In February 2015, Edward Snowden revealed that the NSA and GCHQ had hacked into one of the world's largest SIM card manufacturers to clone cards and break encryption. But a presentation at Black Hat shows that it was not all that really needed.
Ο Yu Yu (yes, that's my real name, the researcher joked) is a research professor at Shanghai Jiao Tong University. The researcher has spent the last few years trying to find out how break the encryption codes on the 3G and 4G cards.
These cards use AES-128, an encryption that is supposed to be impenetrable by brute force attacks. As it turns out, however, it is easy to break using channel analysis.
Side-channel attacks measure and analyze data such as power consumption, electromagnetic emissions, and heat generation. By analyzing these data the researcher can learn what exactly is happening on a chip.
Η technique υπάρχει εδώ και χρόνια, και απαιτεί φυσική πρόσβαση στο machine- Target.
Yu and his team used an oscilloscope to monitor power levels, an MP300-SC2 protocol analyzer to monitoring of data traffic, a homemade SIM card reader, and a standard PC to correlate the results.
With the above they managed to break eight commercial SIM cards in 80 minutes.
The system could of course not read the encryption key directly from the cards. Instead, the research team isolated 256 sections of the key and sent them to those shown by the action of the SIM card.
This of course requires calculations and a little luck. But as soon as the system was fine-tuned it was much easier to break the encryption keys and clone the card.
Yu has proved that cloned SIM cards can successfully imitate authentic ones. It also showed how a cloned card could change the Alipay service password (one of China's largest 3rd party payment system) and eventually empty the account.
The hack demonstrated the need for more security for mobile phone users, Yu said.
Given the speed and ease of the violation, intelligence services will be very interested in Yu's technique.