Report: Spies Stole SIM Encryption KeysSnowden-Leaked Documents: SIM Card Maker Gemalto Hacked
A British-American intelligence team hacked into Gemalto, the world's largest maker of SIM cards, resulting in the theft of numerous encryption keys for the cards designed to ensure the security and privacy of cellular phone calls worldwide, according to a news report citing leaked documents.
A joint unit, involving employees of the U.S. National Security Agency and U.K. Government Communications Headquarters, executed the hack attacks between 2010 and 2011, investigatory news site The Intercept reports, citing GCHQ documents leaked by former NSA contractor Edward Snowden.
Gemalto, based in Amsterdam, manufactures about 2 billion SIM cards per year, which are used by 450 wireless network providers around the world, the report says. According to Gemalto, its customers include the three largest U.S. carriers: Verizon, AT&T and Sprint.
"Gemalto: Successfully implanted several machines and believe we have their entire network - TDSD are working the data," reads an alleged GCHQ document published by The Intercept. "Implant" apparently is short for "malware implants," which is an NSA/GCHQ term for a Trojan horse, while "TDSD" likely refers to an intelligence team.
Christopher Soghoian, the principal technologist for the American Civil Liberties Union, likens the theft of encryption keys for SIM cards to a thief stealing a lock's master key. "Once you have the keys, decrypting traffic is trivial," he tells The Intercept. "The news of this key theft will send a shock wave through the security community."
Gemalto responded to the report in a statement posted to its website, saying that the leaks show that the hack attacks were meant to give intelligence agencies the ability to more easily decrypt intercepted cellular communications for anyone those agencies might be targeting.
"The publication indicates the target was not Gemalto per se - it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible, with the aim to monitor mobile communications without mobile network operators and users' consent," Gemalto says. "We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation."
The SIM manufacturer says it launched a related digital forensics investigation on Feb. 18, after first learning of the attacks via The Intercept, again emphasizing that, to date, it has found no evidence of a related intrusion. "We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques," Gemalto says. "There have been many reported state-sponsored attacks as of late, that all have gained attention both in the media and amongst businesses; this truly emphasizes how serious cybersecurity is in this day and age."
Data Breach Notifications
Gemalto's decrying of the reported "state-sponsored attack" launched against it is a notable choice of words, given that the U.S. government used the same language to describe the hack of Sony Pictures Entertainment that it has attributed to "North Korea actors."
The hack attack could also trigger data breach notification requirements
Security expert Daragh O Brien says that per Ireland's privacy law, any telecommunications company that uses SIM cards from Gemalto must now notify their customers that they face a security risk. It's not yet clear if the report that the company's SIM cards may have been compromised might trigger any other EU or U.S. data breach notification requirements by any carriers who have distributed Gemalto SIM cards to their customers or subscribers.
Meanwhile, leading Dutch lawmakers have demanded to know whether the Dutch government knew - or approved - of the operation.
Codename: DAPINO GAMMA
The Gemalto hacking program, according to leaked documents, was codenamed DAPINO GAMMA, and involved using the NSA's alleged X-KEYSCORE program, which reportedly allows NSA agents to spy on individuals in real time. That's accomplished, in part, by using communications intercepted by PRISM, which is an NSA program for tapping into major Internet providers, including the online e-mail offered by Google, Microsoft and Yahoo.
Civil rights and privacy rights groups have reacted to the hacking report with alarm, noting that it would enable mass surveillance of cell phone calls, as well as allow intelligence agencies to practice the bulk collection of cell phone metadata, for example to see who talked to whom, and for how long. "GCHQ has lost its way. In stealing the SIM card encryption keys of millions of mobile phone users they have shown there are few lines they aren't willing to cross," Eric King, deputy director of British privacy rights organization Privacy International, tells Information Security Media Group, adding that the intelligence agency has lost sight of "the rule of law."
King says that a coalition of privacy rights groups has filed a lawsuit against GCHQ, in the wake of the U.K. Investigatory Powers Tribunal's Feb. 6 ruling that for seven years, GCHQ had illegally used information collected by the NSA. The groups now want GCHQ to disclose the identities of the people who were targeted for intelligence services spying.
GCHQ admitted that it had been acting illegally for a seven-year period, but says it now complies with U.K. intelligence laws.