Wiesbaden, February 20th, 2015 – Yesterday, The Intercept, the publication run by Edward Snowden’s closest collaborators, published a report describing how NSA and GCHQ hacked into the internal computer network of Gemalto, the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect cell phone communications across the globe.
Alexei Balaganski, Senior Analyst at KuppingerCole, just published a blog post regarding this “Great SIM Heist”. The Intercept has revealed that back in 2010, American and British intelligence agencies were able to carry out a massive-scale breach of mobile phone encryption in a joint operation targeting telecommunication companies and SIM card manufacturers. They managed to penetrate the network of Gemalto, the world’s largest manufacturer, which ships over 2 billion SIM cards yearly. Apparently, they did not just resort to hacking, but also ran a global surveillance operation on Gemalto employees and partners. In the end, they managed to obtain copies of the secret keys embedded into SIM cards that enable mobile phone identification in providers’ networks, as well as encryption of phone calls. Having these keys, NSA and GCHQ are in theory able to easily intercept and decrypt any call made from a mobile phone, as well as impersonate any mobile device with a copy of its SIM card. As opposed to previously known surveillance methods (like setting up a fake cell tower), this method is completely passive and undetectable. By exploiting deficiencies of GSM encryption protocols, they are also able to decrypt any previously recorded call, even from years ago.
Since Gemalto does not just produce SIM cards, but also various other kinds of security chips, there is a substantial chance that these could have been compromised as well. Both Gemalto and its competitors, as well as other companies working in the industry, are now fervently conducting internal investigations to determine the extent of the breach. It is worth noting that, according to Gemalto’s officials, they did not notice any indications of the breach back then.
Balaganski mentions that first and foremost, everyone should understand that in the ongoing fight against information security threats everyone is basically on their own. Western governments, which supposedly should be protecting their citizens against international crime, are revealed to be conducting the same activities on a larger and more sophisticated scale. Until now, all attempts to limit the intelligence agencies’ powers have been largely unsuccessful. The governments even go as far as to lie outright about the extent of their surveillance operations to protect them.
KuppingerCole’s advice is therefore the following: “The only solutions we can still more or less count on are complete end-to-end encryption systems where the whole information chain is controlled by users themselves, including secure management of encryption keys. Breaking a reasonably strong encryption key is still much more difficult than stealing it.” For other communication channels, companies should significantly reconsider their risk policies.
The whole blog post, as well as blogs from other KuppingerCole analysts, can be found at blogs.kuppingercole.com. Journalists are kindly requested to send us specimen copies of any published articles or links to online publications referring to our articles.