“Sim cards generate all the keys you use to encrypt your calls, your SMS and your internet traffic. If someone can capture the encrypted data plus have access to your Sim card, they can decrypt it. Operators often argue that it's not possible to listen in on 3G or 4G calls - now with access to the Sim card, it very much is.”
Dr. Karsten Nohl, founder of Security Research Labs in Berlin, Germany, speaking to the BBC (British Broadcasting Corporation) on Sunday July 21st 2013 on the issue of SIM Hacking
Breaking News folks! If you thought Debit Card and Credit Card Hacks, especially those with the new supposedly more secure RFID versions, were your main headache, especially if you live in a First World Country such as America, I’ve got more worries to pile on your plate. The video below is just a reminder.
The bearer of this bad news is Dr. Karsten Nohl, founder of Security Research Labs in Berlin, Germany and a PhD in Computer Science from the University of Technology. His name should be familiar to you, especially if you follow Hacking and the Research Branch of Telecoms.
And here’s Dr. Karsten Nohl along with his PhD Research Credentials:
He’d revealed back in April 2010 that it’s easy to hack the 64-bit A5/1 Codebooks schema of GSM (Global System Mobile) Voice Networks using off-the-shelf hardware and Open Source software and eavesdrop on conversations, as explained in “Q&A: Researcher Karsten Nohl on Mobile eavesdropping”, published January 1, 2010 4:00 AM PST by Elinor Mills, CNET News.
Now it’s 2013 and he’s up to no good again with news to rock your world or at least reveal how vulnerable Telecom Networks are! He’s revealed that SIM (Subscriber Identification Modules) Cards used in GSM (Global System Mobile) Phones can be hacked by simply sending an SMS (Simple Messaging Service) or Text Message that fakes the Telecom Network’s Authentication Protocols.
Say what!
This at a time when Text Messaging is dying Worldwide, especially in Developed World Countries as stated in my blog article entitled “CTIA reports a 5% decline in US Texting as Instant Messaging ramps up - WhatsApp's now Top Gun as The Dead Zone leads Star Trek Into the Darkness”, albeit it may see something of a Renaissance in Developing World Countries. But shocking nonetheless!
This results in the Mobile UE (User Equipment) i.e. Mobile Feature Phone, Smartphone or 3G or 4G Modem sending back the following pieces of crucial encrypted information as stated in the articles “Millions of Sim cards are 'vulnerable to hack attack'”, published 22 July 2013 Last updated at 12:58 GMT, BBC News and “SIM card flaw said to allow hijacking of millions of Phones”, published July 21, 2013 10:46 AM PDT by Steven Musil, CNET News:
1. IMSI (International Mobile Subscriber Identification)
2. IMEI (International Mobile Equipment Identification)
3. 56-digit Network Authentication Code
In essence, with this information, a SIM Card for any Mobile Phone, SmartPhones included, can be cloned like a Debit or Credit Card and used to access the Customer Mobile Account. That means not only access to SMS Messages and making Voice Calls, but also 3G and 4G Internet and worst of all, Mobile Banking and Mobile Money Banking Platforms, allowing the hacker the ability to steal your Money.
He’s passed on this info to the GSMA (Global System Mobile Association) and the ITU (International Telecommunications Union) who are currently looking into the matter as it implies the unthinkable: 3G and 4G Networks that use the SIM Card to authenticate access are hackable.
Granted, according to Dr. Karsten Nohl, this vulnerability exists in 1 in 8 Mobile devices that use a SIM Card and is made worse by the fact that Telecom Providers still use an older encryption schema to encrypt the above information, known as DES (Digital Encryption Standard), a cryptographic method developed by IBM back in the 70’s… and which is STILL being used today with no improvement.
So for those rushing the BOJ to a quick decision on Mobile Money Banking as noted in my blog article entitled “BOJ stalling on Mobile Money Regulations as new entrants appear - Herald for the Cashless Society as SmartPhones and Mobile Money are The Perfect Storm and Curse of Chucky”, this is yet another concern aside from the possibility of Money Laundering; it’s now possible to steal your Money using your Mobile Phone. This last note should be especially of concern to African countries, which use Mobile Money Platforms that are SMS based to send and receive Money all over the continent.
It also explains why the Librarian of the Library of Congress, the defender of the DMCA (Digital Millennium Copyright Act), on Saturday 25th January 2013 made it illegal to unlock your Smartphone and Tablet to place it on another Telecom Provider’s Network as explained in my blog article entitled “Librarian of the Library of Congress makes Smartphone unlocking Illegal - How Jamaica can benefit from the Safe Haven of MNP by banning unlocking of smartphones and Tablets”.
Thus calls for the lifting of the Ban on Mobile phone unlocking by the incoming FCC (Federal Communications Commission) Chairman Tom Wheeler to give people the freedom to unlock their Mobile phones, as stated in the articles “FCC’s new chairman wants to end ban on cell phone unlocking”, published June 18 2013, 4:45pm EST by Jon Brodkin, Ars Technica and “Incoming FCC Chair Calls For End To Ban On Unlocking Cell Phones”, published June 19, 2013 by Chris Morran, The Consumerist, will no longer carry weight and may actually get him in trouble, forcing him to retract his statements.
This imminent hacking threat means that allowing American citizens this basic right of unlocking their Mobile Phones as they please will allow them to Hack Telecom Networks using the method described above and thus disrupt the Telecom Providers’ Apple Cart.
Theoretically, they can make free Calls and access Free Data, resulting in Telecom Providers losing Billions of dollars through a vulnerability that affects 750 million Mobile phones worldwide. FCC Chairman Tom Wheeler is supposed to protect the interest of the Telecom Providers, not make them lose money due to a potential hacking threat. How his job goes from here depends on how he handles this case.
But it’s Dr. Karsten Nohl’s other declarations that are cause for concern among Telecom Providers and debutants to Mobile Money Banking in Jamaica, quote: “We can remotely install software on a handset that operates completely independently from your Phone. We can spy on you. We know your encryption keys for calls. We can read your SMSs. More than just spying, we can steal data from the SIM card, your Mobile identity, and charge to your account.” All achieved using off-the-shelf equipment and a standard PC.
This sounds rather familiar…
Back in March 2010 I did an article on how easy it was to make a skimmer and, with the help of a hidden Camera, clone Debit Cards or Credit Cards, be they stolen or swiped with a skimmer attached to your person, as explained in my blog article entitled “Debit Card Cloning and the Cashless Society”.
In that article I’d mentioned another possibility; this info could be a threat to the Banking Sector, as it could be used to hack Wireless POS (Point of Sale) devices and be a future threat to Mobile Banking and then Mobile Money Banking and the development of the Cashless Society to incorporate the unbanked as stated in my blog article entitled “Telecom Providers and Mobile Banking - Christmas a cum me wah me llama”.
In both articles I’d passed on the recommendation of Dr. Karsten Nohl for Telecom Providers to upgrade their 64-bit A5/1 Codebooks to 128-bit A5/3 codebooks. I even went the extra mile and recommended the even-harder-to-crack 512 A5/5 codebooks, as computing power and multi-core Processors will make these old coding schemas obsolete. Most likely the local Telecom Providers may have ignored this, thinking that to be the problem of First World countries with easily available computing muscle and Technical know-how, to which many Caribbean Nationals lack access.
In an unrelated incident, Telecom Provider Digicel’s MINSAT and DWS Databases had gotten hacked back in 2009 by then 26-year-old University of Technology Computer student Philpott Martin. He then repeated the hack under different circumstances and was arrested on Saturday January 26th 2013 by the Jamaican Police even as he awaited his Bail hearing on his earlier crimes as explained in my blog article entitled “Digicel's Voicemail Problems as their MINSAT and DWS Databases get hacked by Robin Hood - Upgrade Voicemail to Paid Advertising and Fiber Optic Backhaul as it's A good Day to Die Hard”.
He also hacked the DPP (Director of Public Prosecutions) files relating to his case in February 2013 as noted in my blog article entitled “Mr. Philpott Martin is the DPP and Digicel Hacker - Jamaica Cybercrimes first Django Unchained makes it clear that Digicel's MINSAT and DWS are hackable”. There’s more to the case than meets the eye and in fact it may involve a Police cover-up to gain access to Telecom Provider Digicel’s MINSAT and DWS Databases. I’m still following up on that story.
Interestingly, 2010, the same year as the revelation by Dr. Karsten Nohl of the vulnerability in the 64-bit A5/1 Codebook, is when the GOJ (Government of Jamaica) decided to implement the Cybercrime Act of 2010, the first piece of Cybercrime legislation, as we awoke to a simple fact: First World Problems were now at our Door and are set to get worse once more Jamaicans have access to information from the increasingly pervasive Wireless and Wired Internet Networks.
To this end, not only was the Cybercrime Act of 2010 updated to make Hacking have penalties equivalent to 2nd Degree Murder or Grand Larceny; the Ministry of Science, Technology, Energy and Mining has also drafted Local Jamaican White Hat Hackers to assist with the security of GOJ Websites as well as warn of potential threats to Private and Public Sector entities as noted in my blog article entitled “GOJ amends the CyberCrime Act of 2010, enlists Ethical Hackers in a Cyber Emergency Response Team - White Hat Hackers are the Q.U.E.E.N Project Janelle Monae and Erica Badu Style”.
Hopefully the Telecom Providers, Banking Sector and those interested in Mobile Money Banking here in Jamaica are now meeting with regard to the issue and are linking with the ITU and the GSMA as to what provisions they are making to mitigate against this new and dangerous Mobile Hacking technique.
In essence the Elysium (2013) that threatens Jamaica’s nascent Mobile Money Banking and the development of a Cashless Society.