Enterprise Mobility Management / BYOD , Fraud Management & Cybercrime , Governance & Risk Management

Report: Spies Stole SIM Encryption Keys

Snowden-Leaked Documents: SIM Card Maker Gemalto Hacked
Report: Spies Stole SIM Encryption Keys

A British-American intelligence team hacked into Gemalto, the world's largest maker of SIM cards, resulting in the theft of numerous encryption keys for the cards designed to ensure the security and privacy of cellular phone calls worldwide, according to a news report citing leaked documents.

See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries

A joint unit, involving employees of the U.S. National Security Agency and U.K. Government Communications Headquarters, executed the hack attacks between 2010 and 2011, investigatory news site The Intercept reports, citing GCHQ documents leaked by former NSA contractor Edward Snowden.

Gemalto, based in Amsterdam, manufactures about 2 billion SIM cards per year, which are used by 450 wireless network providers around the world, the report says. According to Gemalto, its customers include the three largest U.S. carriers: Verizon, AT&T and Sprint.

"Gemalto: Successfully implanted several machines and believe we have their entire network - TDSD are working the data," reads an alleged GCHQ document published by The Intercept. "Implant" apparently is short for "malware implants," which is an NSA/GCHQ term for a Trojan horse, while "TDSD" likely refers to an intelligence team.

Christopher Soghoian, the principal technologist for the American Civil Liberties Union, likens the theft of encryption keys for SIM cards to a thief stealing a lock's master key. "Once you have the keys, decrypting traffic is trivial," he tells The Intercept. "The news of this key theft will send a shock wave through the security community."

Gemalto responded to the report in a statement posted to its website, saying that the leaks show that the hack attacks were meant to give intelligence agencies the ability to more easily decrypt intercepted cellular communications for anyone those agencies might be targeting.

"The publication indicates the target was not Gemalto per se - it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible, with the aim to monitor mobile communications without mobile network operators and users' consent," Gemalto says. "We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation."

The SIM manufacturer says it launched a related digital forensics investigation on Feb. 18, after first learning of the attacks via The Intercept, again emphasizing that, to date, it has found no evidence of a related intrusion. "We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques," Gemalto says. "There have been many reported state-sponsored attacks as of late, that all have gained attention both in the media and amongst businesses; this truly emphasizes how serious cybersecurity is in this day and age."

Data Breach Notifications

Gemalto's decrying of the reported "state-sponsored attack" launched against it is a notable choice of words, given that the U.S. government used the same language to describe the hack of Sony Pictures Entertainment that it has attributed to "North Korea actors."

The hack attack could also trigger data breach notification requirements

Security expert Daragh O Brien says that per Ireland's privacy law, any telecommunications company that uses SIM cards from Gemalto must now notify their customers that they face a security risk. It's not yet clear if the report that the company's SIM cards may have been compromised might trigger any other EU or U.S. data breach notification requirements by any carriers who have distributed Gemalto SIM cards to their customers or subscribers.

Meanwhile, leading Dutch lawmakers have demanded to know whether the Dutch government knew - or approved - of the operation.

Codename: DAPINO GAMMA

The Gemalto hacking program, according to leaked documents, was codenamed DAPINO GAMMA, and involved using the NSA's alleged X-KEYSCORE program, which reportedly allows NSA agents to spy on individuals in real time. That's accomplished, in part, by using communications intercepted by PRISM, which is an NSA program for tapping into major Internet providers, including the online e-mail offered by Google, Microsoft and Yahoo.

Civil rights and privacy rights groups have reacted to the hacking report with alarm, noting that it would enable mass surveillance of cell phone calls, as well as allow intelligence agencies to practice the bulk collection of cell phone metadata, for example to see who talked to whom, and for how long. "GCHQ has lost its way. In stealing the SIM card encryption keys of millions of mobile phone users they have shown there are few lines they aren't willing to cross," Eric King, deputy director of British privacy rights organization Privacy International, tells Information Security Media Group, adding that the intelligence agency has lost sight of "the rule of law."

King says that a coalition of privacy rights groups has filed a lawsuit against GCHQ, in the wake of the U.K. Investigatory Powers Tribunal's Feb. 6 ruling that for seven years, GCHQ had illegally used information collected by the NSA. The groups now want GCHQ to disclose the identities of the people who were targeted for intelligence services spying.

GCHQ admitted that it had been acting illegally for a seven-year period, but says it now complies with U.K. intelligence laws.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.