Even almost two years after Edward Snowden made off with a cache of secret NSA documents, the gradual, ongoing publication of these materials, complemented by independent research from information security experts, has provided a unique insight into the extent of the global surveillance programs run by the US intelligence agencies and their partners in various European countries. Carefully timed, these publications have made for exciting and at the same time deeply disturbing reading for both IT experts and the general public.
Recently, it looked as if the trickle of news regarding our friends at the NSA had almost dried up, but apparently this was just the "calm before the storm". First, just a few days ago, Kaspersky Lab published an extensive report on the "Equation group", a seemingly omnipotent international group of hackers active for over a decade and known to use extremely sophisticated hacking tools, including the ability to infect hard drive firmware. Technical details of these tools reveal many similarities with Stuxnet and Flame, both now known to have been developed in collaboration with the NSA. It was later confirmed by a former NSA employee that the agency indeed possesses and widely uses this technology for collecting intelligence.
And even before the IT security community was able to catch its collective breath, The Intercept, the publication run by Edward Snowden's closest collaborators, unveiled an even bigger surprise. Apparently, back in 2010, American and British intelligence agencies carried out a large-scale breach of mobile phone encryption in a joint operation targeting telecommunication companies and SIM card manufacturers.
If we are to believe the report, they managed to penetrate the network of Gemalto, the world's largest SIM manufacturer, which ships over 2 billion SIM cards yearly. Apparently, they not only resorted to hacking, but also ran a global surveillance operation against Gemalto employees and partners. In the end, they obtained copies of the secret keys embedded in SIM cards, the keys that both identify a mobile phone to the provider's network and encrypt its phone calls. Holding these keys, the NSA and GCHQ are, in theory, able to intercept and decrypt any call made from a mobile phone, as well as impersonate any mobile device whose SIM key they have copied. As opposed to previously known surveillance methods (such as setting up a fake cell tower), this method is completely passive and undetectable. Because GSM derives each call's session key from the SIM key and a challenge sent in the clear, they are also able to decrypt any previously recorded call, even one from years ago.
Since Gemalto doesn’t just produce SIM cards, but various other kinds of security chips, there is a substantial chance that these could have been compromised as well. Both Gemalto and its competitors, as well as other companies working in the industry, are now fervently conducting internal investigations to determine the extent of the breach. It’s worth noting that according to Gemalto’s officials, they hadn’t noticed any indications of the breach back then.
A side note: this is one more demonstration that even security professionals need better security tools to stay ahead of intruders.
Now, what lesson should security experts, as well as ordinary people, learn from this? First and foremost, everyone should understand that in the ongoing fight against information security threats, everyone is basically on their own. Western governments, which supposedly should be protecting their citizens against international crime, are revealed to be conducting the same activities on a larger and more sophisticated scale (after all, intelligence agencies have much bigger budgets and legal protection). Until now, all attempts to limit the intelligence agencies' powers have been largely unsuccessful. The governments even go as far as lying outright about the extent of their surveillance operations in order to protect them.
Another, more practical consideration is that the only solutions we can still more or less count on are complete end-to-end encryption systems in which the whole information chain is controlled by the users themselves, including secure management of the encryption keys. Until practical quantum computers become available, breaking a reasonably strong encryption key remains far harder than stealing it. For any other communication channel, you should seriously reassess your risk assumptions.
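To make the two points above concrete (why a copied SIM key exposes every call, past and future, and why user-controlled end-to-end schemes behave differently), here is an added illustration that is not part of the original post and not Gemalto's or any operator's code. It models the GSM arrangement in miniature: a long-term SIM secret Ki, a challenge RAND sent in the clear, and a session key Kc derived from both. The A3/A8 stand-ins are HMAC truncations and the "A5" stand-in is a hash-based XOR stream; these are assumptions for illustration only, chosen because they share the property that matters, namely that Kc is a deterministic function of Ki and RAND alone. The contrasting half uses a toy Diffie-Hellman group (far too small for real use) where the long-term key only authenticates ephemeral values and never enters the session-key derivation.

```python
import hashlib
import hmac
import os
import secrets

# ---- GSM-style model: long-term SIM secret Ki, public challenge RAND -------
# A3/A8 stand-ins (assumption: HMAC-SHA256 truncated to GSM's sizes, 32-bit
# SRES and 64-bit Kc). The real algorithms differ, but like these they map
# (Ki, RAND) deterministically to (SRES, Kc).

def sim_auth(ki: bytes, rand: bytes):
    sres = hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]
    kc = hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]
    return sres, kc

def keystream(kc: bytes, length: int) -> bytes:
    """Toy stream cipher keyed with Kc (stand-in for the A5 family)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(kc + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(kc: bytes, data: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(data, keystream(kc, len(data))))

decrypt = encrypt  # XOR stream: the same operation in both directions

def record_call(ki: bytes, plaintext: bytes):
    """Network side of one call. Returns only what is visible over the air:
    the RAND (sent in the clear) and the ciphertext."""
    rand = os.urandom(16)
    _sres, kc = sim_auth(ki, rand)
    return rand, encrypt(kc, plaintext)

def passive_decrypt(copied_ki: bytes, rand: bytes, ciphertext: bytes) -> bytes:
    """Anyone holding a copy of Ki recomputes Kc from the sniffed RAND without
    transmitting anything. A recording made years before Ki leaked decrypts
    just the same, because nothing in the derivation changes over time."""
    _sres, kc = sim_auth(copied_ki, rand)
    return decrypt(kc, ciphertext)

# ---- Contrast: ephemeral key agreement authenticated by a long-term key ----
# Toy DH group (assumption: 2^127 - 1 is prime, but this size is for
# illustration only and would be trivially breakable in practice).
P = 2**127 - 1
G = 5

def _tag(long_term_key: bytes, value: int) -> bytes:
    return hmac.new(long_term_key, value.to_bytes(16, "big"), hashlib.sha256).digest()

def dh_session(long_term_key: bytes, transcript: list):
    """Both parties pick fresh exponents; the long-term key only signs the
    public values. Everything an eavesdropper could see goes to `transcript`.
    Returns the two parties' derived keys so a caller can check they agree."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    ga, gb = pow(G, a, P), pow(G, b, P)
    tag_a, tag_b = _tag(long_term_key, ga), _tag(long_term_key, gb)
    transcript.extend([ga, tag_a, gb, tag_b])
    # Each side verifies the peer's tag before using the value.
    if not (hmac.compare_digest(tag_b, _tag(long_term_key, gb))
            and hmac.compare_digest(tag_a, _tag(long_term_key, ga))):
        raise ValueError("authentication failed")
    # The session key comes from g^ab; the exponents a and b never leave
    # their owners and are not derivable from the long-term key.
    key_a = hashlib.sha256(pow(gb, a, P).to_bytes(16, "big")).digest()
    key_b = hashlib.sha256(pow(ga, b, P).to_bytes(16, "big")).digest()
    return key_a, key_b

def observer_view(long_term_key: bytes, transcript: list) -> bool:
    """What a copy of the long-term key buys an observer of the transcript:
    it can confirm the exchange was authentic (tags verify), but the session
    key is a function of secrets (a, b) that appear nowhere in the transcript."""
    ga, tag_a, gb, tag_b = transcript
    return (hmac.compare_digest(tag_a, _tag(long_term_key, ga))
            and hmac.compare_digest(tag_b, _tag(long_term_key, gb)))

if __name__ == "__main__":
    ki = bytes(range(16))                      # constructed sample SIM key
    rand, ct = record_call(ki, b"call audio, recorded long ago")
    print(passive_decrypt(ki, rand, ct))       # readable with the copied Ki
    seen = []
    ka, kb = dh_session(b"long-term-auth-key", seen)
    print(ka == kb, observer_view(b"long-term-auth-key", seen))
```

The asymmetry is the whole point of the post's last paragraph: in the GSM model a single long-term secret is both the identity and the source of every session key, so copying it once is equivalent to breaking every call it ever protected, while a design that derives each session key from fresh, user-held secrets limits what any stolen long-term key can expose.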