If You Buy A Sim Card On The Street... You Can Hack It!


TheCorinthian

(a public service message)

 

No kidding. SSD, Micro, thumb, just about any flash memory drive, can be gotten into.

 

All flash memory utilizes a small CPU on the device (like the card in your phone) to run it. That chip can be hacked in fun and dangerous ways. We can spoof data use, and even copy data to be sent out at other times.

 

The most useful way to exploit this would be to make hundreds of them (takes about a day) and then just offer them for sale cheap and see what they report in after someone buys them.

 

I only bring it up because we are seeing an ASTOUNDING rise in this in Asia.

 

TC


> (a public service message)
>
> No kidding. SSD, Micro, thumb, just about any flash memory drive, can be gotten into.
>
> All flash memory utilizes a small CPU on the device (like the card in your phone) to run it. That chip can be hacked in fun and dangerous ways. We can spoof data use, and even copy data to be sent out at other times.
>
> The most useful way to exploit this would be to make hundreds of them (takes about a day) and then just offer them for sale cheap and see what they report in after someone buys them.
>
> I only bring it up because we are seeing an ASTOUNDING rise in this in Asia.


Both NAND (most flash memories today) and NOR memories are transistor equivalent logic circuits without any compute power whatsoever. Therefore it is impossible for a Flash memory to execute any code. SIM cards can be hacked but they themselves can not execute anything. With the right equipment they can be copied and the content changed but they themselves can never cause any trouble.


What you are talking about I believe is code cracking. As far as I know triple DES has never been cracked so there you are right. The DES algorithm on the other hand has, but it still requires significant computational power. Triple DES is basically 3 consecutive encryptions with a DES algorithm so both are public key algorithms. As a SIM card is basically just another memory card that isn't formatted as e.g. an SD card it shouldn't be difficult to copy the content but changing it would require much more. This said, I am reasonably sure it can be done even if it hasn't been done yet.

 

As a side note DES stands for "Digital Encryption Standard" and was developed by IBM in the 1970s. With today's compute power it isn't considered secure and was superseded by triple DES which in its turn has been replaced with AES.

 

When I worked with the GSM system the mobile units were said to be impossible to hack but it was still done due to internal leaks in the company.


Alholk,

 

Thanks for your input, I was always led to believe that Digital Encryption Standard was the IBM 70's standard to which you refer, but for the past 15-20 years the acronym refers to Data Encryption Standard. I won't argue with you since obviously you are a specialist within the field and I accept your superior knowledge of such.

 

Again, in my "layman's" mindset DES probably is still used on Pay as you Go SIM cards so there is a slight risk of harvesting contacts, eavesdropping on phone calls, intercepting SMS etc as TheC made the point of in his OP. The day when triple DES will be hacked, IMHO it is not IF but WHEN, then your average user would be leaving oneself open to some serious data harvesting, not only via using online accounts via 3G but also as Near Field Communication (NFC) is utilised more and more for financial transactions.

 

For the record, I would not claim TheC was a friend of mine, far from it, but as two engineers from opposite sides of the Atlantic whose fields of work happen to overlap at the edges I not only respect his opinion but also concur with such. I offer you the same compliment, obviously an experienced engineer who "knows his shit", and I enjoy brainstorming / idea exchange discussions such as this, as abstract as they may seem.

 

Wishing both yourself and TheC a prosperous 2014.

 

Cheers

Kong


> As far as I know triple DES has never been cracked so there you are right. The DES algorithm on the other hand has, but it still requires significant computational power. Triple DES is basically 3 consecutive encryptions with a DES algorithm so both are public key algorithms.

Full Disclosure: In the late 1970s, I was working a university project that used a hardware DES cryptographic unit.

 

A public key system has two keys per user, the public encryption key, and a private decryption key. The user chooses his private key, and part of the algorithm generates the public key, which is distributed to the world. The trick is that it is generally easy to generate the public key from the private key, but it is for all practical purposes impossible to generate the private key from the public key.

 

DES and Triple DES use the *SAME* key for encryption and decryption. As such, they are most certainly NOT public key encryption algorithms.


Not quite.

 

Every SSD you own has a small microprocessor installed on it that runs the drive. It is continually running many complex algorithms that keep the drive operational because use of flash kills the drive a little bit at a time.

 

You can hack that to do... different things. Here is a photo of an opened SSD drive showing the ARM7 on the upper left.

 

[attached photo: opened SSD drive, ARM7 controller at upper left]


> Full Disclosure: In the late 1970s, I was working a university project that used a hardware DES cryptographic unit.
>
> A public key system has two keys per user, the public encryption key, and a private decryption key. The user chooses his private key, and part of the algorithm generates the public key, which is distributed to the world. The trick is that it is generally easy to generate the public key from the private key, but it is for all practical purposes impossible to generate the private key from the public key.
>
> DES and Triple DES use the *SAME* key for encryption and decryption. As such, they are most certainly NOT public key encryption algorithms.


I stand corrected. I looked it up and DES is apparently not a public key algorithm. I have never worked with encryption but have worked as a software engineer for quite a few years (now retired).

 

ALHOLK

 

P.S. I know what a public key algorithm is, I read about them in the late 80s when I believe they were developed.


> Not quite.
>
> Every SSD you own has a small microprocessor installed on it that runs the drive. It is continually running many complex algorithms that keep the drive operational because use of flash kills the drive a little bit at a time.
>
> You can hack that to do... different things. Here is a photo of an opened SSD drive showing the ARM7 on the upper left.
>
> [attached photo: opened SSD drive, ARM7 controller at upper left]


Any given memory device has a controller circuit. In many cases it is cheaper to use a microprocessor/microcontroller than developing a new one. E.g. an 8 bit AVR costs in Sweden 1-2 USD while developing an ASIC costs much more.

Often the controller code is burned into a ROM which can be read but not changed. I still maintain that memory circuits can't be used to run malevolent code. They can only be used to store code which is executed on the computer they are attached to.


> Any given memory device has a controller circuit. In many cases it is cheaper to use a microprocessor/microcontroller than developing a new one. E.g. an 8 bit AVR costs in Sweden 1-2 USD while developing an ASIC costs much more.
>
> Often the controller code is burned into a ROM which can be read but not changed. I still maintain that memory circuits can't be used to run malevolent code. They can only be used to store code which is executed on the computer they are attached to.


Of course they can. In fact, you can go and download for free a program that will allow you to give commands to the ARM (free). (It's called the man in the middle hack.) The cpu reports to the device things like the size of the memory. So, for example, you could easily tell the card to read 3gb when the actual size is 6gb. Thus leaving the 6gb for whatever other work you want the card to do. Load your code there to be run in the background doing what you want. All via the internal cpu.

 

This in fact is what a lot of companies do with defective runs. Example: let's say your fab is making 20gb SSDs. But the process is not exact so you end up with 50% bad cells. Simple to fix, you tell the ARM7 or the 8051 to just report the card as 10gb and that is what you sell it as.


Archived

This topic is now archived and is closed to further replies.
