NewsBite

'750 million mobile phones are vulnerable to hacking' - researcher

A FLAW in SIM card technology has left 750 million active mobile phones vulnerable to being remotely accessed by cyber criminals, a researcher claims, but telcos don't know if Aussie customers are affected.

Around 750 million mobile phones are vulnerable to hacking, researcher finds.

MORE than 750 million mobile phones could be vulnerable to hackers and cyber criminals, a researcher has revealed, and authorities cannot say whether Australians are affected.

A German mobile security expert has discovered a flaw in the encryption technology used in some SIM cards that allows cyber criminals to take control of your phone remotely, The New York Times reported.

Karsten Nohl, founder of Security Research Labs in Berlin, said the encryption flaw allowed outsiders to obtain a SIM card key - a 56-digit 'passcode' that, when entered, gave hackers free rein to modify information on the chip.

Nohl said he was able to send a virus to the SIM card via text message that allowed him to eavesdrop on phone calls, make mobile phone payments and even impersonate the phone's owner.

"We can remotely install software on a handset that operates completely independently from your phone," Mr. Nohl told the New York Times. "We can spy on you. We know your encryption keys for calls. We can read your SMS's. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account."

Mr Nohl said the flaw was the result of an old encryption method developed in the 1970s called Data Encryption Standard (DES). Some mobile phone networks use stronger encryption methods but many still run the old standard. After discovering the flaw he gauged its pervasiveness by testing about 1000 SIM cards on mobile phone networks in Europe and North America over a period of two years.

Mr Nohl said that the security flaw was found on around one quarter of the SIM cards running DES.

DES encryption is used in about three billion phones that are used daily. The researcher estimated that about 750 million phones are open to attack.

Mr Nohl shared his findings with the GSM Association, a London organisation that represents the mobile industry.

The GSM Association was unable to tell news.com.au whether Australian users were affected by the breach but said it was likely that only a minority of mobile phones "could be vulnerable".

"It would appear that a minority of SIMs produced against older standards could be vulnerable," a spokesperson told news.com.au.

"There is no evidence to suggest that today's more secure SIMs, which are used to support a range of advanced services, will be affected," a spokeswoman said.

"The mobile industry and its users benefit from the high security standard provided by SIM cards. The SIM has proved to be a secure method to authenticate users and enable the portability of services between devices from the inception of GSM technology."

"The GSMA takes the security of SIM Cards very seriously and has Working Groups that follow these developments. We continue to work with our mobile operator members and the SIM providers to minimise any potential risks."

A spokesperson for Optus told news.com.au that after investigating the issue, it is confident that the vast majority of Optus customers are using SIM cards that are not at risk.

However, it could not rule out the possibility entirely.

"We are currently working with all our SIM card partners to confirm all relevant information in relation to the issue," the spokesperson said.

Telstra, too, wouldn't comment directly on whether its customers were affected but said that it "takes the security of all our customers very seriously".

"We work closely with our vendors and supply chain to make sure we address known security risks, and the SIM cards we issue our customers are secure," the spokesperson said.

Vodafone declined to comment.

###

Original URL: https://www.news.com.au/technology/gadgets/million-mobile-phones-are-vulnerable-to-hacking8217-8212-researcher/news-story/23249c9272cb5aad88058d9acbfc0905