A subscriber identity module or subscriber identification module (SIM) is an integrated circuit that securely stores our international mobile subscriber identity (IMSI) and the related key used to identify and authenticate subscribers on mobile telephony devices.
Privacy of mobile communication, whether voice, text or internet access, depends on encrypted connection between the cellphone and the wireless carrier’s network, using keys stored on the SIM card inserted in the phone. All mobile communications on the phone depend on the SIM, which stores and guards the encryption keys created by companies like Gemalto. Our phone SIM card stores (for example) our own phone number, and our contacts, text messages, and other important data.
According to documents provided to The Intercept by NSA whistleblower Edward Snowden, both American and British spies hacked into the internal network of the world’s largest manufacturer of SIM cards, Gemalto, and stole encryption keys that protect the privacy of worldwide cellphone communications. Gemalto’s SIMs are used to help secure the communications of billions of customers’ phones around the world on AT&T, T-Mobile, Verizon, Sprint and more than 400 other wireless carriers in 85 countries. One of its global headquarters (it has three) is in Austin, Texas, and it has a large factory in Pennsylvania. There is a very good chance that the SIM card in your cell phone was manufactured by Gemalto.
The Intercept describes the hack:
With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.
After The Intercept contacted the company, Gemalto’s internal security team began to investigate how their system was penetrated, but weren’t able to find evidence of the hacks. When The Intercept asked if the NSA or GCHQ had ever requested access to Gemalto-manufactured encryption keys, Paul Beverly, a Gemalto executive vice president said that to the best of his knowledge, they had not.
This week Gemalto confirmed that it was the target of attacks in 2010 and 2011, likely perpetrated by the NSA and GCHQ, but the company insists that the hackers didn’t get inside the network where cryptographic keys are stored that protect mobile communications.
Wired reported that Gemalto came to this conclusion after just a week-long investigation following a news report that the NSA and GCHQ had hacked into the firm’s network in 2011. Gemalto wrote in a press release on Wednesday,
The investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened.
But the company said,
The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys.
Many information security professionals ridiculed Gemalto for making this claim after such a short investigation, particularly since the NSA has been known to deploy malware and use other techniques that can completely erase signs of an intrusion after the fact, to thwart forensic discovery of a breach. French developer and security researcher Matt Suiche wrote on Twitter, “Very impressive, Gemalto had no idea of any attacks in 2010, one week ago. Now they know exactly what happened.”
The Intercept article concludes,
The U.S. and British intelligence agencies pulled off the encryption key heist in great stealth, giving them the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted. “Gaining access to a database of keys is pretty much game over for cellular encryption,” says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is “bad news for phone security. Really bad news.”
Edward Snowden criticized the agencies for the hack in an Ask Me Anything session for Reddit on Monday. “When the NSA and GCHQ compromised the security of potentially billions of phones (3g/4g encryption relies on the shared secret resident on the sim),” Snowden wrote, “they not only screwed the manufacturer, they screwed all of us, because the only way to address the security compromise is to recall and replace every SIM sold by Gemalto.”
Image by Georgy90, via Wikimedia Commons