Do you have adblock enabled?
If you can read this, either the style sheet didn't load or you have an older browser that doesn't support style sheets. Try clearing your browser cache and refreshing the page.

(C|Net)   SIM card vulnerability puts up to 750 million mobile phones worldwide at risk. Yes, we can all hear you now   (news.cnet.com) divider line 37
    More: Scary, smart cards, SIM, security researchers, SIM cards, network operator, aircraft hijacking, handsets  
•       •       •

3275 clicks; posted to Geek » on 21 Jul 2013 at 6:23 PM (1 year ago)   |  Favorite    |   share:  Share on Twitter share via Email Share on Facebook   more»



37 Comments   (+0 »)
   
View Voting Results: Smartest and Funniest
 
2013-07-21 03:18:09 PM  
Alright. This is ridiculous.

Which one of you assholes blew this 0-day?
 
2013-07-21 03:29:46 PM  
Because 40 year old tech should be used in every phone! Did anyone even bother to look at the work before implementing it?
 
2013-07-21 03:41:04 PM  
Just like the NSA
 
2013-07-21 03:59:47 PM  
Or to put it another way, SIMsh*tty?
 
ZAZ [TotalFark]
2013-07-21 04:12:29 PM  
From another article: Nohl noticed that when he attempted to send certain incorrect OTA commands, he would receive an error message that also contained the unique encryption code belonging to that phone - its virtual key. The code was easily decrypted - Nohl says the process takes him one minute. With the phone now at his disposal, he could command it to do anything from his own computer, without the user ever suspecting anything was amiss.

I don't understand what sort of leaked key is not cleartext but can be decrypted in a minute.

NYT adds: But in a quarter of cases, the phone broke off the communication and sent an error message back to Mr. Nohl that included its own encrypted digital signature. The communication provided Mr. Nohl with enough information to derive the SIM card's digital key.
 
2013-07-21 05:00:50 PM  
*gently pets cdma phone; cackles maniacally*
 
2013-07-21 05:08:32 PM  

ZAZ: I don't understand what sort of leaked key is not cleartext but can be decrypted in a minute.


There are lots of dumb homegrown "encryption" mechanisms.  Some people think an MD5 hash is encryption.  Imagine the key is encrypted with DES56 and a random key from a keyspace smaller than 56 bits.   People who don't know encryption well do dumb things.
 
2013-07-21 06:19:29 PM  

gameshowhost: *gently pets cdma phone; cackles maniacally*


*gently pats scanner, grins at the thought of intercepting late night cell phone talks*
 
2013-07-21 06:23:24 PM  

hardinparamedic: gameshowhost: *gently pets cdma phone; cackles maniacally*

*gently pats scanner, grins at the thought of intercepting late night cell phone talks*


*gently pats laptop with El Cheapo DVT-B tuner, grins at the thought of intercepting late night SMS messages when bored with intercepting late night cell phone talks*
 
2013-07-21 06:25:56 PM  
At risk of what?
As if any of you will ever say anything of interest or or note to ... anyone?
 
2013-07-21 06:29:57 PM  

hardinparamedic: gameshowhost: *gently pets cdma phone; cackles maniacally*

*gently pats scanner, grins at the thought of intercepting late night cell phone talks*


*speaks in reverse pig latin*
 
2013-07-21 06:31:18 PM  

gameshowhost: hardinparamedic: gameshowhost: *gently pets cdma phone; cackles maniacally*

*gently pats scanner, grins at the thought of intercepting late night cell phone talks*

*speaks in reverse pig latin*

cdn.smosh.com
 
2013-07-21 06:33:52 PM  
"Hey bay be, whatcha doin'?"
"Oh nuthin'. Just hanging out with Mandy and sis."
"Aw. Uh kay."
"Uh huh."
"Uh kay, then bay be."
"All rieht."

Imagine it. Terra bytes of this crap. Every day. All the time.
 
2013-07-21 06:49:50 PM  

HotIgneous Intruder: "Hey bay be, whatcha doin'?"
"Oh nuthin'. Just hanging out with Mandy and sis."
"Aw. Uh kay."
"Uh huh."
"Uh kay, then bay be."
"All rieht."

Imagine it. Terra bytes of this crap. Every day. All the time.


After graduating high school one of my friends came back from a vo-tech with a scanner that could listen in on cordless phones (might have even been before 900Mhz, whatever that was). We got all excited about this and tooled around town with it, going so far as to have an antenna of some kind we could point at houses as we went.

I guess maybe we thought everyone has phone sex all the time? Think we were even getting only one side of the conversation too, it was pointless.
 
2013-07-21 07:21:30 PM  
Another "the sky is falling" scenario where they first have to install software? Yawn.
 
2013-07-21 07:25:27 PM  
No, biatch, you'll take cash AND make change.

/count different.
 
2013-07-21 07:35:31 PM  
I suppose this is not related to Rogers wireless and people on the other side of the world spoofing a Rogers number to make lots of money with 'roaming text messaging'.
https://secure.dslreports.com/forum/r28462022-Is-Rogers-running-some- s ort-of-scam

/Rogers motto: fark you all and thanks for the easy cash you stupid idiots.
 
2013-07-21 08:23:59 PM  
Yet another reason I like Sprint. I have no SIM card.
 
2013-07-21 08:33:00 PM  
Let those who are without SIM cast the first stone....
 
2013-07-21 08:35:12 PM  
Not worried about this.

/never owned ANY cellphone
 
2013-07-21 08:45:53 PM  
what's he selling?
 
2013-07-21 09:06:25 PM  
The slogan in question is from a company that doesn't use SIM cards.
 
2013-07-21 09:19:28 PM  

jayhawk88: HotIgneous Intruder: "Hey bay be, whatcha doin'?"
"Oh nuthin'. Just hanging out with Mandy and sis."
"Aw. Uh kay."
"Uh huh."
"Uh kay, then bay be."
"All rieht."

Imagine it. Terra bytes of this crap. Every day. All the time.

After graduating high school one of my friends came back from a vo-tech with a scanner that could listen in on cordless phones (might have even been before 900Mhz, whatever that was). We got all excited about this and tooled around town with it, going so far as to have an antenna of some kind we could point at houses as we went.

I guess maybe we thought everyone has phone sex all the time? Think we were even getting only one side of the conversation too, it was pointless.


Did this a few times with a scanner that would pick up old cordless phones. Typically the same scenario, boring one side of a conversation. All until the random "So, are you still going to fark me up the ass hard when you get home?" said in such a plainly matter of fact tone one day.
 
2013-07-21 09:43:40 PM  

Tophersky: Yet another reason I like Sprint. I have no SIM card.


Or a fast and reliable 3G network.
 
2013-07-21 09:48:05 PM  
24.media.tumblr.com 
What if the vulnerability is not a vulnerability, but instead an unlisted feature that was put there on purpose?
 
2013-07-21 09:57:29 PM  

styckx: Tophersky: Yet another reason I like Sprint. I have no SIM card.

Or a fast and reliable 3G network.


Hey now, they try.

Not very hard, but that's not the point.

/will be going back to Verizon
//because who'd want a Nokia WinPhone on Sprint?
 
2013-07-21 10:09:55 PM  

hardinparamedic: gameshowhost: hardinparamedic: gameshowhost: *gently pets cdma phone; cackles maniacally*

*gently pats scanner, grins at the thought of intercepting late night cell phone talks*

*speaks in reverse pig latin*
[cdn.smosh.com image 500x308]


It's amazing how many people thought that was real.
 
2013-07-21 10:29:03 PM  

Tophersky: Yet another reason I like Sprint. I have no SIM card.


I didn't realize SIMs were still a thing
Tmyk.jpg
 
2013-07-21 10:30:41 PM  

Tourney3p0: The slogan in question is from a company that doesn't use SIM cards.


You say that...

cdn.androidcommunity.com

Technically it's only for data right now, but I'm guessing once LTE voice starts rolling out it will be used for a bit more.
 
2013-07-21 10:55:50 PM  

Marine1: styckx: Tophersky: Yet another reason I like Sprint. I have no SIM card.

Or a fast and reliable 3G network.

Hey now, they try.

Not very hard, but that's not the point.

/will be going back to Verizon
//because who'd want a Nokia WinPhone on Sprint?


I stayed with Sprint for 2 years then went to T-Mobile. Truly unlimited data like Sprint w/ incredible speeds. Love it..
 
2013-07-22 12:22:16 AM  
i.imgur.com
 
2013-07-22 12:23:33 AM  

Tophersky: Yet another reason I like Sprint. I have no SIM card.


You do if your phone is a 4G LTE phone on Sprint. All CDMA providers, ie Sprint and Verizon when moving to 4G LTE moved to Sim cards for an authentication point for the network. Which is nice because you can toss the sim card around from device to device with out having to go through old school CDMA programming but it means that it could possibly be hit with this hack.
 
2013-07-22 01:21:03 AM  
TFA: The vulnerability was found in the Digital Encryption Standard, a cryptographic method developed by IBM in the 1970s that is used on about 3 billion cell phones every day.

Seriously?

i158.photobucket.com

This thing has been out since the late 90s and people are *STILL* using DES for things?
 
2013-07-22 02:53:04 AM  

TheGhostofFarkPast: Tophersky: Yet another reason I like Sprint. I have no SIM card.

You do if your phone is a 4G LTE phone on Sprint. All CDMA providers, ie Sprint and Verizon when moving to 4G LTE moved to Sim cards for an authentication point for the network. Which is nice because you can toss the sim card around from device to device with out having to go through old school CDMA programming but it means that it could possibly be hit with this hack.


Not necessarily--there are CDMA/LTE phones (which are specific versions of phones for Sprint) that do not have removable or even user-accessible SIM cards.  For the Sprint version of the Samsung GS3, for instance, there is no external SIM but rather the "SIM" is an RUIM chip integral to the phone's mainboard; there is apparently ongoing work to add SIM capability to the Sprint GS3 but it is nowhere near a successful project yet.  (The Sprint version of the Galaxy Note 2 is also likewise SIMless, using a RUIM chip; reportedly people HAVE hacked it to use the SIM slot available in the Verizon model, at the expense of LTE functionality.)  The Verizon versions of the GS3 and Note 2 do have SIM card slots, as do phones on reseller providers for prepaid service that use Verizon's network, but the same is not true for the major CDMA competitor.

(As an aside--despite not having an external SIM, it IS in fact possible to flash a Sprint GS3 to another provider--this requires some highly specialised tools and (particularly with conversions to Verizon) a donor phone with a working MEID, but it is possible even without an external SIM.  The best luck so far has been with regional providers like US Cellular and MetroPCS, but there has apparently been some luck in converting Sprint GS3s to work with Verizon prepaid plans.)

Also, it should be noted that the vulnerability mostly affects older SIM cards and not the newest ones (so there's actually a good shot that CDMA-based devices in the US that use SIM cards may not be vulnerable, due to using a newer standard of SIM).
 
2013-07-22 05:23:27 AM  
How convenient.
 
2013-07-22 09:46:46 AM  

andrewagill: Seriously?

This thing has been out since the late 90s and people are *STILL* using DES for things?


That chip only had 3/4 of the sections working.  That ended up doubling its processing time.

The big problem with cracking DES (and 3DES) is the you have to figure out if the key you just tried resulted in useful data.  GPUs are getting good enough to do that at very high speeds.  There have been some published attacks where the inner processes of DES can be unfolded using huge arrays that were impossible when Deep Crack was built.
 
2013-07-22 10:08:29 AM  

andrewagill: TFA: The vulnerability was found in the Digital Encryption Standard, a cryptographic method developed by IBM in the 1970s that is used on about 3 billion cell phones every day.

Seriously?

[i158.photobucket.com image 488x480]

This thing has been out since the late 90s and people are *STILL* using DES for things?


What a deep crack may or may not look like (possibly NSFW)
 
Displayed 37 of 37 comments

View Voting Results: Smartest and Funniest


This thread is closed to new comments.

Continue Farking
Submit a Link »
Advertisement
On Twitter






In Other Media


  1. Links are submitted by members of the Fark community.

  2. When community members submit a link, they also write a custom headline for the story.

  3. Other Farkers comment on the links. This is the number of comments. Click here to read them.

  4. Click here to submit a link.

Report