SIM cards are among the most widely-deployed computing platforms with over 7 billion cards in active use. Cracking SIM cards has long been the Holy Grail of hackers because the tiny devices are located in phones and allow operators to identify and authenticate subscribers as they use networks.
A German cryptographer Karsten Nohl, the founder of Security Research Labs claims to have found encryption and software flaws that could affect millions of SIM cards, and allows hackers to remotely gain control of and also clone certain mobile SIM cards.
This is the first hack of its kind in a decade. Nohl will be presenting his findings at the Black Hat security conference this year. He and his team tested close to 1,000 SIM cards for vulnerabilities, exploited by simply sending a hidden SMS.
According to him, Hackers could use compromised SIMs to commit financial crimes or engage in espionage. Once a hacker copies a SIM, it can be used to make calls and send text messages impersonating the owner of the phone.
The exploit only works on SIMs that use an old encryption technology known as DES. DES is used in around three billion mobile SIMs worldwide, of which Nohl estimates 750 million are vulnerable to the attack.
GSMA, which represents nearly 800 mobile operators, will notify telecommunications regulators and other government agencies in nearly 200 countries about the potential threat and also reach out to hundreds of mobile companies, academics and other industry experts.
Nohl believes that cyber criminals have already found the bug. Now the theoretical details of the vulnerability is out, he expects it would take them at least six months to crack it, by which time the wireless industry will have implemented available fixes.