Report: Massive SIM card hack does not affect most U.S. phone owners

Earlier this week, Karsten Nohl, a security researcher at SR Labs, revealed his discovery of a massive hole in SIM card encryption that could leave as many as 750 million of the 7 billion SIM-carded devices in the world vulnerable to attack. Not just your average hacking shenanigans – if your phone’s SIM card is compromised, it’s the phone equivalent of identity theft. An intruder can do a lot of damage.

A SIM card – or Subscriber Identity Module – tells your wireless carrier who you are and that you can be trusted. Hackers who exploit your SIM could access your wireless carrier account, some texts and contacts, and your network identification information. Using this info, they could modify your carrier account, reroute your phone calls, clone your phone number to another phone, steal your payment credentials (including some NFC payment apps), change your voicemail, send out texts as you, and obtain your exact location by pinging your carrier, among other things. The list of vile acts possible with SIM access is long, and breaking into your phone is almost as easy as sending a text message.

AT&T, Sprint, T-Mobile, and Verizon users are safe

Luckily, you may not have to worry. Despite the many vague and scary reports circulating, if you live in the United States, your SIM card (that little card that usually sits under your phone’s battery) is probably not at risk of being hacked.

Representatives from all four major wireless carriers in the United States – AT&T, Sprint, T-Mobile, and Verizon – have confirmed to Digital Trends that they do not use the older, 56-bit DES (Data Encryption Standard) SIMs that are vulnerable to Nohl’s exploit. This aging standard from 1977 is still used in some areas around the world, and is far less secure than newer 1998 standards like AES (Advanced Encryption Standard) and Triple DES. This means that the vast majority of subscribers in the United States are safe. Most smaller carriers like Virgin, Boost, Ting, and others piggyback on the major carrier networks, making them safe from this exploit as well.

Sprint and Verizon, which didn’t use SIM cards at all until they began deploying high-speed 4G LTE networks, told us that “100 percent” of their SIM cards use newer, safer encryption standards.

“Verizon SIM cards are not vulnerable to this potential attack because of the way they are designed and manufactured,” said a Verizon representative. “We take the privacy and security of our customers very seriously, and will continue to work with our SIM card vendors, industry groups, and others to prevent and thwart any security concerns.”

AT&T and T-Mobile did use the vulnerable DES standard in the past, but have used Triple DES for many years. AT&T representatives said that the company has not used the hackable standard for “nearly a decade.” T-Mobile hasn’t used it for “at least seven years.” If you happen to own a phone that’s bordering on seven years old, go buy a new one. Otherwise, you’re safe. T-Mobile representatives also confirmed to us that Metro PCS subscribers are safe.

Another reason not to worry

But what should you do if you aren’t using one of the big U.S. carriers or a smaller provider that uses one of their networks? Should you be worried? Nohl says everyone should stay calm.

“For the moment, there is no reason to be concerned, as criminals will likely take months to reimplement the research results,” Nohl tells Digital Trends. “If, by the time they do, networks have not implemented network defenses or upgraded their SIMs remotely, it may be time to ask for a new SIM.” He adds, “Abuse is likely still months away,” and that SR Labs shared results “several months ago and have been in a very constructive dialogue with the carriers ever since.”

Nohl’s team spent three years and tested more than 1,000 SIM cards to discover the bug. Nohl will speak in more detail about the vulnerability at the BlackHat security conference on August 1, 2013.

What to do if you’re still worried

If you don’t live in the United States, or don’t know the status of your carrier, your best bet is to call your mobile carrier and ask.

“Asking the service provider for more information is currently the best option,” said Roel Schouwenberg, senior security researcher at Kaspersky Lab. “Hopefully they will move quickly and provide more information on their websites shortly.”

“This news should serve as a wake-up call to any service providers that are still using outdated technology,” adds Schouwenberg, “as well as highlight the importance of pushing out new security developments when possible.”

Schouwenberg points out that there is no quick fix for this SIM card exploit if you have it. Phones affected by the SIM card vulnerability (like older flip phones) do not have access to any form of security software that could help prevent attacks. But if you’re in the United States, you’re likely safe. If you’re not, you have a few months to switch to a more up-to-date carrier.

Updated on 7-25-2013 by Jeffrey Van Camp: We can confirm that Metro PCS also uses Triple DES, so users of that service, which is now owned by T-Mobile, are safe from this vulnerability.

Article originally published 7-24-2013.

