The technique went beyond sim cloning
by Lucys Xig
If you thought government analysts intercepting your phone's metadata was bad, here is something potentially more frightening: cyber crooks hijacking your phone to eavesdrop, impersonate you and ransack your accounts.
A German cryptographer says he has discovered encryption and software flaws in hundreds of millions of phones, leaving them vulnerable to attack.
Karsten Nohl revealed his findings fully and publicly for the first time at the Black Hat conference of hackers in Las Vegas on Wednesday, startling peers who had considered sim cards to be relatively safe technology.
Nohl, 31, a respected hacker and specialist on phone security, said the vulnerability allowed outsiders to obtain a sim card's digital key, a 56-digit sequence that exposes the chip to manipulation.
"What this means is that your sim card can work against you. The hacker can redirect calls, rewrite numbers, listen in on calls." A criminal hacker, using an ordinary computer, could also commit payment fraud by remotely controlling your phone.
Nohl's team at Security Research Labs in Berlin experimented on more than 1,000 sim cards during a two-year investigation.
"The hacker starts by sending a text message to the sim card that the user doesn't even get to see, and the sim card in some cases responds with data that can be run through with cryptanalysis. The resulting cryptographic key allows the hacker to send well-signed Java software to the sim card. And then do all kinds of stuff."
The technique went beyond sim cloning, a well-known practice based on breaking the authentication algorithms of old cards, he told the Guardian before his presentation. "This time we break underneath the authentication algorithm pretty much everything that was stored in the card."
The bug was rooted in a four-decade-old coding method known as data encryption standard (DES), which is used in about half the world's 6bn mobile phones. Many now use an upgraded method known as Triple DES but those that used the old version were vulnerable, he said.
Nohl has estimated that more than 500m GSM devices were affected. He notified the London-based GSM Association earlier this year to give manufacturers and operators time to start plugging the encryption hole before demonstrating his findings at Black Hat, an annual gathering of cyber security professionals.
Some companies had responded "extremely fast" and begun patching the vulnerability, said Nohl. He believed even the slower ones would have a sufficient head start on criminals, who would need at least six months to exploit the knowledge he shared this week.
The industry had an incentive to be proactive because the bug would let criminals siphon revenue directly, he said. Several manufacturers and operators confirmed to the New York Times and Forbes that they were investigating Nohl's findings and were confident modern sim cards were secure.
Joanne Harris and Jessi Duff have been together for 11 years and want to marry at home in Virginia. They had a commitment ceremony back in 2006, which was meaningful to them, but even their four-year-old son Jabari knows that they aren't actually married; he wants them to "really get married," and soon. At a young age, he knows that marriage is the language of commitment in our culture, he knows that his parents have made that commitment, and he doesn't get why they can't marry. In addition, Joanne and Jessi worry that if Joanne's epilepsy causes her to be incapacitated, Jessi may not be able to make medical decisions for her since Virginia considers her a legal stranger, plus Joanne's family hasn't always supported their relationship and doesn't agree with Joanne's wishes regarding end-of-life decision-making.
After hoping for years to be able to marry in Virginia, Christy Berghoff, an Air Force veteran, and Victoria Kidd finally got married in DC two years ago after that became a possibility. But because of Virginia's marriage law, Christy is considered married when she's at her job in DC on weekdays, but loses that marriage (at least in the eyes of the Commonwealth) during her commute home to see Victoria and their eight-month-old daughter Lydia in the evenings. It's also frustrating to Christy and Victoria that, as a married veteran, Christy should be able to qualify for a home loan from the Veterans' Administration. But since Virginia considers Christy and Victoria to be unmarried, they are not eligible for the full VA home loan guarantee that married heterosexual couples would get.
We're counting on these stories, as well as those in the marriage cases the ACLU has pending in Pennsylvania, North Carolina, Illinois, and New Mexico, to convince the courts that marriage discrimination isn't fair, that it harms people who have made the commitment at the heart of marriage, and that once you're married, you're married. People's marriages shouldn't blink on and off like cellphone service as they travel from work to home or from state to state.