Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Gemalto investigates claims that gov’t spies hacked SIM card encryption keys

SIM card maker Gemalto has responded to claims made in recent Snowden leaks that government spies hacked encryption keys it used to protect cell phone communications.

In a Friday statement, Gemalto, which has headquarters in Austin, Texas as well as in France and Singapore, said it will “devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques” outlined in a Thursday article published in The Intercept.

Gemalto, the largest SIM card maker in the world, makes 2 billion SIM cards each year, which are then used in mobile devices distributed by major providers like Verizon, AT&T and Sprint.

The company was reportedly hacked in 2010 and 2011 by a operatives working for the National Security Agency (NSA) and its British equivalent GCHQ, leaks revealed. By utilizing intelligence from NSA's X-KEYSCORE program (which obtained emails hosted by SIM card, mobile firm and tech company servers), GCHQ operatives “cyberstalked Gemalto employees, scouring their emails in an effort to find people who may have had access to the company's core networks and Ki-generating [or encryption key-generating] systems,” The Intercept article said.

UK spies apparently targeted employees of other telecom companies and SIM card makers, in order to steal as many encryption keys for SIM cards as possible while they were “in transit between mobile network operators and SIM card personalization centres,” a leaked document from April 2010 revealed.

With the encryption keys, government spies could gain direct access to the cell phone communications of a large segment of the globe, specifically by unlocking protected SMS and phone calls without having to go through mobile service providers or foreign governments.

Tech companies have increasingly challenged secret government requests for consumers' communications, through legal provisions such as national security letters (NSLs).

On Tuesday, a group of major media organizations, including The Washington Post, National Public Radio (NPR), and BuzzFeed, as well as an internet company and mobile service provider (which were forced to remain anonymous) filed court documents in support of Twitter, which is fighting the U.S. government's use of NSLs to request customer data, while simultaneously invoking gag orders to keep companies from disclosing their demands.

The latest revelations that GCHQ and NSA allegedly targeted Gemalto show that government operatives may have found a way to avoid leaving any indications of their mass surveillance efforts, including through data requests backed by court orders.

In its statement, Gemalto referenced the wider implications of the claims that intelligence agencies had embarked upon a mission to access countless voice and data records by targeting technology manufacturers.

“The publication indicates the target was not Gemalto per se - it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible, with the aim to monitor mobile communications without mobile network operators and users consent,” the company said. “We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation."

In Friday email correspondence with SCMagazine.com, Jeremy Linden, senior security product manager at mobile security firm Lookout, explained how a party with stolen SIM encryption keys could use them to snoop on users' communications.

“If a party has accessed SIM encryption keys, they would be able to effectively decrypt text messages and actually open phone calls to listen-in on audio in real time,” Linden wrote. “Mobile data can also be intercepted, though sensitive network traffic should be protected by higher-level cryptographic protocols such as TLS. Most implementations of these protocols should not be directly affected by a SIM with compromised keys.”

He added that VoIP calling and text services could be used as a additional security step to avoid relying on SIM's encryption to protect communications.

“However, [for] better protection, you'd want to ensure this product is using end-to-end encryption. It's a slightly more cumbersome option, but you could set up an always-on VPN. Of course, this option would not help you protect your phone calls,” Linden added.

On Friday, Greg Nojeim, senior counsel for the Center for Democracy and Technology (CDT), issued a statement on the SIM card hacking incident, saying that “one of the few restraints on invasive government surveillance is the secure technical infrastructure of communications networks.”  

“This highlights the need for a global response to the threats of government surveillance,”  he added later. “We knew the NSA and GCHQ worked together closely, but the scale of their collaboration and the reach of their tentacles into everyone's communications is unnerving,” Nojeim said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.