A mobile security expert in Germany says he found a flaw in the encryption technology of some mobile phone SIM cards holding personal and payment details.
Karsten Nohl, founder of Security Research Labs in Berlin, told The New York Times he was able to access the SIM card's digital key and send a virus to the card through a text message.
The hack allowed Nohl to eavesdrop on calls and make mobile payments through the phone. In some mobile payment models, the SIM card on the handset holds a consumer's personal and payment card data. In other models, those details are stored in a cloud-based server.
Nohl predicts that as many as 750 million mobile phone users could be affected by such a hack, and he plans to advise technology companies on how to protect against this attack at the Black Hat conference on July 31 and Aug. 1 in Las Vegas. Security Research Labs has also posted information about the findings on its website.
"We can remotely install software on a handset that operates completely independently from your phone," Nohl told the Times. "We can spy on you."
Nohl shared his research with the Global System for Mobile Communication Association, which in turn has alerted network providers and SIM vendors about the older Data Encryption Standard, or D.E.S., that Nohl was able to hack, according to the Times. Two prominent SIM card providers (Gemalto, a Dutch company, and Giesecke & Devrient, based in Germany) acknowledged to the Times that they received information from the association related to Nohl's findings.
Gemalto said it was studying Nohl's first outline, while Giesecke & Devrient told the Times that it had begun to phase out SIM cards using the D.E.S. encryption in 2008, and that its SIM card would not be vulnerable to the attacks that Nohl used.
Nohl told the Times such a hack would allow a criminal to steal data from the SIM card, steal the consumer's mobile identity, and charge payments to a mobile account. Nohl could not be reached for comment prior to deadline.
Security Research Labs says chipmakers and SIM card vendors can defend against potential exploitation by using "state-of-art cryptography with sufficiently long keys" and implementing secure Java virtual machines.
In addition, handsets need a text-message firewall that users could set up to allow messages from trusted sources while discarding others, the lab says.
Finally, mobile networks should also provide text-message filtering for binary data messages, which appear directly on a phone's screen rather than a message inbox.