A flaw has been discovered in the security of 500 million mobile phones that could make them vulnerable to attack, cyber researchers have said.
The bug, discovered by German firm Security Research Labs, allows hackers to remotely gain control of and also clone certain mobile SIM cards.
Hackers could use compromised SIMs to commit financial crimes or engage in espionage. The technique will be presented at the Black Hat hacking conference that opens in Las Vegas on July 31.
The UN’s Geneva-based International Telecommunications Union, which has reviewed the research, has described it as “hugely significant”.
“These findings show us where we could be heading in terms of cybersecurity risks,” said ITU Secretary General Hamadoun Touré.
He said the agency would notify telecommunications regulators and other government agencies in nearly 200 countries about the potential threat and also reach out to hundreds of mobile companies, academics and other industry experts.
Karsten Nohl, the chief scientist who led the research team, said the hacking only works on SIMs that use an old encryption technology known as DES.
However, that technology is still used on at least one out of eight SIMs, or a minimum of 500 million phones, according to Nohl.
Once a hacker copies a SIM, it can be used to make calls and send text messages impersonating the owner of the phone, said Nohl, who has a doctorate in computer engineering from the University of Virginia.
“We become the SIM card. We can do anything the normal phone users can do,” he said. “If you have a MasterCard number or PayPal data on the phone, we get that too.”
He said mobile users in Africa could be among the most at risk because banking is widely done through mobile payment systems with credentials stored on SIMs.
A spokeswoman for the GSMA, which represents nearly 800 mobile operators worldwide, said it had also reviewed the research.
“We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted,” said GSMA spokeswoman Claire Cranton.