It took a long time but the humble SIM card that sits within your phone, along with at least seven billion others, has finally been hacked. Of the seven billion modern SIM cards in circulation, it is suspected that hundreds of millions (yes, hundreds of millions) are susceptible. What does this mean? The hacks allow a would-be attacker to infect your SIM with a virus that sends premium text messages, or records your phone calls — and, in some cases, access the secure, sandboxed details stored on your SIM by mobile payment apps, giving a hacker access to your bank and credit card details.
SIM cards are not merely a piece of laminated memory that stores the data that your phone needs to connect to a cellular network. In actuality, the SIM card in your phone is actually a small computer, with memory, a processor, and even an operating system. As you can see in the diagram below, there is a chip beneath those gold contacts, and on that chip there is a processor, ROM (firmware that stores the OS and SIM apps), EEPROM (which stores your phone book, settings, patches), and RAM (for use by the SIM’s OS and apps). In the photo below of a disassembled SIM card, you can clearly see that this is quite a complex computer chip.
Unfortunately, like any computer chip that runs an operating system and apps, a SIM card can be hacked. In this case, modern SIM cards run a very simple OS that loads up Java Card — a version of the Java virtual machine for smart cards (of which SIMs are a variety of). Java Card essentially runs small Java applets, and each applet is encapsulated and firewalled (sandboxed) by the Java VM, preventing sensitive data from leaking to other apps. Your phone interacts with these apps via the SIM Application Toolkit (STK) to display information on your screen, and to interact with the outside world. To load apps onto the SIM or to update them, hidden text messages are sent by the carrier, containing over-the-air (OTA) programming in binary form. These messages are signed with a cryptographic key, so that the SIM knows that these messages have originated from a trusted source.
Now, German security researcher Karsten Nohl has discovered a way of finding out that all-important cryptographic key. By sending his own OTA (over the air) SMS’s that aren’t signed with the correct key, he discovered that some phones pop up an error message that contains a cryptographic signature. Then, using rainbow tables (a list of plaintext keys/passwords and their encrypted equivalent), Nohl found he could discover the SIM card’s cryptographic key in about one minute. Once he had this key, he could send apps and viruses to the SIM card that can send premium text messages (racking up huge bills), re-route or record calls, collect location data — you name it, with access to the SIM, you can do just about anything.
And if that was not enough Nohl also found a separate bug in Java Card, essentially an out-of-bounds error (asking for the sixth item in a list when the list only contains five items), that can give an app/virus full root access to your SIM card — effectively breaking out of the sandboxing provided by the Java Card VM. With root access, these malicious apps could then obtain any data stored on your SIM, including your address book, or sensitive banking details stored by mobile payment apps.
According to Nohl, he estimates that out of 100 mobile phones, he could gain root access to the SIM card on 13 of them. SIM cards that use newer, stronger encryption (Triple DES), don’t appear to be susceptible to these attack vectors. Verizon and AT&T say they are not vulnerable to the vulnerabilities exposed by Nohl. In essence, mitigation of this attack comes down to the encryption standard used by your SIM card — so if you use a SIM that’s more than a few years old, you should probably get a new one. Most carriers will provide a new SIM if you ask and I would bet especially if you mentioned your knowledge of this new problem.