
DES SIM card vulnerability. Is there any reason for concern?


Yesterday, an article entitled “750 million mobile phones are vulnerable to attackers due to insufficiently protected SIM cards” was published on Habr. Habr was one of many online resources that published information about a vulnerability found in SIM cards. The news spread like lightning: a Google search for "750 million SIM-cards" returns 159,000 results. In this article I will try to describe in more detail what threat this vulnerability poses and whether there is cause for concern.

750 million mobile phones hacked. Really?


My work is quite closely related to SIM cards, so yesterday I received more than a dozen links to various articles touching on this problem from colleagues, friends and acquaintances. Unfortunately, when journalists write articles on such topics, they “slightly” distort the essence. This happens either by chance (due to the small number of specialists in this field who could give an expert assessment) or deliberately (in pursuit of high ratings), but some articles are written so ominously that any mobile phone user cannot help but feel there is cause for concern.

Example 1
A screaming headline on utro.ru reports that 750 million mobile phones have already been hacked.


Example 2
vesti.ru reports that every fourth SIM card can be infected with a virus.

Example 3
“750 million SIM cards are easy to hack using SMS.” I doubt very much that there are many craftsmen for whom it really will be easy.


In reality, the problem is not as terrible as journalists of respected publications make it out to be.

A few technical details


We are not talking about a virus that infects SIM cards. A virus, first of all, is able to replicate on its own. Here, a SIM card attacked through the vulnerability cannot gain remote access to another SIM card, so this is not a virus but a remote attack on a SIM card.

A remote attack is possible only on cards that meet all of the following conditions at the same time:
  1. The card supports OTA (over-the-air), a technology that allows a SIM card to be controlled remotely by sending special binary messages to it. Using such messages, operators can
    • change the SIM menu and write new content provider offers to the card
    • change the network name that is displayed on the phone screen (some operators used this trick during rebranding)
    • write to the card a list of networks for priority registration in roaming, etc.
  2. The SIM card supports the PoR function. PoR (proof of receipt) is a function that, in response to an OTA message, sends back the result of the command execution. In practice, not all SIM cards support this feature.
  3. The OTA message is encrypted using the DES algorithm.

Reading an SMS, sending an SMS or making calls from a victim's SIM card is possible only if the card supports Java Card. Java Card is a special programming language that allows you to create standard applications for SIM cards.

SIM cards with Java support cost slightly more than SIM cards with the same amount of memory but without Java support. That is why many operators do not buy Java cards.

How big is the danger and is it possible to avoid hacking?


Three methods of protection against this attack are available:
  1. Malicious OTA messages can be filtered at the network level. A kind of firewall is used which, as messages pass through the SMS center, cuts off SMS with characteristic signs. Malicious messages are then simply not delivered to the victim’s number (SIM card).
  2. Updating SIM cards using OTA messages. Depending on the type of card, the operator can remotely change the DES algorithm to 3DES on your SIM card, block the possibility of installing Java applets on the SIM, etc.
  3. Physical replacement of the SIM card with a newer SIM that cannot be subjected to the described attack.
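
The header check behind methods 1 and 2, as an added example (not code from the original article): it decodes the security bytes of an OTA command packet and flags one that requests a PoR while protected with single DES. The field layout is an assumption taken from ETSI TS 102 225, the checksum key (KID) is checked as well as the cipher key, and the sample packets are constructed.

```python
# Added example. Field layout assumed from ETSI TS 102 225 (not from the article):
# CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1) RC/CC/DS payload
INTEGRITY = ("none", "RC", "CC", "DS")
POR_MODES = ("none", "always", "on-error", "reserved")
DES_MODES = ("DES-CBC", "3DES-2key", "3DES-3key", "DES-ECB")
SINGLE_DES = {"DES-CBC", "DES-ECB"}


def key_algorithm(key_byte: int) -> str:
    """Decode the low nibble of a KIc/KID byte into an algorithm label."""
    family = key_byte & 0x03
    if family == 0x01:  # DES family; bits 4-3 select the mode
        # For KID, mode 3 is reserved rather than ECB; it is treated as weak here.
        return DES_MODES[(key_byte >> 2) & 0x03]
    return {0: "implicit", 2: "reserved-or-AES", 3: "proprietary"}[family]


def audit_header(packet: bytes) -> dict:
    """Report whether a command packet header meets the article's conditions."""
    if len(packet) < 16:
        raise ValueError("truncated command packet header")
    cpl, chl = int.from_bytes(packet[:2], "big"), packet[2]
    if cpl != len(packet) - 2 or chl < 13 or 3 + chl > len(packet):
        raise ValueError("inconsistent length fields")
    spi1, spi2, kic, kid = packet[3:7]
    report = {
        "ciphered": bool(spi1 & 0x04),
        "integrity": INTEGRITY[spi1 & 0x03],
        "por": POR_MODES[spi2 & 0x03],
        "kic": key_algorithm(kic),
        "kid": key_algorithm(kid),
        "tar": packet[7:10].hex(),
    }
    weak_cipher = report["ciphered"] and report["kic"] in SINGLE_DES
    weak_mac = report["integrity"] == "CC" and report["kid"] in SINGLE_DES
    por_on = report["por"] in ("always", "on-error")
    report["at_risk"] = por_on and (weak_cipher or weak_mac)
    return report


def build_sample(spi1: int, spi2: int, kic: int, kid: int) -> bytes:
    """Constructed packet: dummy TAR, zero counter, zero checksum, zero payload."""
    header = bytes([spi1, spi2, kic, kid]) + bytes.fromhex("a1b2c3") + bytes(5 + 1 + 8)
    body = bytes([len(header)]) + header + bytes(4)
    return len(body).to_bytes(2, "big") + body


if __name__ == "__main__":
    print(audit_header(build_sample(0x06, 0x09, 0x11, 0x11)))  # single DES, PoR on
    print(audit_header(build_sample(0x06, 0x09, 0x15, 0x15)))  # two-key 3DES
```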

Fortunately for many SIM card holders, Karsten Nohl is a so-called “white hat” hacker. After the vulnerability was discovered (about 3 months ago), Mr. Nohl reported it to the GSM Association, which in turn notified the mobile operators. Thus, the operators had enough time to analyze the possible threat and take measures to prevent it.

Source: https://habr.com/ru/post/187542/

