Earlier today, computer security expert Karsten Nohl revealed that millions of cell phone users could be at risk due to a vulnerability in their SIM cards. A malicious user can send a special message to the SIM card and take control of your phone.
Whenever a company releases a SIM card update, it does so using a binary SMS message. Unlike the regular SMS messages that texters are familiar with, the binary SMS message is sent directly from the company to the SIM card. "It's used a lot in manufacturing functions," Nohl told ABC News.
Hackers first send out a binary SMS to the phone they are attacking. They receive an error message from the phone, but that error message is digitally signed with a cryptographic signature. The hacker can reverse engineer the signature to reveal a key, which can then be exploited to send their own text messages, change the phone's voicemail number, or install their own apps on that phone. "All in all, the process takes about three minutes," said Nohl.
Nohl posted his preliminary findings here, and is also due to speak on them at the Black Hat USA conference later this month. He told the BBC that many of the vulnerable SIM cards are based on a 1970s technology called the Data Encryption Standard (DES). A malicious user on a regular computer can crack DES within two minutes. They can send texts to premium rate numbers and download their own apps to your phone. Even worse, they can also listen in on your voicemail, change your voicemail number, and track your location. How sneaky is this? If the hacker is smart about it and neither downloads apps nor changes the voicemail number, a hacked user doesn't even know anything is wrong until he or she gets the next cell phone bill.
According to Nohl, roughly one-eighth of the world's SIM cards--as many as 700 million phones--are susceptible to this vulnerability. AT&T and T-Mobile say that so far, none of their customers are among them. So far, anyway.