A German researcher reckons he can take control of your phone's SIM card and hijack the handset by cracking the encryption on the device. But he's not alone: network operators have long been able to do just that, and a careful look at how that's possible makes the long-standing security of GSM phone networks all the more …
Hacks which require access to the hardware aren't exactly that dangerous in the real world. Maybe they are bad for people who have been mugged, but that's what you get for living in a city :)
True but irrelevant as you just need the mark's phone number and his old SIM.
Hacks which only require sending a deliberately malformed SMS to (random?) phone numbers, on the other hand, are exactly quite dangerous in the real world. Especially if they can be subsequently used to sign an OS update which you then send to the phone in question. From the article:
"The most common Class 2 message contains changes to the list of preferred roaming partners, to reflect new deals between operators, but the Global Platform standard permits anything, even the entire operating system, to be changed using signed Class 2 messages.
Such radical updates are rare, but they have happened and are secured using that shared secret, so knowledge of the key confers significant power."
don't feed the bumpkins
Numpty - you're reading the article aloud to Mr A.C. Moron, nowhere did it mention access to hardware, nor any discussion of the benefits in living in shacks or cities.
On topic, the malformed SMS forces the SIM into a clever known-plaintext attack which only needs one rainbow table.- length equal to the DES56 signature, I think it's a lot less than 2^^56 which would be beyond rainbow tables at 10^^17 entries. Does anyone know the signature length?
Re: don't feed the bumpkins
From another article I read yesterday, I think it's 40 bits.
Re: don't feed the bumpkins
40 bits is actually the effective key length of single DES (there is some redundancy in the 56 bits), this is the determining factor in the size of the rainbow table (you need one entry for each key). The length of the response message (or even the hash string) is irrelevant, that would increase storage linearly rather than increasing the bit length for which each bit doubles the search space.
Re: don't feed the bumpkins
"On topic, the malformed SMS forces the SIM into a clever known-plaintext attack which only needs one rainbow table.- length equal to the DES56 signature, I think it's a lot less than 2^^56 which would be beyond rainbow tables at 10^^17 entries. Does anyone know the signature length?"
A lookup attack with known-plaintext essentially requires you to store the encrypted value of the plaintext in every known key. You only actually need to encrypt enough of the plaintext to identify a small group of keys since you can then easily bruteforce. To store a full rainbow table you are going to need around the order of an exabyte of storage. There are some interesting ways around that though. The most obvious is that you explicitly only go after the first 30-40 bits of the key. That table will fit on a normal large hard-drive. Once you have the first part of the key you brute-force the remainder which will be a breeze.
For those interested, what the rainbow table actually consists of is a hash lookup of the key based on the first bits of the cipher text encrypted from the known plain-text.
So it's a safe bet that three-letter-agencies can, once they know your phone number, require the network operator to divulge the shared secret, and then push you a 'custom' version of the phone's firmware? Good to know that even end-to-end encryption isn't going to help, if you've got a keylogger pushed to your phone... :P
You need to take into account two things.
First, if you want secrecy, using public service networks is a big no-no.
Second, the SIM has its own OS and only that OS could be (potentially, depends on the SIM maker) reprogrammed. Your handset's OS lives outside the SIM and therefore can't be changed this way. Reprogramming your device OS is done via other channels... and in fact not required at all in order to spy on you.
If you plan on doing something naughty, just don't speak about it, and don't use internet connected devices for it.
You should use a fully encrypted pc.. not running windows, ubuntu, etc, and no UEFI /Intel remote administration... as the AMI "leak" proves...
Roaming always seemed like a bigger risk
I've always been more concerned about the risks of roaming; when your phone roams to another network, your provider must send your 'shared secret' (key) to the roaming provider in order that their network can authenticate your handset.
This means that a level of trust is established between providers in their roaming agreement, but of course what's to say that a foreign government can't now gain access to your SIM encryption key, which can then be used to decrypt your comms globally.
It wouldn't be terribly surprising if the UK and US governments are using this method to collect SIM keys of foreign nationals - it's certainly a lot easier than sending messages which are likely logged and traceable and require not-insignificant computational time to crack.
Re: Roaming always seemed like a bigger risk
Not sure about how roaming works, from what I've read it might be the case that key never leaves the home provider, that only session keys are shared as needed.
Re: Roaming always seemed like a bigger risk
The really secret part of the 'shared secret' - known as K - never leaves the home operator's AuC - the roaming partner is passed a set of keys that are derived from K - CK/IK for 2G/3G authentication, Kasme for 4G - but K itself is never communicated. The derived keys are refreshed during each subsequent authentication run, so knowledge of them should only provide a limited duration opportunity to a hacker.
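The derivation described in the comment above, as an added example that is not part of the original thread: the home AuC keeps K and hands the roaming partner only per-challenge values derived from it. HMAC-SHA256 stands in for the operator's real derivation algorithm, and the names `HomeAuC`, `Sim`, `derive` and `roaming_attach` as well as the test IMSI are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def derive(k: bytes, rand: bytes, label: bytes) -> bytes:
    # Stand-in KDF (assumption): HMAC-SHA256 keyed with K over label || RAND.
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:16]


class HomeAuC:
    """Home operator's authentication centre: the only network node holding K."""

    def __init__(self):
        self._k = {}

    def provision(self, imsi: str) -> bytes:
        self._k[imsi] = os.urandom(16)
        return self._k[imsi]  # the same K is written into the SIM

    def auth_vector(self, imsi: str) -> dict:
        # Fresh RAND per request, so every authentication run yields new keys.
        rand = os.urandom(16)
        k = self._k[imsi]
        return {"rand": rand,
                "xres": derive(k, rand, b"res"),
                "session_key": derive(k, rand, b"key")}


class Sim:
    def __init__(self, k: bytes):
        self._k = k

    def respond(self, rand: bytes):
        # RES goes back over the air; the session key stays in the handset.
        return derive(self._k, rand, b"res"), derive(self._k, rand, b"key")


def roaming_attach(auc: HomeAuC, sim: Sim, imsi: str):
    """The visited network's side: fetch a vector, challenge the SIM, compare."""
    vector = auc.auth_vector(imsi)  # everything the roaming partner receives
    res, sim_key = sim.respond(vector["rand"])
    return hmac.compare_digest(res, vector["xres"]), vector, sim_key


if __name__ == "__main__":
    auc = HomeAuC()
    imsi = "001010000000001"  # constructed test IMSI
    sim = Sim(auc.provision(imsi))
    ok, vector, sim_key = roaming_attach(auc, sim, imsi)
    print("authenticated:", ok, "| keys agree:", vector["session_key"] == sim_key)
```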
it's all based on (a lack of) trust
A.C. #2 is right. When a cellular service provider has a footprint somewhere in the US, they effectively can be told to pass over the security key to the powers that be. All bets are off. It's not just the US too, UK and others also have this 'right' and have had for some time.
It's the same with PKI - why try and crack an ever increasing key length (RSA 1024 going to RSA2048 or higher) when you can just capture all the data (a la Prism) and then tell the encrypter to hand over the key; thereby saving you that cracking hassle. Even perfect forward secrecy fails when you have the keys.
The same rules apply. If you don't manage the keys, they are always susceptible to loss, mismanagement or coercion without your knowledge.
right - time to put my tin foil hat back on. ;-)
Re: it's all based on (a lack of) trust
"Even perfect forward secrecy fails when you have the keys."
that's simply false
It's called (perfect) forward secrecy because even if the attacker gets his hands on server keys he still can't decrypt the data
Oh please tell me those are 20th-century SIMs. Most people know DES is insecure, and the crypto community already suspected it since long before Deep Crack. Who would be so stupid to use that for anything sensitive?!?!
The food you eat
Another day another secret revealed.
Don't tell me no-one knew of this. I don't buy it.
Engineers for mobile companies would know of this as it would be another trick in their book.
I have a hunch if you dig deep enough you'd find memos written by engineers about this specific vulnerability that no-one bothered to follow up on, or it was simply swept under the rug along with more of these types of holes.
When they are discovered public opinion forces big companies to act on them, while saying "see how good I am for protecting you" - gotta love em
This further proves...
That "pay-by-bonk applications", are just a stupid idea!!!!
How this works:
1) GSM is secure.
2) Pay-by-bonk means there's money to be had in cracking GSM.
3) GSM is not secure.
The level of security of anything is inversely proportional to the rewards on offer for cracking it.
jolly well done
@ Bill Ray - bloody well written article, Sir. A nice, concise and easily understandable explanation.
Have a pint on me! (virtually, of course, due to AC).
Rainbow tables.... you mean one of these? http://www.decorfeed.com/14-table-furniture-layouts/
Deep crack? I'm not posting a picture of that thank you very much!) :-)
Confused of Essex
the numpty with the SIM tattoo?
Another disappointing article.
OK. If you get the network key, you might just about manage to impersonate the SIM (if you also get the IMSI).
Unfortunately, you can't change the SIM's OS - it's in the MASK.
Now Global Platform allows you to modify applets on the SIM, install new ones, etc,
- but the keys are different (SCP02)
- it's only NFC SIM cards - which are nice and new
Finally, Roaming list updates are protected by 03.48 - again different to the network key.
Could the Reg not find someone with a clue to right about these things???
Re: the numpty with the SIM tattoo?
"Could the Reg not find someone with a clue to right about these things???"
I'm in your post, destroying your credibility.
Java Card not the only credit card OS
Java Card is mainly used by Visa.
Mastercard credit cards typically use Multos
Other OS are used for cheaper applications.
Too simple a fix?
With this relying on a malformed class 2 message to generate the known-text error, I can see two ways that the carriers can prevent this issue: Testing all class 2 messages for validity and dropping them if they'll generate an error, or discarding the known-text error response when it's seen.