US and UK spies hacked SIM card manufacturer to steal codes that allowed them to eavesdrop on mobile phones worldwide, according to bombshell documents leaked by Ed Snowden
- America’s NSA allegedly worked with British intelligence agency GCHQ
- The agencies stole encryption keys to hack into mobile communications
- The hacks took place between 2010 and 2011 – with 300,000 keys stolen
- Company being targeted was Gemalto who produce billions of SIM cards
- NSA whistleblower Ed Snowden gave leaked documents to The Intercept
- GCHQ planted ‘malicious software’ on Gemalto’s computers, files reveal
British and American spies reportedly stole confidential codes from Dutch SIM card manufacturer to eavesdrop on mobile phones around the world, an intelligence leak has revealed.
NSA whistleblower Edward Snowden gave leaked files to The Intercept detailing how the American agency and its British counterparts GCHQ stole encryption keys that keep mobile communications private.
The company targeted was Gemalto who produce billions of electronic chips for mobile phones and next generation credit cards.
It operates in 85 countries and its SIM cards cover more than 1.5 billion mobile users globally for clients such as AT&T, T-Mobile, Verizon and Sprint. In Australia this includes Telstra, Optus and Vodafone.
The hacks are thought to have taken place in 2010 and 2011 and led to the theft of 300,000 keys from Somalia, Iran, Afghanistan, Yemen, India, Serbia, Iceland and Tajikistan.
With these encryption keys, the intelligence agencies would have the ability to collect both voice and data information – such as text messages – from a large portion of the world’s communications. The keys are used to decipher the communications between mobile phones and their network providers which would otherwise be received as a ‘garbled mess’. Stealing them also sidesteps the need to get permission from telecom companies or a warrant for a wire-tap – and it leaves no trace on the wireless provider’s network that communications have been hacked into.
The Intercept claims GCHQ planted malicious software on several of Gemalto’s computers to gain access to its internal network in order to obtain these keys. It also received slides from GCHQ in which the author boasted: ‘Successfully implanted several machines and believe we have their entire network.’
HACKING A PHONE’S ‘SECRET HANDSHAKE’
The encrypted connection between a mobile device and its wireless network is what keeps the communications private. And all mobile communications on a phone depend on the SIM card which guards this encryption key. In some countries, the electronic chips are even used to transfer money safely. An encryption key known as a ‘Ki’ is burned onto them when they are manufactured and a copy of this key is also given to the mobile provider, which is how they recognise a phone on its network.
When a mobile connects to its wireless provider – and the Ki’s match up – it creates a ‘secret handshake’ which is encrypted.
Even if GCHQ intercepted the phone call, it would be interpreted as a garbled mess. But by stealing the encryption keys, it can decrypt this information and essentially listen into the phone calls and intercept text messages.
A document from the NSA revealed the US agency could process between 12 and 22 million keys by 2009, which could later be used to spy on targets. It predicted that more than 50 million keys could be accessed every second in the future.
The GCHQ’s operation to target Gemalto was called ‘Dapino Gamma’ and in 2011, it launched an attempt to harvest the email accounts of Gemalto employees in France and Poland.
A top-secret document said one of the aims of the operation was ‘getting into French HQ’ of Gemalto – one of its global headquarters – ‘to get into core data repositories’. It also wanted to intercept the private communications of employees in Poland which ‘could lead to penetration into one or more’ of the factories where the encryption keys were burned onto the SIM cards.
Another GCHQ document from May 2011 indicated it was in the process of ‘targeting’ more than a dozen Gemalto facilities across the globe including in Germany, Mexico, Australia, Brazil, Canada, China, India, Italy, Russia, Sweden, Spain, Japan and Singapore.
The file also suggested GCHQ was preparing similar key theft operations against one of Gemalto’s competitors – German SIM card giants Giesecke and Devrient.
It also penetrated ‘authentication servers’ which allow it to decrypt data and voice communications between a target’s mobile phone and the connection it makes with its network provider. An accompanying slide read: ‘Very happy with the data so far and working through the vast quantity of product.’
As part of the covert operations against Gemalto, spies from GCHQ who were supported by the NSA mined the private communications of unwitting engineers and other company employees in multiple countries. Gemalto was unaware of the hack and the spying on its employees according to its executive vice president Paul Beverly.
GEMALTO: ‘SECURITY TO BE FREE’
The company which brought in £1.7billion in revenue in 2013 – and provides SIM cards for billions of people – is a global leader in digital security, producing banking cards, mobile payment systems, two-factor authentication devices used for online security, hardware tokens used for securing buildings and offices, electronic passports and identification cards.
The Dutch multi-national, whose motto is ‘security to be free’ provides chips to Vodafone in Europe, France’s Orange and EE in the UK. Royal KPN, the largest Dutch wireless network provider, also uses Gemalto technology. In Asia, Gemalto’s chips are used by China Unicom, Japan’s NTT and Taiwan’s Chungwa Telecom, as well as scores of wireless network providers throughout Africa and the Middle East.
The company’s security technology is used by more than 3,000 financial institutions and 80 government organizations.
Among its clients are Visa, Mastercard, American Express, JP Morgan Chase and Barclays. It also provides chips for use in luxury cars, including those made by Audi and BMW.
He told The Intercept: ‘I’m disturbed, quite concerned that this has happened.
‘The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn’t happen again, and also to make sure that there’s no impact on the telecom operators that we have served in a very trusted manner for many years. ‘What I want to understand is what sort of ramifications it has, or could have, on any of our customers.’
A spokesperson from GCHQ said it does not comment on intelligence matters, but added: ‘All of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the parliamentary Intelligence and Security Committee. ‘All our operational processes rigorously support this position. In addition, the UK’s interception regime is entirely compatible with the European Convention on Human Rights.’
A spokeswoman for Gemalto said the manufacturer has so far ‘made no links’ between previous hacking attempts it was already aware of and the new reports. She said: ‘We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such highly sophisticated technique to try to obtain SIM card data. ‘There have been many reported state sponsored attacks as of late, that all have gained attention both in the media and amongst businesses, this truly emphasises how serious cyber security is in this day and age.’
Pingback: The Background to the Great SIM Heist | Words, By George!