Stolen SIM card keys could be powerful spy tool (Update)

February 20, 2015

A report citing leaked documents from former NSA contractor Edward Snowden said the US and British spy agencies "hacked into" the European manufacturer Gemalto to gain encryption keys for a large share of the SIM cards used for mobile phones
It would be another powerful tool in the arsenal of US and British spy services: encryption keys for a large share of the SIM cards used for mobile phones.

A report by the investigative news website The Intercept, citing leaked documents from former National Security Agency contractor Edward Snowden, said the US and British agencies "hacked into" European manufacturer Gemalto to gain these keys.

The report, if accurate, could allow the NSA and its British counterpart GCHQ to secretly monitor a large portion of global communications over mobile devices without using a warrant or wiretap.

"This is a huge deal," said Bruce Schneier, a cryptographer who is chief technology officer at the security firm Resilient Systems, and a fellow at Harvard's Berkman Center.

"The things that are the most egregious are when the NSA hacks everybody to get a few people," Schneier told AFP.

"They're getting encryption keys of everybody, including you and me. It's a scorched earth policy."

The report suggests the intelligence services could have access to a wider range of communications than has been previously reported. Other documents have indicated that the NSA can monitor email and traditional phone communications.

Schneier said the report is credible and probably indicates other SIM card makers were hacked as well.

"Do we think this is the only company? Odds are low," he said.

David Perry, threat strategist at the security firm F-Secure, called the revelations "the biggest story on mobile privacy we've seen so far."

The report is troubling, Perry said, because of the methods described.

"Intelligence services are hacking all the time," he said. "What concerns me is that they would go into a factory and spoil the security at the point of origination."

The NSA did not immediately respond to requests for comment.

Gemalto said in a statement that it takes the matter "very seriously and will devote all resources necessary to fully investigate" the allegations.

It added that the intended target was "not Gemalto, per se—it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible."

Unanswered questions

Yet the report leaves many questions unanswered, and some experts were cautious about jumping to conclusions about the documents.

"One of the reasons I'm skeptical is that different governments have been using other methods to grab communications and wireless data which are unsecured to begin with," said Darren Hayes, director of cybersecurity at Pace University's School of Computer Science and Information Systems.

"I'm not sure that the US or UK governments would use hackers in the same way that the Chinese or Russians are doing."

Schneier said more information is needed to know exactly what the encryption keys would provide, but says it is likely that they would allow access to the phone communications rather than the data transfer, so SMS or voice messages might be accessed but not Skype or other Internet-based services.

"I think the company should do what Sony did (after being hacked)—hire a forensics team," Schneier said.

"We need details on how this was done and what can be done to remedy it."

Greg Nojeim, a lawyer for the Center for Democracy & Technology, a digital rights organization, said the revelation suggests privacy of people around the world is at risk.

"Almost everyone in the world carries cell phones and this is an unprecedented mass attack on the privacy of citizens worldwide," Nojeim said.

"While there is certainly value in targeted surveillance of cell phone communications, this coordinated subversion of the trusted technical security infrastructure of cell phones means the US and British governments now have easy access to our mobile communications."

John Pirc, co-founder of the Virginia-based security firm Bricata, said the report is "plausible" and, if true, could undermine confidence in mobile communications.

"If someone had access to the SIM card and put malware on it, that means anyone can get in," Pirc said.

He added that the revelations could end up hurting manufacturers or carriers if they fail to take steps to correct any security weaknesses.

"If this turns out to be true, every consumer should ask for a new SIM card," Pirc said.

Explore further: Rights groups call for action over reported US-UK phone hack

Related Stories

Dutch SIM card maker investigating reported UK-US hack

February 20, 2015

A Dutch company that makes SIM cards for cellular phones says it is investigating reports that it was hacked by Britain's electronic spying agency in cooperation with the U.S. National Security Agency.

NSA has 'industrial scale' malware for spying

March 12, 2014

The National Security Agency has developed malware that allows it to collect data automatically from millions of computers worldwide, a report based on leaked documents showed Wednesday.

NSA eyes encryption-breaking 'quantum' machine

January 3, 2014

The US National Security Agency is making strides toward building a "quantum computer" that could break nearly any kind of encryption, The Washington Post reported Thursday.

US spy agency patents car seat for kids

July 30, 2014

Electronic eavesdropping is the National Security Agency's forte, but it seems it also has a special interest in children's car seats, Foreign Policy magazine reported Wednesday.

Recommended for you

Privacy becomes a selling point at tech show

January 7, 2019

Apple is not among the exhibitors at the 2019 Consumer Electronics Show, but that didn't prevent the iPhone maker from sending a message to attendees on a large billboard.

China's Huawei unveils chip for global big data market

January 7, 2019

Huawei Technologies Ltd. showed off a new processor chip for data centers and cloud computing Monday, expanding into new and growing markets despite Western warnings the company might be a security risk.

1 comment

Adjust slider to filter visible comments by rank

Display comments: newest first

not rated yet Feb 21, 2015
"If this turns out to be true, every consumer should ask for a new SIM card," Pirc said.

Who will pay the bill of these new SIMs? And how can we know that the new ones are any more secure? I think we should wait until manufacturers get their security fixed, then it may be worth the trouble.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.