So, another security scare that never was?
Anyway, since theSIM remains the property of the carrier, it could be argued that they were only hacking their own systems, in order to fix the vulnerability. They haven't actually hacked anyone's phone.
A terrifying weakness at the heart of global mobile phone security has turned into a damp squib: networks scrambled so fast to patch the flaw that the researcher behind the discovery isn't making the details public. It's claimed five carriers pushed out fixes to their customers by exploiting the bug. The flaw was supposed to …
"...another security scare that never was?"
As the article notes in the last paragraph, it's more likely that this was a serious flaw, as he said, but that's it's been fixed, as he said.
Sorry to be all cynical about your cynicism, but maybe, just maybe, the expert guy knows what he's talking about?
"Only, it turns out the cryptography isn't weak, the process is controlled and the undisclosed flaw remains undisclosed."
56-bit DES is still excessively weak; he was eliciting a known (in plain text) response from the SIM and using a rainbow table to get the key. Which will still work as far as I know. As for the attack... I don't know the details, but here's a few interesting points:
1) JavaCard does away with the code verifier that standard Java has, in recognition of the limited die size and storage space of the JavaCard device. I do believe most code that'd try to read or write outside your program's address space would be caught by the verifier.
2) JavaCard implementation specs permit an MMU but do not demand one; it looks like some implementations use no hardware security (relying on the virtual machine to catch faults), some use an MMU (which would make this attack difficult.) Some use a setup where they encrypt each program's address space with a different key, no MMU but the assumption would be without knowing the key one may be able to crash another app by writing garbage into it's address space, but not patch it to do nefarious things. Of course if they were using some app key, the SIMs will all have the same apps with same keys, and the apps could in fact be patched since the crypto key is already known.
I'm guessing the JavaCard on these SIMs uses no MMU, and the JavaCard software was simply updated to close whatever exploit was being used to write outside the apps' address space.
Some day last week, or maybe it was over the weekend, my phone crashed. This isn't a normal thing for me as this C905a has been stable since I got it. (The K850i was another story altogether, but I digress.) It occurred to me today that maybe AT&T was probing SIMs to look for vulnerable ones and my SonyEricsson didn't react well to the probing. It crashed once, then after rebooting it crashed again, like since the first hit didn't elicit a response maybe we need to hit it again.
Maybe. Who knows.