The US’s National Security Agency (NSA) and its British counterpart the Government Communications Headquarters (GCHQ) worked together to hack Gemalto, the world’s largest producer of the SIM cards used in mobile phones and credit cards. The Netherlands-based company works with AT&T, T-Mobile, Verizon, Sprint and 450 other providers around the world, producing two billion SIM cards per year.
Documents leaked to The Intercept by whistle-blower Edward Snowden contain information from the 2010 theft of three months of encryption data, during which NSA and GCHQ’s joint operation, titled the Mobile Handset Exploitation Team, collected millions of encryption codes.
The codes, called keys, allowed the intelligence agencies to intercept communications and decrypt information from cellular devices without detection. Intelligence agencies such as GCHQ and NSA often harvest vast quantities of digital information, but phones using 3G or 4G feature encryption, or concealment, of data. Formerly, it was believed that in decrypting that data intelligence agencies would leave a digital trace detectable by counter-intelligence operations.
The stolen keys allow virtually untraceable surveillance. An NSA document from 2009 says the organization was able to collect 12 to 22 million keys per second that year. Six years later, The Intercept says the possibilities are “staggering”.
To collect the keys, GCHQ and NSA staff began by hacking the emails and Facebook accounts of Gemalto employees to search for weaknesses. They targeted employees with close access to encryption keys, and exploited the information of individual employees to breach the Gemalto networks and steal the codes in bulk.
The encryption keys on SIM cards are particularly vulnerable because they never change – a single key can yield years’ worth of protected information. Websites such as Google and Twitter often use a more secure system, called Perfect Forward Secrecy (PFS), that frequently changes the keys.
Resolving the SIM-card vulnerabilities revealed by the leak would cost billions of dollars and several years’ work by mobile phone technologists, The Intercept reports.
The NSA and GCHQ have not responded to specific questions from The Intercept. GCHQ said that: “[The] UK’s interception regime is entirely compatible with the European Convention on Human Rights.” It is not immediately clear whether the agencies are still gathering data.
Gemalto’s largest market is the US, with 15 percent of its business taking place there. The US government gave Gemalto a US$175 million contract in 2012 to produce chips for electronic passports.
Following the revelation that the US had been spying on German Chancellor Angela Merkel in October 2013, President Obama said, “The bottom line is that people around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don’t threaten our national security and that we take their privacy concerns into account in our policies and procedures.”
The Intercept is a publication created to report on the information leaked by Snowden, a former NSA employee, and to “produce fearless, adversarial journalism”, according to its website.
The Intercept urged readers to take security matters into their own hands, and not “[assume] that the phone companies will provide us with a secure method of making calls or exchanging text messages”. It recommends the use of applications that secure and encrypt texts or phone calls, such as TextSecure, Silent Text and RedPhone.