Weak SIM card encryption and confidential information leakage

Release date:
Updated on: 2013-07-26

Affected Systems:
SIM card vendor SIM Cards
Description:
--------------------------------------------------------------------------------
The SIM card is short for the Subscriber Identity Module (Customer Identification Module), also known as a smart card or user identification card. This card must be installed on a GSM digital mobile phone.

Data and Applications in SIM cards can be remotely managed through OTA (Over-the-Air) technology, the carrier can push custom JAVA software to the SIM card in OTA mode for extended usage.

Some SIM card design implementation problems exist. Some SIM cards use the obsolete DES encryption method in 1970s to sign data and applications. In some cases, attackers may obtain response data containing key information, the malicious app with the signature is easily pushed to the SIM card for installation and execution, and more confidential information is obtained to copy the user's SIM card.

<* Source: srlabs

Link: https://srlabs.de/rooting-sim-cards/
*>

Suggestion:
--------------------------------------------------------------------------------
Temporary solution:

If you cannot install or upgrade the patch immediately, NSFOCUS recommends that you take the following measures to reduce the threat:

* Use a more advanced SIM card.

* Use the SIM card firewall on your mobile phone.

* The carrier filters binary SMS messages based on the source.

Vendor patch:

SIM card manufacturers
---------
Currently, the vendor does not provide patches or upgrade programs. We recommend that you keep an eye on the vendor's homepage to obtain the latest version.