Online news publication The Intercept reported on Thursday that American and British spies hacked into the internal network of security firm Gemalto and stole encryption keys used to protect the privacy of cellular communications around the world.
The Intercept is not merely speculating. The online magazine said it has top-secret documents that Edward Snowden, the infamous National Security Agency (NSA) whistleblower, handed to its staff. If the report is true, this could mean an end to cellular privacy -- at least unless the SIM cards are replaced.
“With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments,” according to The Intercept. “Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.”
Gemalto responded to the report that a joint unit of operatives from the British GCHQ (Government Communications Headquarters) and the NSA hacked the SIM card encryption keys it engraved. Gemalto stressed that it was not the target, per se. The company said it was an attempt to cast the widest net possible, to reach as many mobile phones as possible, to monitor mobile communications without the consent of mobile network operators and users.
“We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation,” the company said in a statement. “Gemalto, the world leader in digital security, is especially vigilant against malicious hackers, and has detected, logged and mitigated many types of attempts over the years. At present we cannot prove a link between those past attempts and what was reported yesterday.”
Gemalto assured customers it is taking The Intercept report “very seriously” and vowed to devote the necessary resources to fully investigate and understand the scope of these types of sophisticated techniques.
“There have been many reported state sponsored attacks as of late, that all have gained attention both in the media and amongst businesses, this truly emphasizes how serious cyber security is in this day and age,” the firm concluded.
Three Potential Outcomes
We caught up with Craig Young, security researcher at advanced threat protection firm Tripwire, to get his thoughts on the potential fiasco. He told us knowledge of security keys used in SIM cards can have wide-reaching consequences.
“SIM cards are like little computers with the ability to run applications at a lower level than the phone’s operating system, like Android or iOS,” Young said. “After a SIM manufacturer is hacked, there are three potential outcomes for the stolen information.”
The first outcome is that the information can be used to decrypt protected phone communication. Young said it could also be used to deploy malicious Java applets to targeted SIM cards through special SMS messages or signals from fake cell towers. “Third, it opens up new techniques for sophisticated man-in-the-middle attacks against cellular data connections authenticated by the compromised SIM cards,” he said.