[cryptography] OT: THE GREAT SIM HEIST

Jeffrey Walton noloader at gmail.com
Thu Feb 19 15:50:36 EST 2015


AMERICAN AND BRITISH spies hacked into the internal computer network
of the largest manufacturer of SIM cards in the world, stealing
encryption keys used to protect the privacy of cellphone
communications across the globe, according to top-secret documents
provided to The Intercept by National Security Agency whistleblower
Edward Snowden.

The hack was perpetrated by a joint unit consisting of operatives from
the NSA and its British counterpart Government Communications
Headquarters, or GCHQ. The breach, detailed in a secret 2010
GCHQdocument, gave the surveillance agencies the potential to secretly
monitor a large portion of the world’s cellular communications,
including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a
multinational firm incorporated in the Netherlands that makes the
chips used in mobile phones and next-generation credit cards. Among
its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless
network providers around the world. The company operates in 85
countries and has more than 40 manufacturing facilities. One of its
three global headquarters is in Austin, Texas and it has a large
factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is
“Security to be Free.”

With these stolen encryption keys, intelligence agencies can monitor
mobile communications without seeking or receiving approval from
telecom companies and foreign governments. Possessing the keys also
sidesteps the need to get a warrant or a wiretap, while leaving no
trace on the wireless provider’s network that the communications were
intercepted. Bulk key theft additionally enables the intelligence
agencies to unlock any previously encrypted communications they had
already intercepted, but did not yet have the ability to decrypt.

As part of the covert operations against Gemalto, spies from GCHQ —
with support from the NSA — mined the private communications of
unwitting engineers and other company employees in multiple countries.

Gemalto was totally oblivious to the penetration of its systems — and
the spying on its employees. “I’m disturbed, quite concerned that this
has happened,” Paul Beverly, a Gemalto executive vice president, told
The Intercept. “The most important thing for me is to understand
exactly how this was done, so we can take every measure to ensure that
it doesn’t happen again, and also to make sure that there’s no impact
on the telecom operators that we have served in a very trusted manner
for many years. What I want to understand is what sort of
ramifications it has, or could have, on any of our customers.” He
added that “the most important thing for us now is to understand the
degree” of the breach.

Leading privacy advocates and security experts say that the theft of
encryption keys from major wireless network providers is tantamount to
a thief obtaining the master ring of a building superintendent who
holds the keys to every apartment. “Once you have the keys, decrypting
traffic is trivial,” says Christopher Soghoian, the principal
technologist for the American Civil Liberties Union. “The news of this
key theft will send a shock wave through the security community.”

More information about the cryptography mailing list