In February 2015, Edward Snowden revealed that the NSA and GCHQ had hacked one of the world's largest SIM card manufacturers in order to clone cards and break their encryption. But a presentation at Black Hat shows that not all of that effort was really needed.
Yu Yu ("yes, this is my real name," the researcher joked) is a research professor at Shanghai Jiao Tong University. He has spent the past few years learning how to break the encryption on 3G and 4G SIM cards.
These cards use AES-128, an encryption algorithm that is supposed to be impervious to brute-force attacks. But as it turns out, it is easy to crack using side-channel analysis.
Side-channel attacks measure and analyze physical data such as power consumption, electromagnetic emissions, and heat. By analyzing this data, a researcher can learn exactly what is happening on a chip.
The technique has existed for years and requires physical access to the target device.
Yu and his team used an oscilloscope to monitor power levels, an MP300-SC2 protocol analyzer to monitor data traffic, a self-built SIM card reader, and a standard PC to match up the results.
With this setup they managed to break eight commercial SIM cards in 80 minutes.
The system could not, of course, read the encryption key directly from the cards. Instead, the research team isolated 256 sections of the key and matched them against those revealed by the SIM card's activity.
This requires calculation and a little luck. But once the system was fine-tuned, it became much easier to break the encryption keys and clone the card.
Yu showed that cloned SIM cards can successfully impersonate the originals. He also showed how a cloned card could change the access code for the Alipay service (one of China's largest third-party payment systems) and potentially empty the account.
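The "256 sections of the key" above are the 256 candidate values for one key byte. As an added illustration that is not code from Yu's team or the Black Hat presentation, the following Python simulation builds the AES S-box, generates constructed power-consumption samples with a Hamming-weight leakage model, and scores every candidate for a key byte by its correlation with the measurements; it also shows that the same test finds nothing useful once the implementation masks the intermediate value, which is why leakage assessment and masking are the standard defensive checks for cards like these. The key byte, trace count and noise level are assumptions chosen for the demonstration.

```python
import random

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        p ^= a if b & 1 else 0
        a = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF
        b >>= 1
    return p

def build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8), then the affine transform."""
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = r = inv
        for _ in range(4):
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()
HW = [bin(v).count("1") for v in range(256)]   # Hamming-weight power model

def simulate_traces(key_byte, n, masked=False, noise=1.0, seed=1):
    """Constructed leakage: one noisy sample per encryption at the first-round S-box
    output S(p ^ k). masked=True XORs in a fresh random mask, as a masked card would."""
    rng = random.Random(seed)
    pts, leaks = [], []
    for _ in range(n):
        p = rng.randrange(256)
        v = SBOX[p ^ key_byte] ^ (rng.randrange(256) if masked else 0)
        pts.append(p)
        leaks.append(HW[v] + rng.gauss(0, noise))
    return pts, leaks

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0

def rank_key_byte(pts, leaks):
    """Score all 256 candidates for one key byte; return (best guess, its |correlation|)."""
    scored = sorted(((abs(pearson([HW[SBOX[p ^ k]] for p in pts], leaks)), k)
                     for k in range(256)), reverse=True)
    return scored[0][1], scored[0][0]
```

With the unmasked model the true byte scores a correlation near 0.8 and every other candidate stays near zero; with masking the best candidate scores no better than noise, which is the outcome a leakage assessment of a hardened card should produce.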
The hack demonstrated the need for more security for mobile phone users, Yu said.
Given its speed and convenience, intelligence agencies will be very interested in Yu's technique.