Report: Massive SIM card hack does not affect most U.S. phone owners

Earlier this week, Karsten Nohl, a security researcher at SR Labs, revealed his discovery of a massive hole in SIM card encryption that could leave as many as 750 million of the 7 billion SIM-carded devices in the world vulnerable to attack. These aren’t your average hacking shenanigans: if your phone’s SIM card is compromised, it’s the phone equivalent of identity theft. An intruder can do a lot of damage.

A SIM card – or Subscriber Identity Module – tells your wireless carrier who you are and that you can be trusted. Hackers who exploit your SIM could access your wireless carrier account, some texts and contacts, and your network identification information. Using this info, they could modify your carrier account, reroute your phone calls, clone your phone number to another phone, steal your payment credentials (including some NFC payment apps), change your voicemail, send out texts as you, and obtain your exact location by pinging your carrier, among other things. The list of vile acts possible with SIM access is long, and breaking into your phone is almost as easy as sending a text message.

AT&T, Sprint, T-Mobile, and Verizon users are safe

Luckily, you may not have to worry. Despite the many vague and scary reports circulating, if you live in the United States, your SIM card (that little card that usually sits under your phone’s battery) is probably not at risk of being hacked.

Representatives from all four major wireless carriers in the United States – AT&T, Sprint, T-Mobile, and Verizon – have confirmed to Digital Trends that they do not use the older, 56-bit DES (Data Encryption Standard) SIMs that are vulnerable to Nohl’s exploit. This aging standard from 1977 is still used in some areas around the world, and is far less secure than newer 1998 standards like AES (Advanced Encryption Standard) and Triple DES. This means that the vast majority of subscribers in the United States are safe. Most smaller carriers like Virgin, Boost, Ting, and others piggyback on the major carrier networks, making them safe from this exploit as well.

Sprint and Verizon, which didn’t use SIM cards at all until they began deploying high-speed 4G LTE networks, told us that “100 percent” of their SIM cards use newer, safer encryption standards.

“Verizon SIM cards are not vulnerable to this potential attack because of the way they are designed and manufactured,” said a Verizon representative. “We take the privacy and security of our customers very seriously, and will continue to work with our SIM card vendors, industry groups, and others to prevent and thwart any security concerns.”

AT&T and T-Mobile did use the vulnerable DES standard in the past, but have used Triple DES for many years. AT&T representatives said that it has not used the hackable standard for “nearly a decade.” T-Mobile hasn’t used it for “at least seven years.” If you happen to own a phone that’s bordering on seven years old, go buy a new one. Otherwise, you’re safe. T-Mobile representatives also confirmed with us that Metro PCS subscribers are safe, as well.

Another reason not to worry

But what should you do if you aren’t using one of the big U.S. carriers or a smaller provider that uses one of their networks? Should you be worried? Nohl says everyone should stay calm.

“For the moment, there is no reason to be concerned, as criminals will likely take months to reimplement the research results,” Nohl tells Digital Trends. “If, by the time they do, networks have not implemented network defenses or upgraded their SIMs remotely, it may be time to ask for a new SIM.” He adds, “Abuse is likely still months away,” and that SR Labs shared results “several months ago and have been in a very constructive dialogue with the carriers ever since.”

Nohl’s team spent three years and tested more than 1,000 SIM cards to discover the bug. Nohl will speak in more detail about the vulnerability at the BlackHat security conference on August 1, 2013.

What to do if you’re still worried

If you don’t live in the United States, or don’t know the status of your carrier, your best bet is to call your mobile carrier and ask.

“Asking the service provider for more information is currently the best option,” said Roel Schouwenberg, senior security researcher at Kaspersky Lab. “Hopefully they will move quickly and provide more information on their websites shortly.”

“This news should serve as a wake-up call to any service providers that are still using outdated technology,” adds Schouwenberg, “as well as highlight the importance of pushing out new security developments when possible.”

Schouwenberg points out that there is no quick fix for this SIM card exploit if your SIM is affected. Phones affected by the SIM card vulnerability (like older flip phones) do not have access to any form of security software that could help prevent attacks. But if you’re in the United States, you’re likely safe. If you’re not, you have a few months to switch to a more up-to-date carrier.

Updated on 7-25-2013 by Jeffrey Van Camp: We can confirm that Metro PCS also uses Triple DES, so users of that service, which is now owned by T-Mobile, are safe from this vulnerability.

Article originally published 7-24-2013.

