Subscribe

Millions of SIMs at risk

Bonnie Tubbs
By Bonnie Tubbs, ITWeb telecoms editor.
Johannesburg, 22 Jul 2013
Philip Pieterse, senior security consultant at Trustwave, says all will be revealed next week at Black Hat, regarding the discovery of a flaw that leaves millions of cellphone users vulnerable.
Philip Pieterse, senior security consultant at Trustwave, says all will be revealed next week at Black Hat, regarding the discovery of a flaw that leaves millions of cellphone users vulnerable.

Over half a billion cellphone users could be in danger of having their mobile identity seized - together with all the personal and sensitive information that goes along with it.

This came to light over the weekend, with German firm Security Research Labs revealing it had found a flaw in mobile SIMs that still make use of an encryption technology from the seventies, data encryption standard (DES).

According to the firm, the easy-to-crack encryption method renders users' SIM cards vulnerable to hackers, who could essentially "pose as the phone owner" and commit financial crimes or engage in espionage.

While details of the vulnerability will be revealed next week at Black Hat, in Las Vegas, the research team has so long presented the findings to the UN's International Telecommunication Union (ITU), which has described them as "hugely significant".

According to Reuters, the ITU plans to send out an alert to regulators, mobile operators and government agencies across the world.

Vodacom says it has assessed the impact of Security Research Labs' findings and, with the help of its SIM vendors, the company is putting in place "a comprehensive set of measures" to ensure that subscribers are fully protected.

Mobile magnitude

The ITU's latest ICT numbers reveal there are currently almost as many mobile subscriptions as there are people in the world (6.8 billion out of 7.1 billion people on earth) - meaning about 7.4% of all cellphone users could be in danger of having their SIMs remotely cloned or hacked.

Reuters cites the research team's chief scientist, Karsten Nohl, as saying the estimated figure of 500 million is conservative. He also indicated the number could grow if other researchers start looking into the issue and find other ways to exploit the same class of vulnerabilities.

Nohl notes mobile users in Africa could be among the most at risk, due to the prolific use of mobile banking on the continent.

Philip Pieterse, senior security consultant at Trustwave, says the discovery of the flaw could have far-reaching consequences if it is not dealt with before "the bad guys" get wind of it and go on the attack.

"It seems like we will have to wait for Black Hat to get full details of the flaw, but from what has been revealed so far, it involves a large number of cellphone users."

Explaining DES technology, Pieterse says it became a standard decades ago - and was just never phased out.

"It includes a short, 56-bit encryption key and is very vulnerable to brute force attacks. In essence, the password is easily cracked."

He says penetration tests by Trustwave have also found DES technology being used in virtual private network (VPN) solutions. "When we find this we recommend clients turn it off, because it is so easy to crack. Often a VPN solution out of the box will support all encryptions and we advise clients to remove DES and use a stronger code."

Pieterse says he does not know why DES is still so widely in use, but it could also be a case of it being a default setting that users do not know to turn off.

Share