Over the weekend some news broke about an exploit that affects millions of phone users. Apparently, the encryption used has a flaw that allows a hacker to clone the encryption credentials of a SIM (Subscriber Identity Module) card, potentially allowing them to clone your SIM card and retrieve things like information about your plan and payments, or identify you on the network.
It sounds scary, and it is for the 500 million affected SIM cards in the wild. But like any good security scare worth its salt, there's a lot more to the story than we're hearing. Click through and we'll talk about it a bit.
Source: Security Research Labs
How it works
An attacker can send a command that looks a lot like the command your carrier sends to let your phone know there is an over-the-air update ready. This command is invalid, because the attacker doesn't have the correct encryption key. Your phone will then send back an error message that is signed with the correct encryption key. Once the attacker has that signed error message, they can use some software to brute-force crack the key and have a copy of their own. Using this valid key, a new message can be sent about an OTA, which your phone will download because the key is valid. This OTA can be an application that retrieves all your SIM card data, allowing the attacker to clone it.
With this cloned copy of your SIM, they can then authenticate themselves as you on the carrier network. Sounds frightening, right?
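The signed-error problem described above can be seen in a small simulation. This is an added example, not code from Security Research Labs or from the original article; the Card class, the truncated HMAC standing in for the card's DES signature, the 16-bit toy key and the silent-drop variant are all assumptions chosen so it runs in about a second.

```python
import hashlib
import hmac

KEY_BITS = 16  # constructed toy size so the search finishes at once; DES uses 56

def sign(key: int, message: bytes) -> bytes:
    """Toy signature (assumption): truncated HMAC-SHA256, standing in for the SIM's DES signature."""
    return hmac.new(key.to_bytes(8, "big"), message, hashlib.sha256).digest()[:8]

class Card:
    """Hypothetical SIM model; sign_errors=True is the behaviour the article describes."""

    def __init__(self, key: int, sign_errors: bool):
        self._key = key
        self._sign_errors = sign_errors

    def receive(self, command: bytes, signature: bytes):
        if hmac.compare_digest(sign(self._key, command), signature):
            return b"OK", b""                      # genuine carrier command accepted
        error = b"ERR: bad signature"
        if self._sign_errors:
            return error, sign(self._key, error)   # known text + valid signature leaves the card
        return None                                # silent drop: nothing to test guesses against

def search_key(message: bytes, signature: bytes, bits: int):
    """Exhaustive search: try every key until one reproduces the observed signature."""
    for guess in range(1 << bits):
        if hmac.compare_digest(sign(guess, message), signature):
            return guess
    return None

def demo():
    secret = 0xBEEF                                # constructed sample key
    bogus = (b"fake OTA notice", bytes(8))         # sender does not know the key
    leaky = Card(secret, sign_errors=True).receive(*bogus)
    silent = Card(secret, sign_errors=False).receive(*bogus)
    recovered = search_key(leaky[0], leaky[1], KEY_BITS)
    return recovered == secret, silent

if __name__ == "__main__":
    found, silent = demo()
    print("key recovered from signed error:", found)
    print("response from silent card:", silent)
    print("guesses needed at most: toy 2**16, DES 2**56, i.e. 2**40 times more")
```

The search only works because the card hands back a known message with a valid signature, and it only finishes because the key is short.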
What we don't know
There is one big ugly problem with all of this. The encryption method that can be broken, DES-56, was originally cracked in 1998 by the EFF. By now, nobody should be using a known broken encryption method. Of the seven billion plus SIM cards in existence, approximately 500 million are affected.
500 million of anything is a lot, but compared to 7 billion (with a b) it's a small portion. The reports about this flaw all leave out the most vital information -- who, exactly, can be affected by this exploit?
The folks who re-discovered the DES-56 crack, led by Karsten Nohl, chief scientist at Security Research Labs in Berlin, are giving a big speech about the exploit at the Black Hat conference in Vegas at the end of July. Until then, we don't really have the details. We'll let you know more when someone decides to let us know.
In the meantime, put the tin foil away. We'll know all the details in about a week.