How I hacked SIM cards with a single text - and the networks DON'T CARE

Karsten Nohl, the security researcher who broke into SIM cards with a single text, has told The Register he is dismayed by the mobile industry's lukewarm response to his revelations - and has revealed, for the first time, exactly how he did it. Nohl thought exposing the flaws in SIM security would force the telcos to fix them …

COMMENTS

This topic is closed for new posts.
  1. silent_count

    It'll get fixed..

    As soon as the carriers 'discover' the problem which, in turn, will be when they start getting hit with lawsuits from former customers who've had their bank accounts compromised. Till then it's not really a problem, or at least not their problem, which means they don't have to care about it.

    1. LarsG

      Re: It'll get fixed.. Nope

      NSA backdoor....

  2. Anonymous Blowhard

    Nohl: "Your stable door is open!"

    Industry: "Is the horse still in the stable?"

    Nohl: "Yes."

    Industry: "Meh"

    1. I ain't Spartacus Gold badge
      Coat

      Nohl: "Are you going to fix this?"

      Industry: "Neigh!"

      1. Martin Budden Silver badge
        Coat

        Industry: We'll fix it soon.

        Nohl: Horseshit!

    2. Adam 1

      Industry: We pre-pferd that you keep quiet about this.

      1. Anonymous Coward

        Industry: We pre-pferd that you keep quiet about this.

        Very good. Too good, perhaps, for the Register.

        1. cortland

          Re: Industry: We pre-pferd that you keep quiet about this.

          Yes; now we're looking for [the] better knife, Schmidt.

  3. Intractable Potsherd

    "... an industry that wants to ... silently roll out software updates to handsets ..."

    And there is the key to the problem. There should never be "silent updates" to anything, unless the user is stupid enough to select it of their own free will. The default should be "notify and ask", not "do whatever you want".

    1. Badvok

      The SIM card remains the property of the network so they can do whatever they like to it. This is not the same as having the network update the handset's software silently.

      Or perhaps you'd rather the handset asked you whether you'd prefer to have the SIM updated or have your contract terminated? I guess at least then you'd know they were making changes and you could decide you no longer want to deal with that company.

      1. WatAWorld

        IF these are engineering updates, done to engineering standards of reliability, why ask the customer?

        What words are you going to use?

        And as was pointed out, what will you do if they do not comply?

        It is not like letting people run an old version of FF or MSIE.

      2. g7rpo

        would be interesting

        If this were the case and someone chose to terminate their contract, legally where would that sit?

  4. Anonymous Coward

    Tin foil hat

    Probably not acting on it due to it being a backdoor the NSA have been using for a while, hoping no one else would find it.

  5. YetAnotherLocksmith Silver badge
    Black Helicopters

    Bit like last week's Apple snafu?

    From the description, it sounds like the same sort of flaw as the Unicode handler last week on Apple, where any SMS or even webpage knocked it over.

    Take an array and point to it via a one-step-away function call which fails to check it is in-bounds.

    Wonder if it's the same backdoor writer who did both?

    1. Martin Budden Silver badge
      Joke

      Re: Bit like last week's Apple snafu?

      What's all this about some Unicode handler? I thought last week's Apple snafu was the 5C.

      1. This post has been deleted by its author

        1. Ambivalous Crowboard

          Re: Enough, already

          Ah, but mon ami, the night is still young!

        2. Anonymous Coward

          Re: Bit like last week's Apple snafu?

          ribosome. Downvoted for being a sally without a sense of humour.

          1. Anonymous Coward

            Re: Bit like last week's Apple snafu?

            AC: downvoted for being an AC. If you insult someone by name while posting as AC, you're not exactly a shiny specimen of the human race yourself. What are you, 14?

            1. Anonymous Coward

              Re: Bit like last week's Apple snafu?

              @ribosome coming from the guy who deleted the post where he was being a sally without a sense of humour? Please, if you're going to accuse somebody of acting 14, don't then turn the pillow over after spilling grape soda over it.

    2. Michael Wojcik Silver badge

      Re: Bit like last week's Apple snafu?

      it sounds like the same sort of flaw as the Unicode handler last week on Apple

      They're both array-bounds attacks, one of the most common families. Aside from that, I don't see any significant similarities.

      The SIM attack relies on a bug in the type system enforcement in JavaCard. The iOS attack is a combination of integer underflow and signed/unsigned conversion. They're rather different in their specifics.

      And both are attacks of a type we've seen before. The JavaCard type system one is unusual, but flaws in the type systems of JVMs and Java-derived environments are not unknown. Using integer underflow or overflow to index beyond array bounds is so common it's #3 in 19 Deadly Sins of Software Security.
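As an added illustration (not code from the comment above, nor from either of the attacks it mentions), the integer-underflow plus signed/unsigned conversion pattern in a length check over a constructed message header, with the vulnerable check beside a hardened one. The message layout and MAX_PAYLOAD are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (constructed for this example): a 16-bit total length,
 * a 16-bit header length, and the payload is whatever is left over. */
#define MAX_PAYLOAD 256

/* Vulnerable: the subtraction happens in int, so total < header yields a
 * negative payload_len.  The range check is also done in the signed domain,
 * so the negative value passes it.  When the caller later converts that
 * value to size_t for memcpy() it becomes a huge positive number and the
 * copy runs far past the buffer: an array-bounds overread. */
bool vulnerable_accepts(uint16_t total_len, uint16_t header_len, int *out_len)
{
    int payload_len = total_len - header_len;   /* integer underflow */
    if (payload_len > MAX_PAYLOAD)              /* -10 > 256 is false: accepted */
        return false;
    *out_len = payload_len;
    return true;
}

/* The byte count the vulnerable path would hand to memcpy(): the
 * signed-to-unsigned conversion of a negative length. */
size_t vulnerable_copy_len(int payload_len)
{
    return (size_t)payload_len;
}

/* Hardened: reject before subtracting, and keep lengths unsigned so there
 * is no sign to lose in a later conversion. */
bool hardened_accepts(uint16_t total_len, uint16_t header_len, size_t *out_len)
{
    if (total_len < header_len)
        return false;                           /* underflow is now impossible */
    size_t payload_len = (size_t)total_len - header_len;
    if (payload_len > MAX_PAYLOAD)
        return false;
    *out_len = payload_len;
    return true;
}

int main(void)
{
    int bad = 0;
    size_t good = 0;
    /* Constructed malformed header: claims 10 bytes total but a 20-byte header. */
    printf("vulnerable accepts: %d (len=%d, memcpy would get %zu bytes)\n",
           vulnerable_accepts(10, 20, &bad), bad, vulnerable_copy_len(bad));
    printf("hardened accepts:   %d\n", hardened_accepts(10, 20, &good));
    return 0;
}
```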

  6. CmdrX3

    It always staggers me

    How these guys even come up with this stuff. I suppose if I'd ever moved on from the obligatory two basic PRINT and GOTO lines of code that remained the extent of my (and probably many others) foray into coding, I might have a better comprehension. Still we all have our talents I suppose.. I can make a mean bowl of cornflakes with only three main ingredients.

    1. Martin
      WTF?

      A mean bowl of cornflakes with only three main ingredients?

      1) Cornflakes

      2) Milk

      3) ??

      1. I ain't Spartacus Gold badge
        Happy

        Re: A mean bowl of cornflakes with only three main ingredients?

        Bowl...

        1. smartermind
          FAIL

          Re: A mean bowl of cornflakes with only three main ingredients?

          You can't eat the bowl (unless it is made of edible rice paper) hence it is not an ingredient of cornflakes! Doh!

      2. Radio Wales

        Re: A mean bowl of cornflakes with only three main ingredients?

        3) Sugar - At least, in my case.

      3. smartermind
        Mushroom

        Re: A mean bowl of cornflakes with only three main ingredients?

        3. Sugar

        (a basic heart attack inducing, teeth rotting, fattening ingredient of all foods!).

        Cookery101.

    2. Michael Wojcik Silver badge

      Re: It always staggers me

      How these guys even come up with this stuff

      By "this stuff" do you mean the original broken systems, or the attacks that exploit them?

      The former is just run-of-the-mill software development. A team implements a huge system with lots of features. It's too large for anyone to understand the whole thing, or even a significant portion, in depth. Some developers are better than others at producing robust code. There's miscommunication and erroneous and unshared assumptions. And so on.

      The latter is all about scaffolding. Decades ago people were mounting what were then very sophisticated attacks, like the Morris worm: send a malformed request to a program, overwrite part of its memory, trick it into doing stuff it wasn't supposed to be doing. Those were individual, largely unique acts by smart people who put a lot of effort into experimenting with breaking those systems, and even so the attacks were quite simple by modern standards.

      Then other researchers studied those attacks and created more straightforward and simpler techniques, and disseminated that information. So you have, for example, Aleph Null's "Smashing the Stack for Fun and Profit", which explained how to do Morris-worm sorts of stuff. That let a lot of people experiment with breaking a lot of systems, and their techniques got more and more sophisticated.

      And then people took those more-sophisticated approaches and extended them further. And so on.

      These days, it's quite possible for even someone with no experience in this area to read a few articles, throw some random data at a system until it breaks ("fuzzing"), and then follow essentially a recipe of steps to develop a useful exploit. It may require some understanding of programming, but not a lot. In fact, pretty much the whole process can be automated.

      That's not to say Nohl's work isn't good stuff - it certainly is. But it's not like he just sat meditating for days and suddenly the attack sprang full-formed into his mind. There's a huge body of existing practice for doing this sort of thing.

  7. Anonymous Coward
    Coat

    Hello Array, there!

    Can you hear me?

    Yes.

    Can you hear me now?

    Yes.

    Now?

    Yes.

    So I can reference you from a distance!

    Pass me a coat. Any coat will do, I don't check.

  8. Leeroy

    Please explain, not my area of expertise.

    I just thought the SIM card had a subscriber / number to identify you to the mobile base stations so they could route calls to you, oh and some space to store 150 contact numbers that nobody ever uses any more as they sync everything to either Exchange, Google or Apple.

    Now I get the impression that the SIM has a processor of sorts that can handle some authentication to the network / probably obvious and sensible. Why the heck can it access anything on the device? Is there any need?

    1. Anonymous Coward

      Re: Please explain, not my area of expertise.

      News to me also.

      1. WatAWorld

        Re: Please explain, not my area of expertise.

        http://www.gemalto.com/techno/sim/

        http://www.diva-portal.org/smash/get/diva2:423013/FULLTEXT02

    2. Anonymous Coward

      Re: Please explain, not my area of expertise.

      There's a variety of applications that telcos can put in the SIM card. For this purpose a specified set of commands exists, called a SIM toolkit, that most modern phones and SIM cards support. The SIM can make calls, send messages and open data connections. It can route a call to a different number than the user dialed in. And much more. If the telcos are nice, they will not require phones to hide these actions from users.

      1. John Tserkezis

        Re: Please explain, not my area of expertise.

        If the telcos are nice, they will not require phones to hide these actions from users.

        [Frowning] Name one single telco that's nice.... Any one will do.

        1. Metrognome

          Re: Please explain, not my area of expertise. @John T.

          You write: "Name one single telco that's nice.... Any one will do."

          Try Swisscom. Reasonable prices, crazy dense network, 4G at all the main population centres, venues and motorways.

          Among the earliest rollouts of VDSL2, and already offering FTTH for a couple of years. Broadband speeds always marginally exceed quoted ones. Couple that with the Swiss Supreme Court ruling that mass IP address trawling is illegal (forcing most such collection companies out of the country overnight). IP address monitoring can only be on a case-by-case basis and only once a case can be made.

          The only naff thing they have done is their attempt to charge for IPTV content that is FTA on satellite. But that's a minor annoyance.

          1. asdf
            Trollface

            Re: Please explain, not my area of expertise. @John T.

            >Try Swisscom. Reasonable prices, crazy dense network, 4G at all the main population centres, venues and motorways.

            Can't resist. Yes but the problem is you have to live in just about the most expensive country in the world (very beautiful which you pay for). Not to mention like with most of central Europe if you were not born there you will never truly fit in.

            1. Metrognome

              Re: Please explain, not my area of expertise. @asdf

              Can't fault you there.

              Although things are not as expensive as you make out (not when take-home pay is 80+% of your gross), after 10 years here I've yet to fit in :-)

    3. Dan 55 Silver badge

      Re: Please explain, not my area of expertise.

      Knock yourselves out.

      When Vodafone says that strong encryption has been mandated for "many, many, years" it means they've been using DES for many, many years.

      1. Anonymous Coward

        Re: Please explain, not my area of expertise.

        Dude, Vodafone said strong encryption was MANDATED for many years, not that they IMPLEMENTED strong encryption! Watch the weasel lawyer mouth piece closely next time.

        Matters not, they have a huge bag of cash now from that limp wrist CEO at Verizon. Any possible losses barely show up as a rounding error in the banking fees that were paid, never mind the main pile-o-cash(r).

    4. Gagol

      Re: Please explain, not my area of expertise.

      SIM cards can host full-fledged applications (basic text-based interface, but the logic is Turing complete).

  9. John Smith 19 Gold badge
    Unhappy

    So this would be a "2*" dereferencing exercise in C++?

    Reference-to-a_reference-to-an-array.

    Now, is that a fail in the Javacard spec or the Javacard implementation?

    1. Michael Wojcik Silver badge

      Re: So this would be a "2*" dereferencing exercise in C++?

      is that a fail in the Javacard spec or the Javacard implementation?

      Implementation. The specification says, right in the introduction:

      "The basic runtime security feature imposed by the JCRE enforces isolation of applets using what is called an applet firewall. The applet firewall prevents the objects that were created by one applet from being used by another applet. This prevents unauthorized access to both the fields and methods of class instances, as well as the length and contents of arrays."

      Applet isolation is "the basic runtime security feature", and array boundary enforcement is specifically mentioned.

      JavaCard does relax some of the Java security requirements, in particular load-time verification. But Nohl's attack isn't against load-time verification; it's a straight runtime attack on the type system.

  10. MondoMan
    WTF?

    Sprint's got SIMs?

    "in the US, network operator Sprint isn't authenticating or encrypting SIM updates at all"

    Sprint, like Verizon, uses a CDMA network instead of GSM so doesn't even HAVE SIM cards in its phones.

    1. Anonymous Coward

      Re: Sprint's got SIMs?

      You were right.. until recently.

      Sprint, Verizon, and MetroPCS are all CDMA carriers, but they also have LTE networks. LTE requires the SIM card. So yes, Sprint has SIMs. Sprint's old Nextel iDEN network also used SIMs.

      The CDMA2000 spec actually had a "R-UIM", which was basically a SIM, but of course the US CDMA carriers avoided them, because they wanted lockdown.

      I have 3 Vzw LTE SIMs sitting right here, actually...

  11. smalldot

    possible to block?

    I thought it was the telcos themselves who update SIM card contents using SMS commands. Is there something to prevent telcos from filtering SMS messages based on content? In other words, if an SMS is an over-the-air command to the SIM and it did not originate from the operator's own server, delete it.
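One way to implement the filter smalldot proposes, as an added example in C (not code from the comment or from any operator's system): it classifies a message as a SIM OTA command from its TP-PID and TP-DCS fields and delivers OTA-class messages only when the originator is on an operator allowlist. The struct, the sample addresses and the allowlist are assumptions; the PID and DCS values are the standard ones from 3GPP TS 23.040 and TS 23.038.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The SMS fields an operator-side filter would look at (a constructed
 * model for this example, not a full PDU decoder). */
struct sms_meta {
    const char *originator;   /* sending address (TP-OA) */
    uint8_t     pid;          /* TP-PID */
    uint8_t     dcs;          /* TP-DCS */
};

/* Operator OTA platform addresses the SIM may take commands from (assumed). */
static const char *const OTA_ALLOWLIST[] = { "+1555010001", "+1555010002" };

/* TP-PID 0x7F is "SIM data download" (3GPP TS 23.040). */
static bool pid_is_sim_download(uint8_t pid) { return pid == 0x7F; }

/* Message class 2 is "(U)SIM specific message" (3GPP TS 23.038).  The class
 * sits in bits 1-0, valid in the 1111 coding group, or in the general group
 * (bits 7-6 == 00) when bit 4 flags that the class bits are present. */
static bool dcs_is_class2(uint8_t dcs)
{
    bool has_class = ((dcs & 0xF0) == 0xF0) ||
                     ((dcs & 0xC0) == 0x00 && (dcs & 0x10));
    return has_class && (dcs & 0x03) == 0x02;
}

/* Treat the message as an OTA SIM command if either indicator says so. */
bool is_sim_ota(const struct sms_meta *m)
{
    return pid_is_sim_download(m->pid) || dcs_is_class2(m->dcs);
}

static bool originator_allowed(const char *oa)
{
    for (size_t i = 0; i < sizeof OTA_ALLOWLIST / sizeof OTA_ALLOWLIST[0]; i++)
        if (strcmp(oa, OTA_ALLOWLIST[i]) == 0) return true;
    return false;
}

/* The policy from the comment: ordinary SMS passes untouched; OTA commands
 * are delivered only when they come from the operator's own platform. */
bool should_deliver(const struct sms_meta *m)
{
    if (!is_sim_ota(m)) return true;
    return originator_allowed(m->originator);
}

int main(void)
{
    /* Constructed samples: a normal text, an operator OTA command, and an
     * OTA-formatted message from an unknown sender. */
    const struct sms_meta samples[] = {
        { "+1555123456", 0x00, 0x00 },
        { "+1555010001", 0x7F, 0xF6 },
        { "+1555999999", 0x7F, 0xF6 },
    };
    for (size_t i = 0; i < 3; i++)
        printf("%s pid=0x%02X dcs=0x%02X -> %s\n", samples[i].originator,
               samples[i].pid, samples[i].dcs,
               should_deliver(&samples[i]) ? "deliver" : "drop");
    return 0;
}
```

Originator matching is only as trustworthy as the operator's control over sender addresses on the route the message arrived by, so a real filter would also key on the submitting SMSC or interconnect.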

    1. Dan 55 Silver badge

      Re: possible to block?

      One of the Android SMS firewall apps like this or this might stop the device forwarding the SMS to the SIM, but then again it's difficult to test...

  12. WatAWorld

    Even CEO bonuses take longer than 2 months from inception to delivery

    So 2 months is a long time for a person to leave something undone.

    But anyone who has ever worked for a big company knows nothing gets done in 2 months, unless it is legislated by government or interrupts business. Even the CEO's bonuses take longer from inception to delivery.

    In engineering, when you have the time, you want to think through and carefully consider every change. Then you want to regression test everything.

    This is why you don't get blue screens in your car's computer brakes and why basic cell phones.

    Apps, well that is usually regular computer types, so less care is taken, and we all see the results.

    Remember, for a person living or working alone a phone is a life-safety device. It is not just something for socializing. It is the one thing they have to summon help.

    When the problem is in the wild, then things change. Then the risk of bricking a person's phone is less than the risk of leaving the bug there while a fix is tested.

    Again, remember, for a person living or working alone a phone is a life-safety device. It is not just something for socializing. It is the one thing they have to summon help.

  13. Winkypop Silver badge
    Coat

    NSA's fave computer game

    The SMS

  14. Oninoshiko

    and industry wonders

    why security researchers don't bother to tell them anything, and just skip to making exploit code available to every criminal in the world.

    It's the only thing that gets them to act.

  15. despairing citizen
    Stop

    Corporate Definition of Security

    How much money can we make with this (A), how much will it cost to fix (B), how much will WE lose (C)

    IF A - (B + C) > Zero Then we define this system as secure

    This may not be the perceived standard private citizens or technologists may use, but it is the one most large corporates use (including on safety critical systems).

  16. Anonymous Coward

    It sucks

    The only good news is now that the phone companies have been advised, they can be sued once their system is compromised. THEN they will fix the problem.

  17. Knives&Faux

    Could someone 'hack' the Register website and bring it into this century, it's an example of web 1.0.

    1. Paul

      not relevant here, there's an about-the-Register forum:

      http://forums.theregister.co.uk/section/forums/vulture/reg_stuff/

      complaining there seems somewhat pointless, I've tried and been ignored.

  18. dajames
    Holmes

    I'm not surprised ...

    ... that nobody is taking this very seriously.

    Things may have improved since I last worked with JavaCard, but in those days the security was all smoke and mirrors anyway.

    The "sandbox" was not implemented on the card itself, but in the PC-based development tools used to develop cardlets. Cardlets have to be signed before they can be deployed, and the process of signing a cardlet involves putting it through a validator that checks that it doesn't make any out-of-bounds memory accesses (among other things). What seems to have happened here is that someone has succeeded in crafting a cardlet that makes an off-limits memory access that the validator suite doesn't pick up.

    The quick fix for this is to fix the validator suite so that it does catch this form of illegal access (and make sure that your signing process includes validation of all cardlets using the updated validator -- don't let developers sign their own cardlets).

    The bigger problem, though, is that the sandbox is not on the card -- and there's no fix for that for existing cards (and unlikely to be any fix in future, as runtime validation is considered too great a computational load to run on-card).
