attacker with an error code carrying a cryptographic signature, once again sent over binary SMS,” he says in his latest security posting.

A rainbow table then resolves this plaintext-signature data to a 56-bit DES key within two minutes on a standard computer.

The cracked DES key then, he says, allows an attacker to send properly signed binary SMS – which download Java applets onto the SIM.

Applets are allowed to send SMS, change voicemail numbers, and query the phone location, among a number of other pre-defined functions.

[quote] “In principle, the Java virtual machine should assure that each Java applet only accesses the predefined interfaces. The Java sandbox implementations of at least two major SIM card vendors, however, are not secure.” [/quote]

“A Java applet can break out of its realm and access the rest of the card. This allows for remote cloning of possibly millions of SIM cards including their mobile identity (IMSI, Ki) as well as payment credentials stored on the card,” he adds.

Solutions

There are, says Nohl, three primary defences against this SIM-based attack:

The first is enhanced SIM cards, which need to use state-of-the-art cryptography with sufficiently long keys, should not disclose signed plaintexts to attackers, and must implement secure Java virtual machines. Whilst some cards already come close to this objective, the years needed to replace vulnerable legacy cards warrant supplementary defences, he notes.

The second methodology centres on a handset SMS firewall, with an extra layer of security ensuring that the mobile only trusts specific eight-bit text messages. An SMS firewall on the handset, says Nohl, could also be used to address other abuse scenarios including the silent SMS situation.

The third approach uses in-network SMS filtering. Because remote attackers rely on mobile networks to deliver binary SMS to and from victim phones, these messages should, he says, only be allowed from a few known sources, but most networks have not implemented this type of filtering yet.

A fourth technology – home routing – could also, says Nohl, be used to extend this protection to cellular customers when they are roaming.

This would, he explained, also provide long-requested protection from remote tracking.
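
To make the handset SMS firewall and in-network filtering defences concrete, here is an added example (not code from Nohl or from any operator) that decides whether an incoming SMS-DELIVER message is a binary, SIM-download or silent SMS and lets it through only from an allowlisted source. The trusted gateway number and the sample messages are constructed, and the field offsets follow the 3GPP TS 23.040 and TS 23.038 encodings.

```python
# Added example: allowlist filter for binary / SIM-download SMS-DELIVER TPDUs.
# Field layout per 3GPP TS 23.040, data coding scheme per TS 23.038.
PID_TYPE0 = 0x40          # Short Message Type 0 ("silent" SMS)
PID_SIM_DOWNLOAD = 0x7F   # (U)SIM data download, the OTA delivery path
TRUSTED_OTA_SOURCES = {"491700000001"}   # assumption: constructed OTA gateway number

def parse_deliver(tpdu: bytes):
    """Return (sender, pid, dcs) from an SMS-DELIVER TPDU."""
    if len(tpdu) < 3 or tpdu[0] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU")
    digits, toa = tpdu[1], tpdu[2]        # address length is in semi-octets
    n = (digits + 1) // 2
    if len(tpdu) < 3 + n + 2:
        raise ValueError("truncated TPDU")
    addr = tpdu[3:3 + n]
    if (toa >> 4) & 0x07 == 0x05:         # alphanumeric sender: keep opaque
        sender = "alnum:" + addr.hex()
    else:                                 # swapped-nibble BCD digits
        sender = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in addr)[:digits]
    return sender, tpdu[3 + n], tpdu[4 + n]

def is_8bit_data(dcs: int) -> bool:
    group = dcs >> 4
    if group <= 0x7:                      # general and auto-delete groups
        return (dcs >> 2) & 0x03 == 0x01
    if group == 0xF:                      # data coding / message class group
        return bool(dcs & 0x04)
    return False                          # reserved and message-waiting groups

def verdict(tpdu: bytes) -> str:
    try:
        sender, pid, dcs = parse_deliver(tpdu)
    except ValueError:
        return "drop"                     # fail closed on malformed input
    sensitive = pid in (PID_SIM_DOWNLOAD, PID_TYPE0) or is_8bit_data(dcs)
    return "drop" if sensitive and sender not in TRUSTED_OTA_SOURCES else "deliver"

# Constructed TPDUs (header, timestamp, empty user data); not captured traffic.
SAMPLES = {
    "OTA from trusted gateway": "040c919471000000107ff63170222100000000",
    "OTA from unknown sender":  "040c919471000000207ff63170222100000000",
    "plain text, unknown":      "040c9194710000002000003170222100000000",
    "type 0, unknown":          "040c9194710000002040003170222100000000",
}

if __name__ == "__main__":
    for label, pdu in SAMPLES.items():
        print(f"{label:26} -> {verdict(bytes.fromhex(pdu))}")
```

Ordinary text messages pass regardless of sender; only the message classes the article describes as abusable are tied to the allowlist.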
