SIM cards show severe vulnerability

A vulnerability in SIM cards is said to allow device-specific data to be collected, conversations to be listened to, or additional malware to be injected under certain conditions. The SIM card could also be deactivated remotely. This is what the security company AdaptiveMobile claims to have found.

The vulnerability is believed to exist in a software component of SIM cards, the SIM Alliance Toolbox (S@T Toolkit). Mobile operators use this component, for example, to transmit settings to SIM cards. Attackers are currently using this feature to send control codes via SMS to the SIM card they are spying on. The card, in turn, transmits the requested information by SMS to a mobile number specified by the attacker, unnoticed by the user.

The security researchers who uncovered the vulnerability estimate that a comparatively small number of SIM cards worldwide are being monitored in this way, in particular by a private security company.

The S@T toolkit is not enabled on all SIM cards, but approximately one billion SIM cards are affected worldwide. In the meantime, it has been announced that, for example, the S@T toolkit is not activated on SIM cards of Vodafone Germany. SIM cards vary depending on the version and manufacturer.

Vulnerabilities in SIM cards, for example in their encryption, were revealed as early as 2013. SIM cards provide a number of functions and hold information such as authentication keys. As more and more use cases and mechanisms are based on the presence of smartphones, the vulnerability identified is serious. It could be used to spy on communications and authentication mechanisms. This would potentially make multi-factor authentication insecure as well.




David Bouck-Standen (M.Sc.)
Sen. IT-Consultant, NetAlive Ltd

It is only on 14 September that electronic banking is changing within the EU with the Second European Payment Services Directive (PSD2). TAN procedures and login are particularly affected. But what are the benefits of procedures in which the ownership factor is connected twice (to the same device) - namely, both for authentication and for transmitting transaction confirmation? Even the use of an app does not increase security in such a case.
