Mobile security expert Karsten Nohl says that he has found a flaw in the encryption that many SIM cards use to hide their digital signature, and that this flaw could allow hackers to listen to phone calls, read messages, charge accounts, or install malware on smartphones without the owners’ knowledge, reports Kevin O’Brien of The New York Times.

Karsten Nohl

Karsten Nohl on mobile security

“We can spy on you,” said Karsten Nohl. “We know your encryption keys for calls. We can read your S.M.S.’s. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account.”

The exploit works by sending a false request for verification to the SIM card. Most phones recognize that the message is fake and ignore it, but some sent an error message back to Nohl that contained enough information for him to determine the SIM card’s digital signature. With the digital signature in hand, Nohl has full access to the phone and can install software to do practically anything he wants.

Karsten Nohl recommends getting a new SIM card

The D.E.S. encryption standard was devised in the 1970s and used on all mobile phones until a few years ago. A new encryption standard called Triple D.E.S. does not have the same vulnerability, but not all carriers have upgraded to the new protocol. Even carriers that use Triple D.E.S. on newer phones often have legacy customers whose phones are vulnerable to attack. Only about a quarter of SIM cards that use the old D.E.S. encryption were vulnerable, but Nohl recommends that anyone whose SIM card is more than three years old request a replacement from their carrier.

Not the first time Karsten Nohl has donned a white hat

This isn’t the first time that Nohl has found problems with major encryption standards. In 2009 he developed software that could crack the 64-bit encryption used on GSM networks, forcing the industry to adopt more secure protocols. White hat hacking activities such as this can be controversial, but Nohl has taken measures to protect himself from accusations of abuse.

The tests he ran to confirm the exploit all belonged to him or his associates, and he will not publish a list of the operators whose SIM cards were vulnerable to the exploit. He has also been in communication with the GSM Association and others in the telecommunications industry so that carriers have time to address the flaw before its details are disclosed to the general public at a conference this August.

“We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted,” said GSM association spokeswoman Claire Cranton.