SIM cards are considered the de facto trust anchor of mobile devices, but a newly discovered vulnerability could expose literally billions of users.
According to Security Research Labs (SRL), in research that it will present at Black Hat next week, SIM cards protect the mobile identity of subscribers, associate devices with phone numbers, and increasingly store payment credentials – for example, in NFC-enabled phones with mobile wallets.
“With over 7-billion cards in active use, SIMs may well be the most widely used security token in the world. Through over-the-air (OTA) updates deployed via SMS, the cards are even extensible through custom Java software,” the company reports. “While this extensibility is rarely used so far, its existence already poses a critical hacking risk.”
It explains that OTA commands, such as software updates, are cryptographically-secured SMS messages, which are delivered directly to the SIM. While the option exists to use state-of-the-art AES or the somewhat outdated 3DES algorithm for OTA, many (if not most) SIM cards still rely on the 70s-era DES cipher.
“DES keys were shown to be crackable within days using FPGA clusters, but they can also be recovered much faster by leveraging rainbow tables,” SRL points out.
To derive a DES OTA key, an attacker starts by sending a binary SMS to a target device. The SIM does not execute the improperly signed OTA command, but does in many cases respond to the attacker with an error code carrying a cryptographic signature, once again sent over binary SMS. A rainbow table resolves this plaintext-signature tuple to a 56-bit DES key within two minutes on a standard computer.
The cracked DES key enables an attacker to send properly signed binary SMS, which download Java applets onto the SIM. Applets are allowed to send SMS, change voicemail numbers, and query the phone location, among many other predefined functions. These capabilities alone provide plenty of potential for abuse.
In principle, the Java virtual machine should assure that each Java applet only accesses the predefined interfaces,The company reports. The Java sandbox implementations of at least two major SIM card vendors, however, are not secure: A Java applet can break out of its realm and access the rest of the card. This allows for remote cloning of possibly millions of SIM cards including their mobile identity (IMSI, Ki) as well as payment credentials stored on the card.
The risk of remote SIM exploitation can be mitigated on three layers, SRL notes. These are better SIM cars, hardset SMS firewalls and in-network SMS filtering.