Over the weekend some news broke about an exploit that affects millions of phone users. Apparently, the encryption used has a flaw that allows a hacker to clone the encryption credentials of a SIM (Subscriber Identity Module) card, potentially allowing them to clone your SIM card and retrieve things like information about your plan and payments, or identify you on the network.
It sounds scary, and it is for the 500 million affected SIM cards in the wild. But like any good security scare worth it's salt, there's a lot more to the story than we're hearing. Click through and we'll talk about it a bit.
Source: Security Research Labs
How it works
An attacker can send a command that looks a lot like the command your carrier sends to let your phone know there is an over-the-air update ready. This command is invalid, because the attacker doesn't have the correct encryption key. Your phone will then send back an error message that is signed with the correct encryption key. Once the potential hacker has the correct signing key, they can use some software to brute-force crack the key and have a copy of their own. Using this valid key, a new message can be sent about an OTA, which your phone will download because the key is valid. This OTA can be an application that retrieves all your SIM card data, allowing the attacker to clone it.
With this cloned copy of your SIM, they can then authenticate themselves as you on the carrier network. Sounds frightening, right?
What we don't know
There is one big ugly problem with all of this. The encryption method that can be broken, DES-56, was originally cracked in 1998 by the EFF. By now, nobody should be using a known broken encryption method. Of the seven billion plus SIM cards in existence, approximately 500 million are affected.
500 million of anything is a lot, but compared to 7 billion (with a b) it's a small portion. The reports about this flaw all leave out the most vital information -- who, exactly, can be affected by this exploit?
The folks who re-discovered the DES-56 crack, led by Karsten Nohl, chief scientist at Security Research Labs in Berlin, are giving a big speech about the exploit at the Black Hat conference in Vegas at the end of July. Until then, we don't really have the details. We'll let you know more when someone decides to let us know.
In the meantime, put the tin foil away. We'll know all the details in about a week.
We may earn a commission for purchases using our links. Learn more.
Foldables are finally good enough to actually spend money on
Foldable phones have come a long way in 18 months, and now with the Galaxy Z Fold 2, we have no major flaws, no shortchanged specs and no hurdles still to overcome. Now is the tipping point when foldables start to actually become worthy of your wallet.
Want an Oculus Quest 2? Here's where to buy one!
The Oculus Quest 2 was announced at Facebook Connect 2020. Here's how to preorder the hottest new wireless VR system around!
Fitness apps and wearables are great, as long as you aren't in a wheelchair
Plenty of people with mobility issues want to buy fitness-based wearables, myself included. Right now they shouldn't because it seems like no company wants their money bad enough to work for it.
The best replacement bands for your 46mm Galaxy Watch
The strap included with the Galaxy Watch is fine, but these offer much more customization. Not only do these straps offer you the chance to change up the style of your watch, but you also get materials that bring added durability for a strap that can take what you throw at it.