Report: Massive SIM card hack does not affect most U.S. phone owners


Earlier this week, Karsten Nohl, a security researcher at SR Labs, revealed his discovery of a massive hole in SIM card encryption that could leave as many as 750 million of the 7 billion SIM-carded devices in the world vulnerable to attack. Not just your average hacking shenanigans – if your phone’s SIM card is compromised, it’s the phone equivalent of identity theft. An intruder can do a lot of damage.

A SIM card – or Subscriber Identity Module – tells your wireless carrier who you are and that you can be trusted. Hackers who exploit your SIM could access your wireless carrier account, some texts and contacts, and your network identification information. Using this info, they could modify your carrier account, reroute your phone calls, clone your phone number to another phone, steal your payment credentials (including some NFC payment apps), change your voicemail, send out texts as you, and obtain your exact location by pinging your carrier, among other things. The list of vile acts possible with SIM access is long, and breaking into your phone is almost as easy as sending a text message.

AT&T, Sprint, T-Mobile, and Verizon users are safe

Luckily, you may not have to worry. Despite the many vague and scary reports circulating, if you live in the United States, your SIM card (that little card that usually sits under your phone’s battery) is probably not at risk of being hacked.

Representatives from all four major wireless carriers in the United States – AT&T, Sprint, T-Mobile, and Verizon – have confirmed to Digital Trends that they do not use the older, 56-bit DES (Data Encryption Standard) SIMs that are vulnerable to Nohl’s exploit. This aging standard from 1977 is still used in some areas around the world, and is far less secure than newer 1998 standards like AES (Advanced Encryption Standard) and Triple DES. This means that the vast majority of subscribers in the United States are safe. Most smaller carriers like Virgin, Boost, Ting, and others piggyback on the major carrier networks, making them safe from this exploit as well.


Sprint and Verizon, which didn’t use SIM cards at all until they began deploying high-speed 4G LTE networks, told us that “100 percent” of their SIM cards use newer, safer encryption standards.

“Verizon SIM cards are not vulnerable to this potential attack because of the way they are designed and manufactured,” said a Verizon representative. “We take the privacy and security of our customers very seriously, and will continue to work with our SIM card vendors, industry groups, and others to prevent and thwart any security concerns.”

AT&T and T-Mobile did use the vulnerable DES standard in the past, but have used Triple DES for many years. AT&T representatives said that it has not used the hackable standard for “nearly a decade.” T-Mobile hasn’t used it for “at least seven years.” If you happen to own a phone that’s bordering on seven years old, go buy a new one. Otherwise, you’re safe. T-Mobile representatives also confirmed with us that Metro PCS subscribers are safe, as well.

Another reason not to worry

But what should you do if you aren’t using one of the big U.S. carriers or a smaller provider that uses one of their networks? Should you be worried? Nohl says everyone should stay calm.

“For the moment, there is no reason to be concerned, as criminals will likely take months to reimplement the research results,” Nohl tells Digital Trends. “If, by the time they do, networks have not implemented network defenses or upgraded their SIMs remotely, it may be time to ask for a new SIM.” He adds, “Abuse is likely still months away,” and that SR Labs shared results “several months ago and have been in a very constructive dialogue with the carriers ever since.”

Nohl’s team spent three years and tested more than 1,000 SIM cards to discover the bug. Nohl will speak in more detail about the vulnerability at the BlackHat security conference on August 1, 2013.

What to do if you’re still worried

If you don’t live in the United States, or don’t know the status of your carrier, your best bet is to call your mobile carrier and ask.

“Asking the service provider for more information is currently the best option,” said Roel Schouwenberg, senior security researcher at Kaspersky Lab. “Hopefully they will move quickly and provide more information on their websites shortly.”

“This news should serve as a wake-up call to any service providers that are still using outdated technology,” adds Schouwenberg, “as well as highlight the importance of pushing out new security developments when possible.”

Schouwenberg points out that there is no quick fix for this SIM card exploit if you have it. Phones affected by the SIM card vulnerability (like older flip phones) do not have access to any form of security software that could help prevent attacks. But if you’re in the United States, you’re likely safe. If you’re not, you have a few months to switch to a more up-to-date carrier.

Updated on 7-25-2013 by Jeffrey Van Camp: We can confirm that Metro PCS also uses Triple DES, so users of that service, which is now owned by T-Mobile, are safe from this vulnerability.

Article originally published 7-24-2013.

