SIMs Pwned With One Message! (Only About A Decade Too Late)

Written by Frank Hayes
July 31st, 2013
We were going to do an in-depth teardown this week of one of the scariest-sounding cyberthreats we'd ever heard of: the ability to take control of a mobile phone just by sending it a carefully crafted malicious text message. The implications for mobile commerce, mobile payments and even in-store use of mobile phones sounded catastrophic for retailers. And based on early media descriptions of the work of Karsten Nohl, a security researcher at SR Labs in Berlin, it looked like a quarter of GSM phones might be at risk.

Then it was more like 10 percent of all phones. Now it turns out that, in the U.S. at least, SIMs that use 56-bit DES encryption—the security weakness that the attack depends on—haven't been sold for "at least seven years" by T-Mobile, "nearly a decade" by AT&T, and never by Verizon or Sprint. That means there's still a potential risk to any customer with a decade-old phone, but there are probably not enough of those customers to make them worthwhile targets for thieves. That makes Nohl's talk at Black Hat this week in Las Vegas interesting, but largely academic—which is exactly the way we prefer our cyberthreats.