Security researcher Karsten Nohl has shown that if you send some mobile phones an SMS that appears to originate with the phone company, the phone will SMS back an error message containing sensitive info about its SIM. With this info, you can send another SMS that terminally compromises the phone, giving the attacker the ability to listen in on calls, read texts, and impersonate the phone's owner. He disclosed the vulnerability to the GSM association early, and on August 1 he'll present his work at Black Hat in Las Vegas. At the root of the problem is a reliance on an older, compromised form of crypto, DES:
For each message, the network and the phone verify their identities by comparing digital signatures. The message sent by Mr. Nohl deliberately used a false signature for the network. In three-quarters of messages sent to mobile phones using D.E.S. encryption, the handset recognized the false signature and ended communication.
But in a quarter of cases, the phone broke off the communication and sent an error message back to Mr. Nohl that included its own encrypted digital signature. The communication provided Mr. Nohl with enough information to derive the SIM card’s digital key.
Mr. Nohl said he had advised the GSM Association and chip makers to use better filtering technology to block the kind of messages he had sent. He also advised operators to phase out SIM cards using D.E.S. encryption in favor of newer standards. He added that consumers using SIM cards more than three years old should get new cards from their carriers.
Encryption Flaw Makes Phones Possible Accomplices in Theft
(Image: MTN SIM card, a Creative Commons Attribution Share-Alike (2.0) image from warrenski's photostream)