Security researcher Karsten Nohl has shown that if you send some mobile phones an SMS that appears to originate with the phone company, the phone will SMS back an error message containing sensitive info about its SIM. With this info, you can send another SMS that terminally compromises the phone, giving the attacker the ability to listen in on calls, read texts, and impersonate the phone's owner. He disclosed the vulnerability to the GSM Association early, and on August 1 he'll present his work at Black Hat in Las Vegas. At the root of the problem is a reliance on an older, compromised form of crypto, DES:
For each message, the network and the phone verify their identities by comparing digital signatures. The message sent by Mr. Nohl deliberately used a false signature for the network. In three-quarters of messages sent to mobile phones using D.E.S. encryption, the handset recognized the false signature and ended communication.
But in a quarter of cases, the phone broke off the communication and sent an error message back to Mr. Nohl that included its own encrypted digital signature. The communication provided Mr. Nohl with enough information to derive the SIM card’s digital key.
Mr. Nohl said he had advised the GSM Association and chip makers to use better filtering technology to block the kind of messages he had sent. He also advised operators to phase out SIM cards using D.E.S. encryption in favor of newer standards. He added that consumers using SIM cards more than three years old should get new cards from their carriers.
Encryption Flaw Makes Phones Possible Accomplices in Theft
(Image: MTN SIM card, a Creative Commons Attribution Share-Alike (2.0) image from warrenski's photostream)