IBM report cites mobile phone hacking risks

08 May 2002 08:57


The majority of GSM phones can be cloned in just a minute or two, IBM says

IBM researchers released a report on Tuesday showing that some cell phones' security cards could be cloned in minutes, letting hackers make calls and route charges to the cloning victim's account.

The hacking technique studied by the researchers, known as a partitioning attack, analyses power fluctuations in a phone's security identification module (SIM) card, allowing an attacker to divine the security codes stored inside.

However, the technique only works on the first generation of global system for mobile communications (GSM) phones and requires that the attacker have physical access to the phone for at least a minute or two.

"It is not a 'sky is falling' announcement," IBM's Charles Palmer said of the report. "It says that this is a problem." Palmer is IBM's Research department group manager for security, privacy and cryptography.

If such a bypassing technique, or some other hack, were to be used widely, digital thieves could create SIM cards for phones that would route charges to a victim's account.

A game of seven questions
The technique, to be outlined in a paper that will be presented at the IEEE Symposium on Security and Privacy next week, requires a computer, a SIM card reader and the right program. The program asks the target card seven specific "questions", and it analyses the signals from the card to determine how it's processing the queries. By analysing the electromagnetic field changes and power fluctuations, the researchers can divine the card's cryptographic identity.

"Basically, I get to ask the card seven questions, and that is enough to copy the card," Palmer said. "I still have to guess the PIN, but that's easy."

Once a card is cloned, the password, generally a four-digit PIN, is necessary to unlock the information. Yet, a thief could easily try all 10,000 combinations with the newly cloned card.

Just smoke and mirrors?
At least one analyst doesn't think much of the announced security break.

"It's like saying if someone gets your credit card, they can commit credit card fraud," said Roger Entner, program manager for the Yankee Group consultancy. "If you let them disappear with your phone, of course it's going to get cloned."

Entner also pointed out that GSM is not yet widely used in the United States. VoiceStream has released about 7.5 million of the phones, while Cingular and AT&T are building out their GSM networks.

However, GSM is very successful worldwide, accounting for some 70 percent of all phones. And, while many companies are shipping versions 2 and 3 of the GSM standard on their SIM cards, the majority of the phones in use today are GSM 1 phones.

In fact, when Palmer and his cohorts went to stores to buy phones with different versions of the GSM specification, only version 1 phones were found.

IBM Research has designed a technical fix to defend against such attacks, but it's not known how IBM intends to license the new technique to manufacturers. For cell phone owners, though, protection is easy: Don't loan your phone to strangers.



Story URL: http://news.zdnet.co.uk/hardware/0,1000000091,2109824,00.htm
