LAS VEGAS — A well-known security expert said mobile carriers have quickly protected customers from a security bug that he revealed 10 days ago and that he estimated had put more than 500 million phones at risk of cyber attacks.
Karsten Nohl, chief scientist with Berlin's Security Research Labs, led a research team at the German firm that figured out a way to remotely gain control of and also clone some mobile SIM cards.
"Pretty much every carrier we have spoken to has fixed it," Nohl said in advance of a talk late Wednesday afternoon at the Black Hat hacking conference in Las Vegas.
The team was the first to accomplish the hacking feat, which has long been a Holy Grail of mobile hackers. SIM cards are tiny, highly secured devices located in phones that allow operators to identify and authenticate subscribers as they use networks.
He discussed that three-year research effort late Wednesday afternoon in one of the most anticipated talks at Black Hat, a conference where some 7,000 security professionals gathered to hear about the latest risks posed by hacking.
Nohl said at a news conference prior to that talk that he would not be able to demonstrate part of his technique for attacking SIM cards because he had prepared to show it on SIMs from five carriers, but that all five carriers had made changes to prevent their SIMs from being hacked.
Nohl is a so-called "white hat," or a hacker who figures out how to attack things in a bid to find vulnerabilities so that companies can fix bugs before criminals can exploit them.
He told Reuters that he was pleased that the carriers had implemented the fix before his demonstration because that means they are ahead of criminal hackers, who could use compromised SIMs to commit financial crimes or engage in electronic espionage.
Nohl said that carriers have used methods to fix the bug in SIM cards without having to physically replace them, which would have been quite costly.
He said he was not sure whether all carriers around the world have fixed the bug, but that he had checked with many major carriers and that they had gone ahead and taken care of the security problem.
First published July 31 2013, 5:54 PM