New reporting by The Intercept, based on documents leaked by whistleblower, reveals how spy agencies hacked world’s largest SIM card manufacturer
Explosive new reporting by The Intercept published Thursday, based on documents obtained by NSA whistleblower Edward Snowden, reveals how the U.S. spy agency and their British counterpart, the GCHQ, worked together in order to hack into the computer systems of the world’s largest manufacturer of cell phone SIM cards – giving government spies access to highly-guarded encryption codes and unparalleled abilities to monitor the global communications of those with phones using the cards.
Following its publication, journalist Glenn Greenwald called it “one of the biggest Snowden stories yet.”
According to fellow journalists Jeremy Scahill and Josh Begley, who did the reporting on the top-secret documents and detail the implications of the program, the target of the government hacking operation was a company called Gemalto, based in the Netherlands, which makes SIM cards for some of the best known makers of cell phones and other portable electronic products, including AT&T, T-Mobile, Sprint, and hundreds of other global brands. The acronym SIM stands for “subscriber identity module” and is a small intergrated circuit within a phone that is used to authenticate users and relay key information to the network on which the phone is operating.
As Scahill and Begley report:
With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.
As part of the covert operations against Gemalto, spies from GCHQ — with support from the NSA — mined the private communications of unwitting engineers and other company employees in multiple countries.
For its part, Gemalto told The Intercept it was totally unaware of the security breach or that the encryption keys to any of its cards had been compromised. In fact, after being reached for comment on the operation, Gemalto directed its own security team to investigate the situation, but told the journalists they could find no trace of the hack. However, according to the top-secret document detailing the program leaked by Snowden, an operative with the NSA boasted, “[We] believe we have their entire network.”
Technology experts who spoke with Scahill and Begley said the theft of the encryption keys was highly troubling. Christopher Soghoian, the principal technologist for the American Civil Liberties Union, said the idea that the NSA has stolen these encryption keys “will send a shock wave through the security community.”
Told about the program, Gerard Schouw, a member of the Dutch Parliament, said the revelation was “unbelievable.” And repeated: “Unbelievable.”
According to The Intercept:
Last November, the Dutch government amended its constitution to include explicit protection for the privacy of digital communications, including those made on mobile devices. “We have, in the Netherlands, a law on the [activities] of secret services. And hacking is not allowed,” he said. Under Dutch law, the interior minister would have to sign off on such operations by foreign governments’ intelligence agencies. “I don’t believe that he has given his permission for these kind of actions.”
The U.S. and British intelligence agencies pulled off the encryption key heist in great stealth, giving them the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted. “Gaining access to a database of keys is pretty much game over for cellular encryption,” says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is “bad news for phone security. Really bad news.”
via Common Dreams