Up to 750 million mobile phones could be hacked
Karsten Nohl, 31, a German leader of Security Research Labs, said his group has managed to crack the “Holy Grail” of mobile phones: SIM cards, which contain key phone user data and allow operators to identify subscribers as they use networks.
They found that SIMs based on the Data Encryption Standard (DES), a security standard that is becoming obsolete but is still used on at least one out of eight SIMs around the world, could be affected by a bug that gives a hacker total remote control of a user’s phone.
“We become the SIM card. We can do anything the normal phone users can do. If you have a MasterCard number or PayPal data on the phone, we get that too,” Nohl said.
“More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account.”
The hacker said it took him a minute to decrypt the phone code with the use of unseen over-the-air (OTA) text messages that are sent to mobile phones’ operators to change the user’s settings. Once he has finished with the code, he can control a phone from his own computer without the person ever suspecting anything.
Around 750 million mobile phone users might be in danger, according to Nohl. His research team has estimated that Africans are the most vulnerable users, as banking is widely done there via mobile payment systems with credentials stored on SIMs.
All types of phones are at risk of hacking, including iPhones from Apple Inc, phones that run Google Inc's Android software, and BlackBerry Ltd smartphones, representatives at Security Research Labs said.
Karsten Nohl has already warned the UN and companies about his findings and hopes they will fix the issue before hackers repeat his feat. He will disclose the details of SIM cracking at the Black Hat hacking conference that opens in Las Vegas on July 31.
The UN’s ITU described the research conducted by Nohl’s team as “hugely significant”, because it shows “where we could be heading in terms of cyber-security risks”.
In statements acknowledging the flaw, the companies said they are working on fixing it, while authorities tried to calm ordinary users, saying that there is no immediate threat of criminal damage.
“This is not what hackers are focused on,” said John Marinho, Vice President of Technology and Cybersecurity at CTIA. “This does not seem to be something they are exploiting.”
Voice of Russia, RT, Reuters