Sophos Cloud Optix
Smartcard researcher and cryptography expert Karsten Nohl has featured on Naked Security before.
He’s looked into the cryptographic security of numerous embedded devices in the past, including literally putting a public transport smartcard under the microscope, and figuring out how to subvert GSM security with a MitM (man-in-the-middle) attack.
Now he’s one of several security experts sending out just enough information about their upcoming Black Hat 2013 papers to attract publicity without giving away the secret sauce that they hope will pack the conference room in Las Vegas.
It’s always tricky knowing whether to feed the BlackHat publicity machine by writing up breathlessly that “X has found Y,” when what you really mean is “X claims Y but isn’t minded to explain himself just yet.”
But, as mentioned above, Nohl has a record of lengthy and detailed research projects.
His latest hacking efforts [*] have apparently involved studying nearly 1000 mobile phone SIM cards over a period of two years, so you can argue that he’s entitled to promote his work in advance without telling us all the details.
Nevertheless, Nohl has given away a fair bit to the New York Times and to Forbes.
Both those publications have written up balanced pieces, in my opinion, making the risks apparent while giving us all hope that mobile phone security is not about to implode altogether.
What has Nohl found?
Interestingly, one of the first BlackHat “paper pre-announcement promotions” of 2013 rather cheekily suggested it had uncovered the Android master key, but that turned to be a metaphor for a code verification bypass.
→ The “master key” hack was, admittedly, of a severity that made it like having a master code-signing key, since it allowed you to install your code under someone else’s digital signature. But no cryptographic keys were actually extracted.
Nohl’s hack, on the other hand, really does involve remotely recovering cryptographic key material from your SIM card.
That means he may be able to extract what is effectively a “master key” for your phone or tablet.
With that, he can create a malicious applet (most SIM cards, or Subscriber Identity Modules, include a miniature Java Virtual Machine to run phone-oriented applets written in Java) and digitally sign it so your phone will accept it.
Usually, of course, only your service provider can sign software that ends up on your SIM, since only your service provider and the SIM card know the needed secret key.
So, Nohl may be able to infect your phone with SIM-borne malware.
That’s bad enough, but it seems that Nohl has found a second hole that he can use in conjunction with the first to perform what a penetration tester would call lateral movement on your phone.
In particular, he has found a vulnerability in the Java sandbox of some SIM cards that would allow his malware to access data that is supposed to locked down so it can be used only by one specific applet, such as bill payment software.
So, Nohl may not only be able to infect your device with SIM-borne malware, but also to give that malware root-like, or administrator-level, powers.
How does the attack work?
As far as I can tell, the key-recovery attack relies on cryptographic behaviour that really ought to be uncontroversial.
By sending a special sort of text message, mobile phone operators can quietly and automatically update the software, or firmware, if you prefer, in your SIM card.
These are known as OTA, or over-the-air, updates, and they’re signed using the relevant SIM card’s secret key.
If you don’t know the secret encryption key, you’re sunk, because you won’t be able to sign your update and the device will reject it.
But Nohl found that some devices provide feedback when an update fails, and that these failure messages are digitally signed by the device.
You’re probably thinking that this is a good idea, since it prevents an attacker forging replies that leave your mobile phone provider incorrectly informed about the state of your device.
Indeed, I have little doubt that the implementors of the “send signed failure messages” feature thought the same way.
This assumes, of course, that you can’t go backwards from the digital signature to the secret key used to compute it.
But Nohl seems to have found, at least for some older chips that still use 56-bit DES encryption, that he could reverse his way to the key from a signed message, and that he could provoke a suitably-signed failure message simply by sending a unsuitably-signed update.
I’m guessing that this attack relies not only on 56-bit DES, but also on using the key, and only the key, in computing the signature.
That would allow Nohl to use pre-computed attack charts, known as rainbow tables, to speed up the key recovery dramatically. (He claims to be able to compute the key of a vulnerable SIMs within two minutes.)
Rainbow tables have featured in Nohl’s work before, but they are defeated by properly-implemented digital signatures where a random salt, or nonce (short for number used once), is mixed into the calculation to add diversity.
What happens next?
It sounds as though SIM cards issued recently aren’t vulnerable, if only because they no longer use 56-bit DES.
56 bits is these days considered a woefully inadequate secret key length: you should really have adopted 128-bit keys by now, with 80 bits the shortest you should accept in legacy applications.
In other words, immunising yourself against this particular threat may be as straightforward as replacing your SIM, if you haven’t already done so within the last year or three.
On the other hand, with billions of SIMs already issued, and backwards compatibility making it easy for users to upgrade their phones and tablet handsets without upgrading their SIM cards, this could be a problem for years yet.
We shall have to wait and see!
[*] I consider “hacking” something of a contranym: a word that has alternative, and contradictory, meanings (like cleave, which can mean to cut apart or to hold tight to). Hacking has a pejorative sense when talking about cybercrooks, implying digital break-and-enter; and a positive sense, as here, when it means to dig deep, investigate, understand and learn.
Might be nice to know how to find out if your phone SIM is using 56-bit DES. That's probably beyond the knowledge of most phone users who have it.
I'm not sure how you would tell reliably, except by asking your provider.
I have to chirp in about Jacko's statement. I don't know about my phone. It would have been nice if you people were more specific about how to tell or what to do to fix the problem, if this is the only problem. Maybe a larger Rainbow table would make it possible for 'guessing' a good key?
Jack
It's not your phone, it's the SIM card in your phone.
Received wisdom seems to suggest that recently-issued SIMs (or, at least, a SIM issued today if you were simply to go and replace yours for the sake of it) are effectively immune to this attack, because (however vulnerable their Java sandbox might be) the secret key needed to start the attack can't be recovered this way, because 56-bit DES is not used.
So Mr Nohl's rainbow tables won't work.
For precise answers we shall have to wait until Nohl's paper is out, and the telcos (and the ITU) have responded.
(Nohl does say that he expects a crook trying to repeat his research in order to reproduce his results would take at least six months. So we have time to get new SIMs 🙂
That's why I ended the article as I did…we don't have a precise answer yet!
Since applets require an exit-point, a standard (of sorts) is known to exit JAVA and return to 8051 while still in the sandpit. It’s standard across Intel & ARM based SIMs. I have no desire to hack other peoples SIMs or inflict damage. I would just like to write a modified SIM that outputs a message and allows OTA updates to be blocked.
Of course, now baseband CPUs are showing how weak they are & how they work is not really in the public domain.