Source - http://www.forbes.com/
By - Parmy Olson
Category - Hotel Reservations In Santa Clarita
Posted By - Hampton Inn Santa Clarita
By - Parmy Olson
Category - Hotel Reservations In Santa Clarita
Posted By - Hampton Inn Santa Clarita
 |
| Hotel Reservations In Santa Clarita |
Smartphones are susceptible to malware and carriers have enabled NSA
snooping, but the prevailing wisdom has it there’s still one part of
your mobile phone that remains safe and un-hackable: your SIM card.
Yet after three years of research, German cryptographer Karsten Nohl
claims to have finally found encryption and software flaws that could
affect millions of SIM cards, and open up another route on mobile phones
for surveillance and fraud.
Nohl, who will be presenting his findings
at the Black Hat security conference in Las Vegas on July 31, says his
is the first hack of its kind in a decade, and comes after he and his
team tested close to 1,000 SIM cards for vulnerabilities, exploited by
simply sending a hidden SMS. The two-part flaw, based on an old security
standard and badly configured code, could allow hackers to remotely
infect a SIM with a virus that sends premium text messages (draining a
mobile phone bill), surreptitiously re-direct and record calls, and —
with the right combination of bugs — carry out payment system fraud.
Payment fraud could be a particular problem for mobile phone users in
Africa, where SIM-card based payments are widespread. The deployment of
so-called NFC payment technology, already slow to take off, could also
be at risk, Nohl says, as well as the ability for carriers to track
charges to each caller’s account.
There’s no obvious pattern to the flaw beyond the premise of an older encryption standard. “Different shipments of SIM cards either have [the bug] or not,” says Nohl, who is chief scientist at risk management firm Security Research Labs. “It’s very random.”
There’s no obvious pattern to the flaw beyond the premise of an older encryption standard. “Different shipments of SIM cards either have [the bug] or not,” says Nohl, who is chief scientist at risk management firm Security Research Labs. “It’s very random.”
In his study, Nohl says just under a quarter of all the SIM cards he
tested could be hacked, but given that encryption standards vary widely
between countries, he estimates an eighth of the world’s SIM cards could
be vulnerable, or about half a billion mobile devices.
Nohl, who was profiled by Forbes’ Andy Greenberg in 2011 for his work on breaking mobile encryption standards, believes it unlikely that cyber criminals have already found the bug. Now that word of the vulnerability is out, he expects it would take them at least six months to crack it, by which time the wireless industry will have implemented available fixes.
That effort may already be underway. Nohl says at least two large carriers have already tasked their staff with finding a patch for the SIM vulnerability, which they will share with other operators through the wireless trade body GSMA.
“Companies are surprisingly open to the idea of working cooperatively on security topics because the competition is somewhere else,” says Nohl. “The competition is organized crime, not AT&T versus T-Mobile.” (The situation in similarly in finance, where payment services like MasterCard, Visa, and American Express will work together under industry association EMVco to improve security standards for smart cards.)
The market for SIMs is almost entirely fed by mobile carriers, and supplied by two leading global vendors, Gemalto and Oberthur Technologies. Both have profited heavily from the huge growth in mobile handsets: ten years ago there were 1 billion SIM cards worldwide, and today there are more than 5 billion, says ABI Research analyst John Devlin, though the market is slowly reaching a plateau. SIMs are thought to be one of the most secure parts of a phone, he added, and as the carrier’s property, are “key to their relationship between you and I, the subscriber.”
Vodafone would not answer questions about the level of encryption its SIM cards used, and referred all media questions to GSMA. Both Verizon and AT&T said they knew of Nohl’s research, but said their SIM profiles were not vulnerable to the flaw. AT&T added that it had used SIMs with triple Data Encryption Standards (3DES) for almost a decade; Verizon did not specify why its SIMs were not vulnerable.
The London-based GSMA said it had looked at Nohl’s analysis and concurred that “a minority of SIMs produced against older standards could be vulnerable.” It said it had already provided guidance to network operators and SIM vendors who could be impacted by the flaw. “There is no evidence to suggest that today’s more secure SIMs, which are used to support a range of advanced services, will be affected,” a spokesperson added.
Nohl, who was profiled by Forbes’ Andy Greenberg in 2011 for his work on breaking mobile encryption standards, believes it unlikely that cyber criminals have already found the bug. Now that word of the vulnerability is out, he expects it would take them at least six months to crack it, by which time the wireless industry will have implemented available fixes.
That effort may already be underway. Nohl says at least two large carriers have already tasked their staff with finding a patch for the SIM vulnerability, which they will share with other operators through the wireless trade body GSMA.
“Companies are surprisingly open to the idea of working cooperatively on security topics because the competition is somewhere else,” says Nohl. “The competition is organized crime, not AT&T versus T-Mobile.” (The situation in similarly in finance, where payment services like MasterCard, Visa, and American Express will work together under industry association EMVco to improve security standards for smart cards.)
The market for SIMs is almost entirely fed by mobile carriers, and supplied by two leading global vendors, Gemalto and Oberthur Technologies. Both have profited heavily from the huge growth in mobile handsets: ten years ago there were 1 billion SIM cards worldwide, and today there are more than 5 billion, says ABI Research analyst John Devlin, though the market is slowly reaching a plateau. SIMs are thought to be one of the most secure parts of a phone, he added, and as the carrier’s property, are “key to their relationship between you and I, the subscriber.”
Vodafone would not answer questions about the level of encryption its SIM cards used, and referred all media questions to GSMA. Both Verizon and AT&T said they knew of Nohl’s research, but said their SIM profiles were not vulnerable to the flaw. AT&T added that it had used SIMs with triple Data Encryption Standards (3DES) for almost a decade; Verizon did not specify why its SIMs were not vulnerable.
The London-based GSMA said it had looked at Nohl’s analysis and concurred that “a minority of SIMs produced against older standards could be vulnerable.” It said it had already provided guidance to network operators and SIM vendors who could be impacted by the flaw. “There is no evidence to suggest that today’s more secure SIMs, which are used to support a range of advanced services, will be affected,” a spokesperson added.
No comments:
Post a Comment