A new report by The Intercept details a heist by US and UK spies that has given intelligence agencies the ability to break through the privacy of smartphone communications. The report claims that the NSA and GCHQ successfully hacked the network of Gemalto, a major manufacturer of SIM cards, and obtained the secret encryption keys burned into those cards, the keys that protect calls and data passing between a phone and the cellular network. In short, it is a massive security breach that means your phone could be vulnerable to the whims of the world's most powerful spy agencies.
We still don't know how many people may be affected, but it's safe to say that the number could be significant; all four major US carriers are customers of Gemalto, and The Intercept reports that the company produces around 2 billion SIM cards each year. We have asked the big carriers — AT&T, Verizon, T-Mobile, and Sprint — to comment on the story. Gemalto says it cannot verify the findings and had no prior knowledge that the agencies were conducting the operation. It is currently investigating the claims.
The breach is disastrous for mobile security, which has long been on shaky ground. "Gaining access to a database of keys is pretty much game over for cellular encryption," cryptography specialist Matthew Green told The Intercept.
Today's report potentially fills some gaps in what we know about how the NSA collects data over the internet. The agency has two main sources of data: "downstream" collection, which involves explicit requests to technology companies for user data, and "upstream" collection, which pulls data directly from the cables and airwaves that carry internet and phone traffic. The NSA is sophisticated in both methods, but one big outstanding question has been just how effective the agency's upstream collection is against encrypted traffic. It's simply too expensive to decrypt massive amounts of data by brute force — but it's a different story if you possess the encryption keys for, say, a secure email service. Or billions of mobile SIM cards: with a SIM's key in hand, traffic that was captured over the air can be decrypted after the fact, with no cooperation from the carrier.
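To make Green's "game over" concrete, here is an added toy model of SIM-based key agreement and eavesdropping. It is illustration written for this article, not code from The Intercept, Gemalto, or any carrier: real GSM uses the A3/A8 algorithms on the SIM and the A5 stream ciphers over the air, and here HMAC-SHA256 stands in for all of them. The subscriber identifiers (IMSIs), the key values in `CARRIER_KEY_DB`, and the call frames are all constructed for the example. The point it shows is that the network's challenge (RAND) and the phone's response (SRES) cross the air in the clear, so a listener who has the long-term key Ki can rederive the session key Kc from a recording; a listener who does not can only guess Ki one candidate at a time.

```python
"""Toy model of cellular SIM authentication and why a leaked key database
lets a purely passive eavesdropper decrypt recorded traffic.

Added illustration, not code from The Intercept, Gemalto or any carrier.
HMAC-SHA256 stands in for GSM's A3/A8 (SRES/Kc derivation) and A5 (the
over-the-air stream cipher). All identifiers, keys and frames are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed subscriber records, i.e. the carrier's copy of each SIM's Ki.
# Ki is a 128-bit secret that is supposed to exist only on the SIM and in the
# carrier's authentication centre. This dictionary is what was allegedly stolen.
CARRIER_KEY_DB: Dict[str, bytes] = {
    "310150123456789": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "310150987654321": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


def derive_sres_kc(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for A3/A8: a 32-bit response SRES and a 64-bit session key Kc,
    both derived from the long-term key Ki and the network's challenge RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def keystream(kc: bytes, frame_no: int, length: int) -> bytes:
    """Stand-in for A5: a per-frame keystream derived from Kc and the frame number."""
    out = b""
    counter = 0
    while len(out) < length:
        block = frame_no.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hmac.new(kc, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_frame(kc: bytes, frame_no: int, data: bytes) -> bytes:
    """Stream-cipher encrypt or decrypt one frame (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(kc, frame_no, len(data))))


def run_call(imsi: str, sim_ki: bytes, frames: List[bytes],
             rand: Optional[bytes] = None) -> dict:
    """Simulate one authentication plus an encrypted call, and return exactly
    what a passive radio listener observes: IMSI, RAND, SRES and ciphertext.
    The SIM side uses sim_ki; the network side looks Ki up in CARRIER_KEY_DB."""
    if rand is None:
        rand = os.urandom(16)                       # network -> phone, in the clear
    sres_sim, kc_sim = derive_sres_kc(sim_ki, rand)             # computed on the SIM
    sres_net, _ = derive_sres_kc(CARRIER_KEY_DB[imsi], rand)     # computed at the carrier
    if not hmac.compare_digest(sres_sim, sres_net):
        raise ValueError("authentication failed")
    # phone -> network: SRES in the clear. Kc itself is never transmitted.
    ciphertext = [xor_frame(kc_sim, i, f) for i, f in enumerate(frames)]
    return {"imsi": imsi, "rand": rand, "sres": sres_sim, "frames": ciphertext}


def candidate_ki_matches(capture: dict, candidate_ki: bytes) -> bool:
    """What a listener can do WITHOUT the database: check one guessed Ki against
    the observed RAND/SRES pair. Correct, but Ki is 128 bits, so 2**128 guesses deep."""
    sres, _ = derive_sres_kc(candidate_ki, capture["rand"])
    return hmac.compare_digest(sres, capture["sres"])


def decrypt_capture(capture: dict, stolen_db: Dict[str, bytes]) -> Optional[List[bytes]]:
    """What a listener can do WITH a stolen key database: look Ki up by IMSI,
    rederive Kc from the cleartext RAND, and decrypt every recorded frame."""
    ki = stolen_db.get(capture["imsi"])
    if ki is None or not candidate_ki_matches(capture, ki):
        return None                                 # no key, or a key that does not fit
    _, kc = derive_sres_kc(ki, capture["rand"])
    return [xor_frame(kc, i, c) for i, c in enumerate(capture["frames"])]


if __name__ == "__main__":
    imsi = "310150123456789"
    call = run_call(imsi, CARRIER_KEY_DB[imsi], [b"hello", b"meet at 9"])
    print("recording only:   ", decrypt_capture(call, {}))
    print("with stolen keys: ", decrypt_capture(call, CARRIER_KEY_DB))
```

Note that `decrypt_capture` never talks to the carrier or the phone; it works from the recording alone, which is why a key database turns yesterday's bulk radio captures into plaintext. Real deployments differ in detail (3G/4G Milenage, longer keys on some networks), but the structure, a cleartext challenge and a session key derived from a long-term SIM secret, is the same.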
So how did spies get their hands on the goods? As The Intercept describes it, it was a real caper. The report describes how GCHQ spies targeted individual employees at major telecom corporations and SIM card manufacturers, accessing their email and Facebook accounts. "In effect, GCHQ clandestinely cyberstalked Gemalto employees," The Intercept writes — scooping up whatever breadcrumbs they could find that would lead them back to Gemalto's systems. In one instance, the report claims, GCHQ singled out a Gemalto employee in Thailand as a target simply because he was using PGP to encrypt files. But it also appears that some of the companies involved in SIM production didn't take strong measures to protect sensitive data; the report says that "many" SIM card manufacturers transmitted keys to carriers with weak or no encryption, which made the keys easy to scoop up in transit.
The attempt to break into a major corporation to steal private encryption keys that protect millions of people around the world is certainly brazen, but it's not surprising behavior. Part of what we've learned in the past two years is that the NSA and its allies go to great lengths to collect data, to break or interfere with security on the internet, and to embarrass their adversaries.
The SIM heist is the latest revelation to come from the efforts of Edward Snowden. Snowden, a former NSA contractor, started a worldwide conversation about boundless government surveillance when he leaked a trove of top secret files to journalists in 2013. The first of the stories that resulted from the leak came on June 5th, 2013, when The Guardian reported that the NSA had been collecting the phone records of millions of Verizon customers on a daily basis. Since then, the public has learned about dozens of surveillance programs and secret plots that critics say have undermined the security and privacy of the internet for everyone who uses it.
Update Feb 20th, 10:16 am: Article updated with statement from Gemalto.