Hackers can remotely gain control over and clone mobile phone SIM cards to commit financial crimes or engage in eavesdropping, German researchers have found.
The research results, which have been presented to the Geneva-based International Telecommunications Union, have been described as "hugely significant".
"These findings show us where we could be heading in terms of cyber security risks," ITU Secretary General Hamadoun Touré told Reuters, adding the agency would notify telecommunications regulators and other government agencies in nearly 200 countries about the potential threat.
Karsten Nohl, the leader of the Berlin’s Security Research Lab based team, who has identified the risk, said the technique only works on SIMs that use the old DES encryption technology. According to the estimates, these might account for at least 500 million phones susceptible to the attacks. Nohl said he believed the number of vulnerable devices could eventually grow, if other researchers start looking into the issues that have been identified and find further vulnerabilities.
Hackers have been trying to figure out how to crack SIM cards for many years. Access to data stored on these tiny devices located in the phones of authorised users would enable the malevolent agents to act in disguise, seemingly on behalf of the victims.
"We become the SIM card. We can do anything the normal phone users can do," Nohl said. "If you have a MasterCard number or PayPal data on the phone, we get that too," if it is stored on the SIM, he said.
The good news is the technique only allows access to data stored on the SIM – payment applications, using the phone’s internal memory and no the SIM, are safe. However, Nohl has warned that there are other handy approaches to steal such information.
GSMA, the international association of mobile phone operators, has also reviewed the research. "We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted," said GSMA spokeswoman Claire Cranton.
According to Karsten Nohl, the biggest portion of the most vulnerable devices is probably located in Africa, where payment operations are regularly run through apps storing data directly on SIM cards. The type of the mobile phone or the operation system used doesn’t have any effect on the susceptibility.
The German team will publicly present the detailed findings at the Black Hat hacking conference in Las Vegas at the end of July.