Edward Snowden: US, British spies hacked cell phone SIM card encryption keys
The US National Security Agency (NSA) and Great Britain’s Government Communications Headquarters (GCHQ) hacked into the world's largest SIM card manufacturer, stealing encryption information, according to documents released by whistle-blower Edward Snowden and reported by The Intercept Thursday.
This gave the agencies the ability to secretly monitor a large portion of the world’s cellular communications, including both voice and data, according to The Intercept report.
“With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments,” the report asserts. “Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.”
Gemalto, the Netherlands-based company allegedly targeted, produces some 2 billion SIM (subscriber identity module) cards a year used in mobile phones and next-generation credit cards.
Among its clients are AT&T, T-Mobile, Verizon, Sprint, and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas, and it has a large factory in Pennsylvania, according to The Intercept report.
“As part of the covert operations against Gemalto, spies from GCHQ – with support from the NSA – mined the private communications of unwitting engineers and other company employees in multiple countries,” the report states.
The full impact of this latest revelation about the NSA may never be known. But if Snowden’s latest claim as reported by The Intercept is true, it raises questions about the security of cell phone voice and data communications around the world.
“The breach is disastrous for mobile security, which has historically already been on shaky ground,” writes T.C. Sottek, senior news editor at The Verge, a technology news and media network.
“Once you have the keys, decrypting traffic is trivial,” Christopher Soghoian, principal technologist for the American Civil Liberties Union, told The Intercept. “The news of this key theft will send a shock wave through the security community.”
Officials at Gemalto say they knew nothing about the security breach until the company was contacted by The Intercept. After ordering its security team to look for signs of a breach on Wednesday, it found none, company officials told
“I’m disturbed, quite concerned that this has happened,” said Paul Beverly, an executive vice president at Gemalto. “What I want to understand is what sort of ramifications it has, or could have, on any of our customers.”
In a major speech on NSA data collection programs in January 2014, President Obama talked about the balance between national security and privacy rights. His mention of Edward Snowden was brief.
“I’m not going to dwell on Mr. Snowden’s actions or his motivations,” he said. “I will say that our nation’s defense depends in part on the fidelity of those entrusted with our nation’s secrets. If any individual who objects to government policy can take it into their own hands to publicly disclose classified information, then we will not be able to keep our people safe, or conduct foreign policy. Moreover, the sensational way in which these disclosures have come out has often shed more heat than light, while revealing methods to our adversaries that could impact our operations in ways that we may not fully understand for years to come.”
This latest revelation comes on the heels of a new report by Russian research firm Kaspersky Lab, which says the US has found a way to hide spyware in almost any hard drive built by the world’s top computer manufacturers.
Five hundred infections in more than 30 countries have been documented by the Moscow-based lab, with the highest levels of infection reported in Iran, Russia, Pakistan, and Afghanistan, the Monitor’s Jessica Mendoza reported this week. Manufacturers Western Digital Technologies, Samsung Electronics, and Seagate Technology are among the top brand names affected worldwide.