NSA, GCHQ reportedly stole mobile network encryption keys

Private information protected by the little SIM card in your handset might not be so private after all. Based on new documentation from former NSA employee turned whistleblower Edward Snowden, The Intercept is reporting on a state-sponsored theft of encryption keys from Gemalto, a company that makes 2 billion SIM cards annually.

According to The Intercept’s report, the U.K.’s GCHQ, working with the U.S. National Security Administration, was behind the hack on Gemalto, providing government agencies with the information by infiltrating the company.

What exactly does that mean to individuals and their privacy? Quite a bit, The Intercept said:

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

Snowden’s documentation suggests for the first time the formation of a Mobile Handset Exploitation Team (MHET), with the purpose of seeking ways to gain access to handsets and cellular communications. This would allow the agencies to decrypt cellular communications without the knowledge of either private citizens or the cellular network providers, and without requiring a court order.

In short, such a situation removes the potential for any semblance of privacy for individuals using default smartphone services.

Any data, including contacts or saved messages, stored on a SIM card could be at risk for harvesting, but that’s just the tip of the iceberg. Mobile phone communications could be harvested in bulk and later decrypted by the agencies, so it’s not just a “real-time” communications problem.

Essentially, then, with these encryption keys compromised, I don’t see how carriers can effectively guarantee privacy on their networks, depending on how widespread the theft really is.

And that points to the core of the problem: With clandestine acts such as this, do we even know if we have all of the information on the agency’s activities? It’s unlikely at best, and extremely concerning.

In light of the report, Gemalto has provided the following email statement to Gigaom:

“In the digital world we all live in, Gemalto is especially vigilant against malicious hackers and of course has detected, logged and mitigated many types of attempts over the years, and at present can make no link between any of those past attempts and what was reported by The//INTERCEPT.  We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such highly sophisticated technique to try to obtain SIM card data. From what we gathered at this moment, the target was not Gemalto, per se – it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible.  There have been many reported state sponsored attacks as of late, that all have gained attention both in the media and amongst businesses, this truly emphasizes how serious cyber security is in this day and age.”

This post was updated at 1:16pm with Gemalto’s statement.
