* UN's ITU to issue advisory to nearly 200 nations
* Advisory is on risk identified by German researchers
* Researchers develop remote attack on mobile SIM cards
* Researchers say at least 500 million phones vulnerable
By Jim Finkle
BOSTON, July 21 (Reuters) - A United Nations group thatadvises nations on cybersecurity plans to send out an alertabout significant vulnerabilities in mobile phone technologythat could potentially enable hackers to remotely attack atleast half a billion phones.
The bug, discovered by German firm, allows hackers toremotely gain control of and also clone certain mobile SIMcards.
Hackers could use compromised SIMs to commit financialcrimes or engage in electronic espionage, according to Berlin'sSecurity Research Labs, which will describe the vulnerabilitiesat the Black Hat hacking conference that opens in Las Vegas onJuly 31.
The U.N.'s Geneva-based International TelecommunicationsUnion, which has reviewed the research, described it as "hugelysignificant."
"These findings show us where we could be heading in termsof cybersecurity risks," ITU Secretary General Hamadoun Tourétold Reuters.
He said the agency would notify telecommunicationsregulators and other government agencies in nearly 200 countriesabout the potential threat and also reach out to hundreds ofmobile companies, academics and other industry experts.
A spokeswoman for the GSMA, which represents nearly 800mobile operators worldwide, said it also reviewed the research.
"We have been able to consider the implications and provideguidance to those network operators and SIM vendors that may beimpacted," said GSMA spokeswoman Claire Cranton.
Nicole Smith, a spokeswoman for Gemalto NV, theworld's biggest maker of SIM cards, said her company supportedGSMA's response.
"Our policy is to refrain from commenting on detailsrelating to our customers' operations," she said.
BECOMING THE SIM
Cracking SIM cards has long been the Holy Grail of hackersbecause the tiny devices are located in phones and allowoperators to identify and authenticate subscribers as they usenetworks.
Karsten Nohl, the chief scientist who led the research teamand will reveal the details at Black Hat, said the hacking onlyworks on SIMs that use an old encryption technology known asDES.
Nohl said he conservatively estimates that at least 500million phones are vulnerable to the attacks he will discuss atBlack Hat. He added that the number could grow if otherresearchers start looking into the issue and find other ways toexploit the same class of vulnerabilities.
The ITU estimates some 6 billion mobile phones are in useworldwide. It plans to work with the industry to identify how toprotect vulnerable devices from attack, Touré said.
Once a hacker copies a SIM, it can be used to make calls andsend text messages impersonating the owner of the phone, saidNohl, who has a doctorate in computer engineering from theUniversity of Virginia.
"We become the SIM card. We can do anything the normalphone users can do," Nohl said in a phone interview.
"If you have a MasterCard number or PayPal data on thephone, we get that too," if it is stored on the SIM, he said.
The newly identified attack method only grants access todata stored on the SIM, which means payment applications thatstore their secrets outside of the SIM card are not vulnerableto this particular hacking approach.
Yet Nohl warned that when data is stored outside of a SIMcard it could fall victim to a large range of other alreadyknown vulnerabilities, which is what has prompted the industryto put payment information on SIMs in the first place.
IPHONE, ANDROID, BLACKBERRY
The mobile industry has spent several decades definingcommon identification and security standards for SIMs to protectdata for mobile payment systems and credit card numbers. SIMsare also capable of running apps.
Nohl said Security Research Labs found mobile operators inmany countries whose phones were vulnerable, but declined toidentify them. He said mobile phone users in Africa could beamong the most vulnerable because banking is widely done viamobile payment systems with credentials stored on SIMs.
All types of phones are vulnerable, including iPhones fromApple Inc, phones that run Google Inc's Android software and BlackBerry Ltd smartphones, hesaid.
BlackBerry's director of security response and threatanalysis, Adrian Stone, said in a statement that his companyproposed new SIM card standards last year to protect against thetypes of attacks described by Nohl, which the GSMA has adoptedand advised members to implement.
Apple and Google declined comment.
CTIA, a U.S. mobile industry trade group based inWashington, D.C., said the new research likely posed noimmediate threat.
"We understand the vulnerability and are working on it,"said CTIA Vice President John Marinho. "This is not what hackersare focused on. This does not seem to be something they areexploiting."
Vodafone (VOD)
