BY Iain Thomson
Black Hat 2015: In February, whistleblower Edward Snowden revealed that the NSA and GCHQ hacked one of the world’s biggest SIM card manufacturers to clone cards and crack encryption, but research revealed at Black Hat shows they needn’t have bothered.
Yu Yu (yes, that is my real name, he joked) is a research professor at Shanghai Jiao Tong University who has spent the last year working out how to recover the encryption keys from 3G and 4G SIM cards. These cards use AES-128, which is supposed to be virtually unbeatable by brute force, but turns out to be easy to defeat with side-channel analysis.
Side-channel attacks measure things like power consumption, electromagnetic emissions, and heat generation to work out what is going on inside a chip. The technique has been around for years and requires physical access to the target device.
Yu and his team used an oscilloscope to capture the card's power consumption, an MP300-SC2 protocol analyzer to monitor the data traffic, a self-made SIM card reader, and a standard PC to correlate the results. With this simple setup they cracked eight commercial SIM cards in between 10 and 80 minutes each.
The cracking system couldn’t read the encryption key straight off the card. Instead the team isolated 256 sections of the key and matched each against the power consumption the SIM card showed while processing it.
This does require a fair amount of computation and a little luck. But once the system had been refined it became comparatively easy to recover the encryption keys and thus clone the card.
Yu demonstrated how the cloned SIM card can successfully impersonate the owner in class. He also showed how a cloned card could change the password on an Alipay account (China’s largest third-party payments system) and potentially drain it.
The hack demonstrated the need for physical security by mobile phone users, as well as digital security, Yu said. Given the speed and ease of the crack, the intelligence services will be very interested in his technique.