Feeds

back to article Mobe networks hacked phones to fix SIM hijack flaw, says bug-finder

A terrifying weakness at the heart of global mobile phone security has turned into a damp squib: networks scrambled so fast to patch the flaw that the researcher behind the discovery isn't making the details public. It's claimed five carriers pushed out fixes to their customers by exploiting the bug. The flaw was supposed to …

COMMENTS

This topic is closed for new posts.
Silver badge

So, another security scare that never was?

Anyway, since theSIM remains the property of the carrier, it could be argued that they were only hacking their own systems, in order to fix the vulnerability. They haven't actually hacked anyone's phone.

0
1
Bronze badge

Re: So, another security scare that never was?

"...another security scare that never was?"

As the article notes in the last paragraph, it's more likely that this was a serious flaw, as he said, but that's it's been fixed, as he said.

Sorry to be all cynical about your cynicism, but maybe, just maybe, the expert guy knows what he's talking about?

1
0
Silver badge

Re: So, another security scare that never was?

If the SIM is the property of the carrier why do they charge me $35 for one? If it's just rent, why don't they ask for it back after?

0
1
Silver badge

Re: So, another security scare that never was?

likely that this was a serious flaw, as he said, but that's it's been fixed

Exactly my point.

0
0
Anonymous Coward

Re: So, another security scare that never was?

> If the SIM is the property of the carrier why do they charge me $35 for one?

Seriously? It's the phone company, they charge $35 because they can.

0
0
Bronze badge

You have to wonder if there was a financial incentive not to disclose.

1
0
Silver badge
Black Helicopters

US only?

So the US phones have been patched and are safe, and non-US operators are not being told about the flaw, so people knowing the flaw can still spy on non-US phones?

How odd. I can't think who might have wanted that outcome.

1
0

Re: US only?

Of course it's only a problem if your SIM is an old 56-bit DES encrypted one.

0
0

Re: US only?

I should be careful then about my 1999-vintage Orange SIM which has EQ Virgin on it. The account is still live, as they charge me nothing to have it.

0
0
Bronze badge
Alert

So if the flaw is fixed...

Then why not release the details of the exploit?

1
0
Anonymous Coward

DES was broken in 1999. Yet as the US gov forbids strong encryption from being commercially available (I will let you decide why) it will not change soon.

AES is a US Gov officially approved encryption method. Connect the dots.

https://www.networkworld.com/news/1999/0120cracked.html

0
0
Bronze badge

Huh?

It has never been illegal to sell strong encryption within the US, and the export ban ended years ago.

1
0

javacard?

Is this some bastard offspring of Oraclecard, last seen at the end of the eighties?

0
0
Silver badge

Re: javacard?

No it's a Sun product from around the time when EVERYTHING was going to run Java, even your toaster.

0
0
Gold badge

"Only, it turns out the cryptography isn't weak, the process is controlled and the undisclosed flaw remains undisclosed."

56-bit DES is still excessively weak; he was eliciting a known (in plain text) response from the SIM and using a rainbow table to get the key. Which will still work as far as I know. As for the attack... I don't know the details, but here's a few interesting points:

1) JavaCard does away with the code verifier that standard Java has, in recognition of the limited die size and storage space of the JavaCard device. I do believe most code that'd try to read or write outside your program's address space would be caught by the verifier.

2) JavaCard implementation specs permit an MMU but do not demand one; it looks like some implementations use no hardware security (relying on the virtual machine to catch faults), some use an MMU (which would make this attack difficult.) Some use a setup where they encrypt each program's address space with a different key, no MMU but the assumption would be without knowing the key one may be able to crash another app by writing garbage into it's address space, but not patch it to do nefarious things. Of course if they were using some app key, the SIMs will all have the same apps with same keys, and the apps could in fact be patched since the crypto key is already known.

I'm guessing the JavaCard on these SIMs uses no MMU, and the JavaCard software was simply updated to close whatever exploit was being used to write outside the apps' address space.

0
0
Paris Hilton

I hope that's what caused my phone to crash...

Some day last week, or maybe it was over the weekend, my phone crashed. This isn't a normal thing for me as this C905a has been stable since I got it. (The K850i was another story altogether, but I digress.) It occurred to me today that maybe AT&T was probing SIMs to look for vulnerable ones and my SonyEricsson didn't react well to the probing. It crashed once, then after rebooting it crashed again, like since the first hit didn't elicit a response maybe we need to hit it again.

Maybe. Who knows.

0
0
Anonymous Coward

"...the flaw was exploited in order to deliver a fix to the lucky US customers who no longer have to worry about it."

"...but in the meantime feel free to stop panicking now. ®"

Only for your US readers.

0
0
Silver badge

Or everyone in the rest of the world where we don't use decades old tech to secure things like our mobile account or NFC.

0
0
This topic is closed for new posts.