SIM card manufacturers (and the secure IC manufacturers) employ a variety of security and encryption methods to protect data and prevent physical and logical attacks on the cards. DES has been known to be used, although it is difficult to say on what proportion of cards this is still employed as a standalone method of encryption (I am trying to verify this with MNO and vendor contacts). It is safe to say that high-end cards typically employ 3DES and AES, and in some instances PKI, as used in our e-passports. As well as meeting the requirements of groups representing the major payment card brands and high-value multimedia content, some are also being tested to house government ID cards, and all of these applications require the highest levels of security for SIM cards and devices.
I am currently trying to establish how widely DES is used as a standalone solution, and whether this affects only those SIM cards that sit between the high-end cards mentioned above and those that have a native OS and do not use open Java Card standards. Initially I think that this is a relatively small proportion of the market and would only apply to in the region of 10% of cards being deployed. It would appear to vary by country and network, depending on the types of services offered. Those native OS cards are found in the (very) low-end devices, typically in emerging markets, and so any vulnerabilities will be limited to the level just above those, i.e. more than basic voice and data users but not those using higher-level content and services. This again limits the level of threat, as this group would not typically have high-value data or financial transactions which fraudsters or criminals would target.
My major concern is that there has been no official response from the industry body representing the SIM card manufacturers. The SIMalliance has not published a response to news of the hack that broke late last week, and neither has the GSM Association, the industry body for MNOs (although it has been working behind the scenes to advise its members of the vulnerability and the corrective efforts required).
Another point to consider is that the SIMs are not a standalone solution. Some OEMs have their own solutions and encryption built into their devices, and this is being advanced by the work to establish Trusted Execution Environments (TEEs) as a standardised feature in smartphones and tablets. If anything, this may garner more support for such efforts.
My personal feeling is that the level of threat is minimal. Any risk will be borne by the MNOs, as they are the ones offering the SIMs and services, and it would therefore be their responsibility to cover any losses suffered by their customers. For this reason, and because it took three years to find this breach (so any replication will not happen overnight), I think that MNOs and their suppliers will have upgraded the necessary SIM cards and software well in advance of this threat becoming an issue for subscribers.