Hundreds of millions of mobile phone owners worldwide risk hackers breaking into their bank accounts and private data due to a flaw in Sim card software.
A hacker has revealed crooks could bust open confidential phone data simply by sending a remote text message with an embedded digital key.
Mobile phone owners mostly at risk are those in Africa, where Sim cards run on older technology that is easier to break than more modern cards in the US, Europe and Asia.
But the risk is these phone owners have the most to use because they tend to login into their banks by phone as they do not have laptops or tablets at home.
Software security consultant Karsten Nohl broke the Sim card code and has sent his findings to the GSM Association (GSMA), the international trade body for mobile phone operators.
Bogus message
The organisation admits some older Sim cards have vulnerabilities to the hack.
Nohl’s code can break into a mobile phone by hiding the digital key in a text message.
The key is a short code that authenticates the phone user’s identity with the operator. Once the ID is confirmed, a third party can remotely strip the data off the Sim card and access the user’s account as if it were their own.
Modern phones have extra security that rejects the bogus token, but older Sim cards running on a 1970s Digital Encryption Standard can be fooled into accepting the hacker’s requests.
“Disclosing the issue to the GSMA has given us a head start on looking at how many cards are at risk,” said a GSMA spokesman.
Millions at risk
“Certainly a large number could be involved, but they work off older technology that is not prevalent in many countries.”
Nohl has said he has tested the secret code to find that he can hijack about a quarter of the phones he calls. Worldwide, that could add up to between 500 million and 750 million phones worldwide.
“Sim cards are at the heart of all mobile phone traffic,” said Nohl. “They encode texts, calls and internet usage. If a hacker can control the card, they can read any of the confidential information it carries.
“Mobile phone companies suggest their security prevents this, but clearly I have proved it does not.”
The GSMA explained that once they have tested the code, a remote firmware update could easily shut the hacker’s backdoor and render the bogus authentication useless.