securityresearchlabs
Latest
Some SIM cards can be hacked 'in about two minutes' with a pair of text messages
Every GSM phone needs a SIM card, and you'd think such a ubiquitous standard would be immune to any hijack attempts. Evidently not, as Karsten Nohl of Security Research Labs -- who found a hole in GSM call encryption several years ago -- has uncovered a flaw that allows some SIM cards to be hacked with only a couple of text messages. By cloaking an SMS so it appears to have come from a carrier, Nohl said that in around a quarter of cases, he receives an error message back containing the necessary info to work out the SIM's digital key. With that knowledge, another text can be sent that opens it up so one can listen in on calls, send messages, make mobile purchases and steal all manner of data. Apparently, this can all be done "in about two minutes, using a simple personal computer," but only affects SIMs running the older data encryption standard (DES). Cards with the newer Triple DES aren't affected; also, the other three quarters of SIMs with DES Nohl probed recognized his initial message as a fraud. There's no firm figure on how many SIMs are at risk, but Nohl estimates the number at up to 750 million. The GSM Association has been given some details of the exploit, which have been forwarded to carriers and SIM manufacturers that use DES. Nohl plans to spill the beans at the upcoming Black Hat meeting. If you're listening, fine folks at the NSA, tickets are still available.
Researchers eavesdrop on encrypted GSM call: all you need is a $15 phone and 180 seconds
It's hardly a fresh idea -- researchers have claimed that GSM calls could be cracked and listened in on for years. But there's a difference between being able to do something with a $50,000 machine and a warrant, and being able to do the same thing with a few $15 Motorola phones, a laptop, open source software and 180 seconds of spare time. Security Research Labs researcher Karsten Nohl and OsmocomBB project programmer Sylvain Munaut recently spoke about a new GSM hack at the Chaos Communication Conference in Berlin, and they were able to walk the audience through the eavesdropping process in a matter of minutes. According to them, it's not terribly difficult to use a $15 handset to "sniff out" location data used to correctly route calls and texts, and once you've nailed that down, you could use modified firmware to feed raw data into a laptop for decryption. Using a 2TB table of precomputed encryption keys, a cracking program was able to break in within 20 seconds -- after that, you're just moments away from recording a live GSM call between two phones. Of course, speeches like these are made to encourage security officials to beef up the layers between you and ill-willed individuals, but it's hard to say what (if anything) will change. For now, we'd recommend just flying to each and every person you'd like to speak with. Unless you live in the Greater New York area -- you're probably better off risking a hacked conversation than heading out to LGA / JFK / EWR.
