When you install Java on a Windows box, it brags that it runs on 3 billion devices. It’s not joking. A fair chunk of those 3 billion devices are the SIM cards that register your cell phone on its network. And those SIM cards frequently are woefully insecure. The mid-90s called, and they want their crypto back.
Via a text message you’ll never see, it’s possible to break the 56-bit DES encryption used by many cards, or the triple-DES-in-name-only crypto used in others (repeating wimpy 56-bit crypto with the same key three times doesn’t make it any less wimpy), then send the cards a malicious Java applet, which busts out of the security on the ancient version of Java on your card, and ride this cascade of security flaws to do lots of nasty things like listen in on phone calls and intercept text messages.
Even if half of Americans don’t seem to mind the NSA listening to their phone calls, I’m pretty sure a majority of Americans don’t want the Russian Mafia listening to them.
When I first heard about this, I heard that if your SIM card was more than a couple of years old, you ought to get a new one. But some of the new ones aren’t really all that great themselves, using that fake-out triple-DES instead of true triple-DES encryption. DES, if you’re wondering, is a once-common encryption standard that went obsolete in 1999, about two years before its logical successor was ready to go. DESing data twice turned out to be no better than doing it once, but DESing it three times yielded acceptably strong security, so “triple DES” became a common encryption scheme. Although theoretically weaker than AES, triple DES is acceptably secure if you do it right.
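As an added example (not code from the original post), here is a small Python check for the "fake-out triple DES" point above: DES-EDE computes E_K3(D_K2(E_K1(x))), so if K1 = K2 = K3, or even if just two adjacent parts match, the inner encrypt/decrypt pair cancels and you are left with single 56-bit DES. The function name and the result fields are my own; the key sizes and parity-bit handling are standard DES.

```python
# Classify a DES-EDE (3DES) key by how many distinct DES keys it really uses.
# Assumption: keys are raw 8/16/24-byte values as passed to a DES-EDE API;
# a 16-byte key is the common two-key shorthand with K3 = K1.

def _strip_parity(k8: bytes) -> bytes:
    # DES uses 56 key bits; the low bit of each byte is a parity bit, so two
    # byte strings differing only in those bits are the same DES key.
    return bytes(b & 0xFE for b in k8)

def des_ede_strength(key: bytes) -> dict:
    """Report the effective keying option of a DES-EDE key.

    EDE = E_K3(D_K2(E_K1(x))). If K1 == K2 the inner pair cancels and the
    result is E_K3(x); if K2 == K3 the outer pair cancels and the result is
    E_K1(x). Either way the "triple" cipher is single DES with a 56-bit key.
    """
    if len(key) == 8:
        key = key * 3            # single key reused three times
    elif len(key) == 16:
        key = key + key[:8]      # two-key shorthand: K3 = K1
    elif len(key) != 24:
        raise ValueError("DES-EDE key must be 8, 16 or 24 bytes")
    k1, k2, k3 = (_strip_parity(key[i:i + 8]) for i in (0, 8, 16))
    if k1 == k2 == k3:
        return {"option": 3, "distinct_keys": 1, "key_bits": 56,
                "collapses_to_single_des": True}
    if k1 == k2 or k2 == k3:
        # Looks like three keys, but two adjacent stages cancel each other out.
        return {"option": "degenerate", "distinct_keys": 2, "key_bits": 56,
                "collapses_to_single_des": True}
    if k1 == k3:
        # Two-key 3DES: 112 nominal key bits (less against known attacks).
        return {"option": 2, "distinct_keys": 2, "key_bits": 112,
                "collapses_to_single_des": False}
    # Three independent keys: 168 nominal key bits.
    return {"option": 1, "distinct_keys": 3, "key_bits": 168,
            "collapses_to_single_des": False}

if __name__ == "__main__":
    # Constructed sample key: the same 8 bytes repeated, i.e. single DES.
    print(des_ede_strength(bytes.fromhex("0123456789abcdef" * 3)))
```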
The only good news in this is that many of the providers are taking it seriously, and, lacking any other way to update the SIM cards, they’re using the very same exploit to hack into their own cards and install updates. It’s better for the good guys to hack the device and close the door before the bad guys can do it.
This is a novel approach. I expect it to become more and more commonplace, because there’s a lot of embedded computing with lousy security out there. If router manufacturers will start taking the same approach to patching their craptastic devices, then the world might eventually become a better place.
Then we’ll have reason to party like it’s 1999. When our phones party like it’s 1999, that’s not so good. Sorry, I had to go there.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.