How I hacked SIM cards with a single text - and the networks DON'T CARE

Karsten Nohl, the security researcher who broke into SIM cards with a single text, has told The Register he is dismayed by the mobile industry's lukewarm response to his revelations - and has revealed, for the first time, exactly how he did it. Nohl thought exposing the flaws in SIM security would force the telcos to fix them. …

COMMENTS

This topic is closed for new posts.

Bronze badge

It'll get fixed..

As soon as the carriers 'discover' the problem which, in turn, will be when they start getting hit with lawsuits from former customers who've had their bank accounts compromised. Till then it's not really a problem, or at least not their problem, which means they don't have to care about it.

17
0
Silver badge

Re: It'll get fixed.. Nope

NSA backdoor....

9
0
Bronze badge

Nohl: "Your stable door is open!"

Industry: "Is the horse still in the stable?"

Nohl: "Yes."

Industry: "Meh"

73
0
Gold badge
Coat

Nohl: "Are you going to fix this?"

Industry: "Neigh!"

16
1
Silver badge
Coat

Industry: We'll fix it soon.

Nohl: Horseshit!

3
0
Bronze badge

Industry: We pre-pferd that you keep quiet about this.

3
0
Anonymous Coward

Industry: We pre-pferd that you keep quiet about this.

Very good. Too good, perhaps, for the Register.

3
0
Bronze badge

Re: Industry: We pre-pferd that you keep quiet about this.

Yes; now we're looking for [the] better knife, Schmidt.

0
0
Silver badge

"... an industry that wants to ... silently roll out software updates to handsets ..."

And there is the key to the problem. There should never be "silent updates" to anything, unless the user is stupid enough to select it of their own free will. The default should be "notify and ask", not "do whatever you want".

16
3

The SIM card remains the property of the network so they can do whatever they like to it. This is not the same as having the network update the handset's software silently.

Or perhaps you'd rather the handset asked you whether you'd prefer to have the SIM updated or have your contract terminated? I guess at least then you'd know they were making changes and you could decide you no longer want to deal with that company.

3
14
Bronze badge

IF these are engineering updates, done to engineering standards of reliability, why ask the customer?

What words are you going to use?

And as was pointed out, what will you do if they do not comply?

It is not like letting people run an old version of FF or MSIE.

0
2

would be interesting

If this were the case and someone chose to terminate the contract, legally where would that sit?

0
0
Anonymous Coward

Tin foil hat

Probably not acting on it due to it being a backdoor the NSA have been using for a while, hoping no one else would find it.

17
0
Black Helicopters

Bit like last week's Apple snafu?

From the description, it sounds like the same sort of flaw as the Unicode handler last week on Apple, where any SMS or even webpage knocked it over.

Take an array and point to it via a one-step-away function call which fails to check it is in-bounds.

Wonder if it's the same backdoor writer who did both?

4
1
Silver badge
Joke

Re: Bit like last week's Apple snafu?

What's all this about some Unicode handler? I thought last week's Apple snafu was the 5C.

2
1

This post has been deleted by its author

Re: Enough, already

Ah, but mon ami, the night is still young!

0
0
Anonymous Coward

Re: Bit like last week's Apple snafu?

ribosome. Downvoted for being a sally without a sense of humour.

1
1
Anonymous Coward

Re: Bit like last week's Apple snafu?

AC: downvoted for being an AC. If you insult someone by name while posting as AC, you're not exactly a shiny specimen of the human race yourself. What are you, 14?

1
1
Bronze badge

Re: Bit like last week's Apple snafu?

it sounds like the same sort of flaw as the Unicode handler last week on Apple

They're both array-bounds attacks, one of the most common families. Aside from that, I don't see any significant similarities.

The SIM attack relies on a bug in the type system enforcement in JavaCard. The iOS attack is a combination of integer underflow and signed/unsigned conversion. They're rather different in their specifics.

And both are attacks of a type we've seen before. The JavaCard type system one is unusual, but flaws in the type systems of JVMs and Java-derived environments are not unknown. Using integer underflow or overflow to index beyond array bounds is so common it's #3 in 19 Deadly Sins of Software Security.

1
0
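The comment above (and the earlier one about "a one-step-away function call which fails to check it is in-bounds") describes the signed/unsigned conversion and integer underflow family of bounds bugs. The following is an added example, not code from the Register thread, from Nohl's work or from iOS or JavaCard: it uses a constructed two-byte-header record layout (tag byte, length byte, payload), written in C because the pattern lives in C code, and shows the naive check beside a hardened one. The function names, the record format and the sample messages are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed record layout for this example only (not a real SMS, OTA or
 * SIM format): byte 0 is a tag, byte 1 is the payload length, then payload.
 */
#define HDR_LEN 2

/*
 * Vulnerable bounds check. The length byte is read through a signed 8-bit
 * type, so 0x80..0xFF sign-extend to a negative int. Both signed comparisons
 * below then pass, and the value is converted to size_t at the copy, where it
 * becomes a huge count. This function only reports what the naive code would
 * hand to memcpy(); it deliberately never performs the copy.
 */
bool naive_accepts(const uint8_t *msg, size_t msg_len, size_t out_cap,
                   size_t *copy_len)
{
    if (msg_len < HDR_LEN)
        return false;
    int len   = (int8_t)msg[1];             /* BUG: sign extension */
    int avail = (int)msg_len - HDR_LEN;     /* bytes after the header */
    if (len > avail || len > (int)out_cap)  /* a negative len passes both */
        return false;
    *copy_len = (size_t)len;                /* -112 becomes SIZE_MAX - 111 */
    return true;
}

/*
 * Hardened version: keep every length unsigned, confirm the header exists
 * before reading it (so the subtraction cannot wrap), and compare against
 * both the bytes actually present and the destination capacity before the
 * copy. Returns the payload length copied, or -1 on rejection.
 */
int safe_extract(const uint8_t *msg, size_t msg_len,
                 uint8_t *out, size_t out_cap)
{
    if (msg == NULL || out == NULL || msg_len < HDR_LEN)
        return -1;
    size_t len   = msg[1];                  /* uint8_t promotes to 0..255 */
    size_t avail = msg_len - HDR_LEN;       /* cannot wrap: checked above */
    if (len > avail || len > out_cap)
        return -1;
    memcpy(out, msg + HDR_LEN, len);
    return (int)len;                        /* 0..255 always fits an int */
}

/* Constructed samples: a well-formed record and one with a 0x90 length byte
 * (144 declared, only 2 payload bytes present). */
static const uint8_t GOOD_MSG[] = { 0x01, 0x03, 'a', 'b', 'c' };
static const uint8_t BAD_MSG[]  = { 0x01, 0x90, 'x', 'y' };

/* Wrappers over the samples so the outcomes can be inspected as values. */
size_t naive_len_for_bad(void)
{
    size_t n = 0;
    return naive_accepts(BAD_MSG, sizeof BAD_MSG, 16, &n) ? n : 0;
}

int safe_len_for_bad(void)
{
    uint8_t out[16];
    return safe_extract(BAD_MSG, sizeof BAD_MSG, out, sizeof out);
}

int safe_len_for_good(void)
{
    uint8_t out[16];
    return safe_extract(GOOD_MSG, sizeof GOOD_MSG, out, sizeof out);
}

int main(void)
{
    printf("naive would copy %zu bytes from the bad record\n", naive_len_for_bad());
    printf("safe_extract on bad record: %d\n", safe_len_for_bad());
    printf("safe_extract on good record: %d\n", safe_len_for_good());
    return 0;
}
```

The naive path accepts the malformed record and computes a copy length of roughly SIZE_MAX, which is exactly the "index beyond array bounds" outcome the comment describes; the hardened path rejects it and copies the good record as 3 bytes. The fix is not one extra check but a discipline: lengths stay unsigned, the header is validated before it is read, and both source availability and destination capacity are checked before any copy.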
Anonymous Coward

Re: Bit like last week's Apple snafu?

@ribsome coming from the guy who deleted the post where he was being a sally without a sense of humour? Please, if you're going to accuse somebody of acting 14, don't then turn the pillow over after spilling grape soda over it.

0
0

It always staggers me

How these guys even come up with this stuff. I suppose if I'd ever moved on from the obligatory two basic PRINT and GOTO lines of code that remained the extent of my (and probably many others) foray into coding, I might have a better comprehension. Still we all have our talents I suppose.. I can make a mean bowl of cornflakes with only three main ingredients.

9
1
WTF?

A mean bowl of cornflakes with only three main ingredients?

1) Cornflakes

2) Milk

3) ??

0
0
Gold badge
Happy

Re: A mean bowl of cornflakes with only three main ingredients?

Bowl...

1
1
Bronze badge

Re: It always staggers me

How these guys even come up with this stuff

By "this stuff" do you mean the original broken systems, or the attacks that exploit them?

The former is just run-of-the-mill software development. A team implements a huge system with lots of features. It's too large for anyone to understand the whole thing, or even a significant portion, in depth. Some developers are better than others at producing robust code. There's miscommunication and erroneous and unshared assumptions. And so on.

The latter is all about scaffolding. Decades ago people were mounting what were then very sophisticated attacks, like the Morris worm: send a malformed request to a program, overwrite part of its memory, trick it into doing stuff it wasn't supposed to be doing. Those were individual, largely unique acts by smart people who put a lot of effort into experimenting with breaking those systems, and even so the attacks were quite simple by modern standards.

Then other researchers studied those attacks and created more straightforward and simpler techniques, and disseminated that information. So you have, for example, Aleph Null's "Smashing the Stack for Fun and Profit", which explained how to do Morris-worm sorts of stuff. That let a lot of people experiment with breaking a lot of systems, and their techniques got more and more sophisticated.

And then people took those more-sophisticated approaches and extended them further. And so on.

These days, it's quite possible for even someone with no experience in this area to read a few articles, throw some random data at a system until it breaks ("fuzzing"), and then follow essentially a recipe of steps to develop a useful exploit. It may require some understanding of programming, but not a lot. In fact, pretty much the whole process can be automated.

That's not to say Nohl's work isn't good stuff - it certainly is. But it's not like he just sat meditating for days and suddenly the attack sprang full-formed into his mind. There's a huge body of existing practice for doing this sort of thing.

1
0

Re: A mean bowl of cornflakes with only three main ingredients?

3) Sugar - At least, in my case.

1
1
Mushroom

Re: A mean bowl of cornflakes with only three main ingredients?

3. Sugar

(a basic heart attack inducing, teeth rotting, fattening ingredient of all foods!).

Cookery101.

1
1
FAIL

Re: A mean bowl of cornflakes with only three main ingredients?

You can't eat the bowl (unless it is made of edible rice paper) hence it is not an ingredient of cornflakes! Doh!

0
0
Coat

Hello Array, there!

Can you hear me?

Yes.

Can you hear me now?

Yes.

Now?

Yes.

So I can reference you from a distance!

Pass me a coat. Any coat will do, I don't check.

2
1

Please explain, not my area of expertise.

I just thought the SIM card had a subscriber / number to identify you to the mobile base stations so they could route calls to you, oh and some space to store 150 contact numbers that nobody ever uses any more as they sync everything to either exchange, google or Apple.

Now I get the impression that the sim has a processor of sorts that can handle some authentication to the network / probably obvious and sensible. Why the heck can it access anything on the device ? Is there any need ?

6
0
Silver badge

Re: Please explain, not my area of expertise.

News to me also.

1
0
Anonymous Coward

Re: Please explain, not my area of expertise.

There's a variety of applications that telcos can put in the SIM card. For this purpose a specified set of commands exists, called a SIM toolkit, that most modern phones and SIM cards support. The SIM can make calls, send messages and open data connections. It can route a call to a different number than the user dialed in. And much more. If the telcos are nice, they will not require phones to hide these actions from users.

0
0
Silver badge

Re: Please explain, not my area of expertise.

Knock yourselves out.

When Vodafone says that strong encryption has been mandated for "many, many, years" it means they've been using DES for many, many years.

0
0
Silver badge

Re: Please explain, not my area of expertise.

If the telcos are nice, they will not require phones to hide these actions from users.

[Frowning] Name one single telco that's nice.... Any one will do.

4
0

Re: Please explain, not my area of expertise.

SIM cards can host full-fledged applications (basic text-based interface, but the logic is Turing complete).

0
0
Bronze badge

Re: Please explain, not my area of expertise.

http://www.gemalto.com/techno/sim/

http://www.diva-portal.org/smash/get/diva2:423013/FULLTEXT02

0
0

Re: Please explain, not my area of expertise. @John T.

You write: "Name one single telco that's nice.... Any one will do."

Try Swisscom. Reasonable prices, crazy dense network, 4G at all the main population centres, venues and motorways.

Among the earliest rollouts of VDSL2 and already offering FTTH for a couple of years. Broadband speeds always marginally exceed quoted ones. Couple that with the Swiss Supreme Court ruling that mass IP address trawling is illegal (forcing most such collection companies out of the country overnight). IP address monitoring can only be on a case by case basis and only once a case can be made.

The only naff thing they have done is their attempt to charge for IPTV content that is FTA on satellite. But that's a minor annoyance.

1
0
Anonymous Coward

Re: Please explain, not my area of expertise.

Dude, Vodafone said strong encryption was MANDATED for many years, not that they IMPLEMENTED strong encryption! Watch the weasel lawyer mouth piece closely next time.

Matters not, they have a huge bag of cash now from that limp wrist CEO at Verizon. Any possible losses barely show up as a rounding error in the banking fees that were paid, never mind the main pile-o-cash(r).

0
0
Silver badge
Trollface

Re: Please explain, not my area of expertise. @John T.

>Try Swisscom. Reasonable prices, crazy dense network, 4G at all the main population centres, venues and motorways.

Can't resist. Yes but the problem is you have to live in just about the most expensive country in the world (very beautiful which you pay for). Not to mention like with most of central Europe if you were not born there you will never truly fit in.

2
0

Re: Please explain, not my area of expertise. @asdf

Can't fault you there.

Although things are not as expensive as you make out (not when take home pay is 80+% of your gross) but after 10 years here I've yet to fit in :-)

0
0
Gold badge
Unhappy

So this would be a "2*" dereferencing exercise in C++?

Reference-to-a_reference-to-an-array.

Now, is that a fail in the Javacard spec or the Javacard implementation?

0
0
Bronze badge

Re: So this would be a "2*" dereferencing exercise in C++?

is that a fail in the Javacard spec or the Javacard implementation?

Implementation. The specification says, right in the introduction:

The basic runtime security feature imposed by the JCRE enforces isolation of applets using what is called an applet firewall. The applet firewall prevents the objects that were created by one applet from being used by another applet. This prevents unauthorized access to both the fields and methods of class instances, as well as the length and contents of arrays.

Applet isolation is "the basic runtime security feature", and array boundary enforcement is specifically mentioned.

JavaCard does relax some of the Java security requirements, in particular load-time verification. But Nohl's attack isn't against load-time verification; it's a straight runtime attack on the type system.

0
0
Bronze badge
WTF?

Sprint's got SIMs?

"in the US, network operator Sprint isn't authenticating or encrypting SIM updates at all"

Sprint, like Verizon, uses a CDMA network instead of GSM so doesn't even HAVE SIM cards in its phones.

2
2

Re: Sprint's got SIMs?

You were right.. until recently.

Sprint, Verizon, and MetroPCS are all CDMA carriers, but they also have LTE networks. LTE requires the SIM card. So yes, Sprint has SIMs. Sprint's old Nextel iDEN network also used SIMs.

The CDMA2000 spec actually had a "R-UIM", which was basically a SIM, but of course the US CDMA carriers avoided them, because they wanted lockdown.

I have 3 Vzw LTE SIMs sitting right here, actually...

3
0

possible to block?

I thought it is the telcos themselves who update SIM card contents using SMS commands. Is there something to prevent telcos from filtering SMS messages based on content? In other words, if SMS is an over-the-air command to SIM and it did not originate from operator's own server, delete it.

0
0
Silver badge

Re: possible to block?

One of the Android SMS firewall apps like this or this might stop the device forwarding the SMS to the SIM, but then again it's difficult to test...

1
0
Bronze badge

Even CEO bonuses take longer than 2 months from inception to delivery

So 2 months is a long time for a person to leave something undone.

But anyone who has ever worked for a big company knows nothing gets done in 2 months, unless it is legislated by government or interrupts business. Even the CEOs bonuses take longer from inception to delivery.

In engineering, when you have the time you want to think through and carefully consider every change. Then you want to regression test everything.

This is why you don't get blue screens in your car's computer brakes and why basic cell phones.

Apps, well that is usually regular computer types, so less care is taken, and we all see the results.

Remember, for a person living or working alone a phone is a life-safety device. It is not just something for socializing. It is the one thing they have to summon help.

When the problem is in the wild, then things change. Then the risk of bricking a person's phone is less than the risk of leaving the bug there while a fix is tested.

Again, remember, for a person living or working alone a phone is a life-safety device. It is not just something for socializing. It is the one thing they have to summon help.

1
2
Silver badge
Coat

NSAs fave computer game

The SMS

4
0
Silver badge

and industry wonders

why security researchers don't bother to tell them anything, and just skip to making exploit code available to every criminal in the world.

It's the only thing that gets them to act.

3
0
Stop

Corporate Definition of Security

How much money can we make with this (A), how much will it cost to fix (B), how much will WE lose (C)

IF A - (B + C) > Zero Then we define this system as secure

This may not be the perceived standard private citizens or technologists may use, but it is the one most large corporates use (including on safety critical systems).

1
0
