When you install Java on a Windows box, it brags that it runs on 3 billion devices. It’s not joking. A fair chunk of those 3 billion devices are the SIM cards that register your cell phone on its network. And those SIM cards frequently are woefully insecure. The mid-90s called, and they want their crypto back.
Via a text message you’ll never see, it’s possible to hack the 56-bit DES encryption used by many cards, or the triple-DES-in-name-only crypto used in others (repeating wimpy 56-bit crypto with the same key three times doesn’t make it any less wimpy). From there, an attacker can send the card a malicious Java applet that busts out of the security of the ancient version of Java on your card, and ride this cascade of security flaws to do lots of nasty things, like listening in on phone calls and intercepting text messages.
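To make the “triple DES in name only” point concrete, here is an added example that is not part of the original post. It uses a constructed toy Feistel cipher with a 12-bit key (an assumption chosen so the search finishes instantly; it is not DES and has none of DES’s tables) to show the algebra that holds for any block cipher: encrypt-decrypt-encrypt under one repeated key collapses to a single encryption, so a brute-force search over the key space costs exactly the same as it does against the single cipher. The function names, key size and sample plaintexts are all constructed for the demonstration.

```python
"""Why EDE keyed with the same key three times is just single encryption.

The cipher below is a constructed toy Feistel cipher, NOT DES and NOT code
from the article. The property it demonstrates holds for any block cipher:
E_k(D_k(E_k(x))) == E_k(x), so the attacker's brute-force work is unchanged.
"""

KEY_BITS = 12      # toy key size (DES uses 56); small so the demo runs instantly
ROUNDS = 4
MASK16 = 0xFFFF


def _round_fn(half: int, subkey: int) -> int:
    """Constructed mixing function on a 16-bit half block (stands in for DES's F)."""
    x = (half ^ subkey) & MASK16
    return ((x * 0x9E37) ^ (x >> 7)) & MASK16


def _subkeys(key: int) -> list:
    """Constructed key schedule: one 16-bit subkey per round."""
    return [(key + 0x1234 * i) & MASK16 for i in range(ROUNDS)]


def _feistel(block: int, subkeys: list) -> int:
    """Run the Feistel network on a 32-bit block with the given subkey order."""
    left, right = block >> 16, block & MASK16
    for sk in subkeys:
        left, right = right, left ^ _round_fn(right, sk)
    # Final swap makes decryption the same walk with the subkeys reversed.
    return (right << 16) | left


def encrypt_block(block: int, key: int) -> int:
    return _feistel(block, _subkeys(key))


def decrypt_block(block: int, key: int) -> int:
    return _feistel(block, list(reversed(_subkeys(key))))


def ede_same_key(block: int, key: int) -> int:
    """Encrypt-Decrypt-Encrypt with k1 == k2 == k3: 'triple DES in name only'."""
    return encrypt_block(decrypt_block(encrypt_block(block, key), key), key)


def ede_three_keys(block: int, k1: int, k2: int, k3: int) -> int:
    """Genuine EDE with independent keys; the middle D only cancels when k1 == k2."""
    return encrypt_block(decrypt_block(encrypt_block(block, k1), k2), k3)


def brute_force(pairs, cipher):
    """Search the toy key space for the first key consistent with every (pt, ct) pair.

    Returns (key, trials). `cipher(block, key)` may be encrypt_block or ede_same_key.
    Two known pairs are used so a chance collision on one block cannot fool the search.
    """
    for trials, k in enumerate(range(1 << KEY_BITS), start=1):
        if all(cipher(pt, k) == ct for pt, ct in pairs):
            return k, trials
    return None, 1 << KEY_BITS


def demo():
    """Recover a constructed secret key against single-E and against EDE-same-key."""
    secret = 0xABC                          # constructed secret key
    plaintexts = [0x01234567, 0x89ABCDEF]   # constructed known plaintexts
    single = [(pt, encrypt_block(pt, secret)) for pt in plaintexts]
    triple = [(pt, ede_same_key(pt, secret)) for pt in plaintexts]
    # Same ciphertexts, same recovered key, same number of trials: no added strength.
    return brute_force(single, encrypt_block), brute_force(triple, ede_same_key)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the same `(key, trials)` tuple for both the single cipher and the repeated-key EDE, because the ciphertexts are byte-for-byte identical. Only `ede_three_keys` with independent keys changes the picture: the middle decryption no longer cancels the first encryption, so a search can no longer treat the construction as one 56-bit (here, 12-bit) cipher.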
Even if half of Americans don’t seem to mind the NSA listening to their phone calls, I’m pretty sure a majority of Americans don’t want the Russian Mafia listening to them.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.