SIM card makers hacked by NSA and GCHQ leaving cell networks wide open

The NSA could be able to listen in on your lols.

Christian Rivera

In a new report on some of the confidential documents leaked by former NSA contractor Edward Snowden, The Intercept wrote that operatives from both the National Security Administration (NSA) and the British Government Communications Headquarters (GCHQ) joined forces in April 2010 to crack mobile phone encryption. The Mobile Handset Exploitation Team (MHET) succeeded in stealing untold numbers of encryption keys from SIM card makers and mobile networks, specifically Dutch SIM card maker Gemalto, one ofthe largest SIM manufacturers in the world. Gemalto produces 2 billion SIM cards a year, which are used all over the world.

Although the SIM card in a cell phone was originally usedto verify billing to mobile phone users, today a SIM also stores the encryption keys that protect a user's voice, text, and data-based communications and make them difficult for spies to listen in on. The mobile carrier holds the corresponding key that allows the phone to connect to the mobile carrier's network. Each SIM card is manufactured with an encryption key (called a Ki) that is physically burned into the chip. When you go to use the phone, it conducts a secret 'handshake' that validates that the Ki on the SIM matches the Ki held by the mobile company, The Intercept explains. Once that happens, the communications between the phone and the network are encrypted.

To steal the SIM encryption keys, MHET exploited a weakness in SIM manufacturers' business routinethat SIM card manufacturers tend to deliver the corresponding Kis to mobile carriers via e-mail or File Transfer Protocol. By doing basic cyberstalking of Gemalto employees, the NSA and GCHQ were able to pilfer millions of SIM Kis, which have a slow turnover rate (your phone's Ki will likely remain the same as long as you keep the SIM in the phone) and can be used to decrypt data that has been stored for months or even years.

Gemalto not only makes SIM cards, but it also makes chips that are placed into EMV credit cards as well as the chips built into next-generation United States passports. Paul Beverly, a Gemalto executive vice president, told The Intercept that the company's security team began an audit on Wednesday and could find no evidence of the hacks. The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesnt happen again, and also to make sure that theres no impact on the telecom operators that we have served in a very trusted manner for many years, Beverly said. Gemalto's clients include hundreds of wireless networks around the world, including all four major carriers in the US.

According to the documents procured by The Intercept, MHET was able to use the NSA's XKeyscore to mine the e-mail accounts and Facebook profiles of engineers at major telecom companies and SIM card manufacturing companies, looking for clues that would get them into the SIM Ki trove. (XKeyscore is a program designed by the NSA to reassemble and analyse the data packets it finds traveling over a network. XKeyscore is powerful enough to be able to pull up the full content of users' Web browser sessions, and it can even generate a full replay of a network session between two Internet addresses, as Ars reported in 2013.) Eventually, MHET learned enough to be able to plant malware on several of Gemalto's internal servers.

In the course of trying to break into Gemalto's internal network, the NSA and GCHQ looked for employees using encryption as preferred targets. The spy agencies also expanded their surveillance to include mobile phone companies and networks, as well as other SIM manufacturers. The Intercept explained:

In one instance, GCHQ zeroed in on a Gemalto employee in Thailand who they observed sending PGP-encrypted files, noting that if GCHQ wanted to expand its Gemalto operations, he would certainly be a good place to start. They did not claim to have decrypted the employees communications, but noted that the use of PGP could mean the contents were potentially valuable.

View original post here:
SIM card makers hacked by NSA and GCHQ leaving cell networks wide open