updated 11:44 pm EDT, Thu August 1, 2013
Carriers update SIM cards with Java flaw, preventing costly recall
By exploiting the same Java-based flaw that caused the problem in the first place, most major wireless carriers have fixed a critical problem with SIM cards crucial to mobile phones that could have revealed personal data from cellphones to malicious parties. The counter-hack saved the wireless industry millions of dollars that it would have cost to replace all the affected SIM cards.
The vulnerability was discovered by cryptographer Karsten Nohl of the German Security Research Labs. Nohl's research found that two targeted SMS texts could allow a hacker to send premium text messages, re-direct and record calls and potentially undertake payment system fraud of near-field communication (NFC)-equipped devices.
According to Nohl, the bug is the result of incorrectly configured and outdated Java card software, combined with weak encryption keys. There is no way of the user determining if a SIM card has the vulnerable version of the software. Nohl's testing discovered that some shipments could be compromised, while others had newer code, protecting them from intrusion. Around a quarter of the cards Nohl and his team tested were vulnerable, translating to around 500 million devices with susceptible SIM cards worldwide.
Regarding the unique fix, Nohl praised the wireless companies. "They're adopting hacking methods to make it more secure," he said at the Black Hat conference. "Abusing the Java vulnerabilities to update the card is the neatest outcome of this."