SIM flaw boosts mobile data container argument

With 40-year-old encryption found on Subscriber Identification Module cards, researcher says at least 500 million phones may be vulnerable


The discovery of 40-year-old encryption standards in the SIM cards in possibly hundreds of millions of mobile phones bolsters the argument for isolating corporate data in devices.

Karsten Nohl, a cryptographer with Security Research Labs, reported recently that he could trick a phone into sending him the private key used in encrypting data stored in the Subscriber Identification Module, commonly known as a SIM card.

Because of the age of the encryption, the key can be broken in a couple of minutes and then used to sign malware that can be sent to the phone as an update to the device.

SIM cards are found in 7 billion mobile phones worldwide, but how many use the outdated Data Encryption Standard is up for debate.

Nohl estimates at least 500 million phones are vulnerable to the attack. The International Telecommunication Union, an agency within the United Nations, told Reuters the finding was "hugely significant," and said it notified regulators and other government agencies in nearly 200 countries.

On the other hand, the GSM Association, a mobile communication trade group, said in a statement that the older standard was in a "minority" of SIM cards and was not used in today's devices.


"The impact of the vulnerability does really come down to the extent of the DES-based SIM deployment," said Jon Oberheide, chief technology officer for mobile authentication vendor Duo Security. "It's not surprising that GSMA is trying to downplay the impact while SRL is trying to bring broad attention to the issue, so I'd expect the truth to be somewhere in between."

Fixmo, which provides technology that isolates corporate data from a SIM card and from software on a device, said the finding presented a good argument for using its "container technology."

"One option is to disallow storing data on SIM cards using [mobile device management, or MDM] policy controls, though the depth of these controls vary greatly by device and platform," Tyler Lessard, chief marketing officer for Fixmo, said in a soon-to-be-published blog sent to CSOonline.

"Another option is to use containerization technology to ensure that no corporate data moves outside the controlled container environment on the device, effectively disallowing it to move to any external media such as the SIM card or a [Secure Digital, or SD, memory card]."

Fixmo is one of many vendors that provide some type of container technology. Others include Good Technology and Mocana. Samsung this year released its Knox architecture for Galaxy phones and tablets, which the Pentagon has approved for government and military use.

Carriers use the encryption technology in SIM cards in authenticating software updates. Nohl found that if he sent a binary code via text messaging to a device using a DES-based SIM card, the phone would reject the unsigned code and send back an error code containing the card's 56-bit private key, which could be easily cracked using well-known techniques.

The decrypted key could then be used to sign malicious software updates that the device would mistake as coming from a legitimate source.

"The attack vector of getting the SIM to cough up a signature in order to brute-force the small DES key space is clever," Oberheide said.
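The design weakness Oberheide describes, a card that answers a rejected message with a signed reply while its key space is small, can be shown with a toy model that also covers the two fixes: stop signing error replies, or use a key too large to search. This is an added example, not code from Nohl's research or from the article; the `ToyCard` class, the HMAC-SHA256 stand-in for DES and the 16-bit demo key are assumptions chosen so it runs on the Python standard library alone.

```python
import hashlib
import hmac
from typing import Optional, Tuple


def mac(key: int, message: bytes, key_bytes: int) -> bytes:
    """Keyed tag standing in for the card's signature (assumption: HMAC-SHA256, not DES)."""
    return hmac.new(key.to_bytes(key_bytes, "big"), message, hashlib.sha256).digest()[:8]


class ToyCard:
    """Hypothetical card model: accepts only commands carrying a valid tag."""

    def __init__(self, key: int, key_bits: int, sign_errors: bool):
        self.key, self.key_bytes, self.sign_errors = key, key_bits // 8, sign_errors

    def handle(self, command: bytes, tag: bytes) -> Tuple[bytes, Optional[bytes]]:
        if hmac.compare_digest(tag, mac(self.key, command, self.key_bytes)):
            return b"OK", None
        error = b"ERR:bad-signature"
        # Weak design: signing the error reply gives any sender a known
        # (message, tag) pair that key guesses can be checked against offline.
        error_tag = mac(self.key, error, self.key_bytes) if self.sign_errors else None
        return error, error_tag


def offline_search(error: bytes, tag: bytes, key_bits: int, budget: int) -> Optional[int]:
    """Exhaustive key search against one captured reply, capped at `budget` guesses."""
    for guess in range(min(1 << key_bits, budget)):
        if hmac.compare_digest(mac(guess, error, key_bits // 8), tag):
            return guess
    return None


def audit(card: ToyCard, key_bits: int, budget: int = 1 << 17) -> str:
    """Classify a card by what a single rejected, unsigned command reveals."""
    error, tag = card.handle(b"unsigned-update", b"\x00" * 8)
    if tag is None:
        return "no signed error reply: nothing to search against"
    found = offline_search(error, tag, key_bits, budget)
    return "key recovered" if found == card.key else "signed reply, key space exceeds budget"


if __name__ == "__main__":
    # Constructed cases: 16-bit key (toy stand-in for a small key space) vs. 128-bit key.
    print(audit(ToyCard(0xBEEF, 16, sign_errors=True), 16))
    print(audit(ToyCard(0xBEEF, 16, sign_errors=False), 16))
    print(audit(ToyCard(0x0123456789ABCDEF0123456789ABCDEF, 128, sign_errors=True), 128))
```

Either change alone defeats the search in this model; the 16-bit key only keeps the demonstration fast and says nothing about real DES timing.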

Copyright © 2013 IDG Communications, Inc.
