German cryptographer Karsten Nohl claims to have broken the encryption standard on certain types of SIM cards. The exploit could allow a virus to be uploaded and then carry out payment system fraud, redirect and record calls, and more.
Nohl says that which cards are affected varies by country and carrier, since encryption standards vary between countries. According to his estimates, about an eighth of the world’s SIM cards could be affected, or about half a billion devices.
This marks the first time SIM cards have been compromised, as until now it was thought that SIM cards were unhackable. The Data Encryption Standard (DES), an encryption scheme developed back in the 1970s, has finally been cracked, though.
The four major German carriers, as well as Verizon and AT&T in the US, have since commented that their SIM cards are not vulnerable. AT&T has even said that it moved on to triple DES (3DES) almost 10 years ago.
Nohl claims that the dated security standard and badly implemented Java Card code could allow him to compromise the encryption keys of certain SIM cards in less than a minute. He has since shared his findings with various carriers and the GSMA in an effort to help close the exploit before it becomes widespread amongst cybercriminals.
Nohl is expected to share his findings at the Black Hat security convention in Las Vegas on July 31.