Snowden files reveal US, British hacking into company's SIM cards

Moloko

PUBLISHED : Saturday, 21 February, 2015, 2:11pm
UPDATED : Saturday, 21 February, 2015, 2:11pm

AFP and AP in London and Washington

US and British agencies “hacked into” European manufacturer Gemalto to gain encryption keys. Photo: AP

It would be another powerful tool in the arsenal of US and British spy services: encryption keys for a large share of the SIM cards used for mobile phones.

A report by the investigative news website The Intercept, citing leaked documents from former National Security Agency contractor Edward Snowden, said the US and British agencies “hacked into” European manufacturer Gemalto to gain these keys.

The report, if accurate, could allow the NSA and its British counterpart GCHQ to secretly monitor a large portion of global communications over mobile devices without using a warrant or wiretap.

In an email to The Associated Press on Friday, GCHQ said it does not comment on intelligence matters. However, it said all of its work was legal and its “interception regime” fully complies with the European Convention on Human Rights.

“This is a huge deal,” said Bruce Schneier, a cryptographer who is chief technology officer at the security firm Resilient Systems, and a fellow at Harvard’s Berkman Centre.

“The things that are the most egregious are when the NSA hacks everybody to get a few people,” Schneier told AFP.

“They’re getting encryption keys of everybody, including you and me. It’s a scorched earth policy.”

The report suggests the intelligence services could have access to a wider range of communications than has been previously reported. Other documents have indicated that the NSA can monitor email and traditional phone communications.

Schneier said the report is credible and probably indicates other SIM card makers were hacked as well.

“Do we think this is the only company? Odds are low,” he said.

David Perry, threat strategist at the security firm F-Secure, called the revelations “the biggest story on mobile privacy we’ve seen so far”.

The report is troubling, Perry said, because of the methods described.

“Intelligence services are hacking all the time,” he said. “What concerns me is that they would go into a factory and spoil the security at the point of origination.”

The NSA did not immediately respond to requests for comment.

Gemalto said in a statement that it takes the matter “very seriously and will devote all resources necessary to fully investigate” the allegations.

It added that the intended target was “not Gemalto, per se - it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible.”

Yet the report leaves many questions unanswered, and some experts were cautious about jumping to conclusions about the documents.

“One of the reasons I’m sceptical is that different governments have been using other methods to grab communications and wireless data which are unsecured to begin with,” said Darren Hayes, director of cybersecurity at Pace University’s School of Computer Science and Information Systems.

“I’m not sure that the US or UK governments would use hackers in the same way that the Chinese or Russians are doing.”

Schneier said more information is needed to know exactly what the encryption keys would provide, but says it is likely that they would allow access to the phone communications rather than the data transfer, so SMS or voice messages might be accessed but not Skype or other Internet-based services.

“I think the company should do what Sony did [after being hacked] - hire a forensics team,” Schneier said.

“We need details on how this was done and what can be done to remedy it.”

Greg Nojeim, a lawyer for the Centre for Democracy & Technology, a digital rights organisation, said the revelation suggests privacy of people around the world is at risk.

“Almost everyone in the world carries mobile phones and this is an unprecedented mass attack on the privacy of citizens worldwide,” Nojeim said.

“While there is certainly value in targeted surveillance of mobile phone communications, this coordinated subversion of the trusted technical security infrastructure of mobile phones means the US and British governments now have easy access to our mobile communications.”

John Pirc, co-founder of the Virginia-based security firm Bricata, said the report is “plausible” and, if true, could undermine confidence in mobile communications.

“If someone had access to the SIM card and put malware on it, that means anyone can get in,” Pirc said.

He added that the revelations could end up hurting manufacturers or carriers if they fail to take steps to correct any security weaknesses.

“If this turns out to be true, every consumer should ask for a new SIM card,” Pirc said.

Rights organisations on Friday called for urgent steps to be taken to protect private calls and online communications after the allegations.

The World Wide Web Foundation, founded by Web inventor Tim Berners-Lee, said the alleged hacking by the National Security Agency and its British counterpart, GCHQ, was “another worrying sign that these agencies think they are above the law”.

Privacy International, which recently won an unprecedented court victory against GCHQ in the wake of the Snowden revelations, said that the electronic eavesdropping agency had lost its way.

“In stealing the SIM card encryption keys of millions of mobile phone users they have shown there are few lines they aren’t willing to cross,” Privacy International Deputy Director Eric King said in a statement.

“Hacking into law-abiding companies, spying on their employees and stealing their data should never be considered ‘fair game,’” he added. “Their actions have undermined the security of us all.”

Yet hacking into law-abiding companies, and inducing foreigners to commit treason by spilling secrets, are standard practices of spy agencies throughout the world. The US and Britain happen to be more proficient than most. There is no international treaty laying out the rules of espionage, cyber or otherwise.

The NSA hacks into companies in friendly nations for all sorts of reasons, say former intelligence officials who declined to be quoted discussing classified operations. The CIA, and its Russian, Chinese, French and British counterparts, pay foreigners to supply information in violation of the laws of their countries.

One question being raised by some of the Snowden leaks is whether the public in the US and Europe are willing to rein in their digital spying services if it means rendering them less effective. Another question is whether the benefits of a particular surveillance method are worth the fallout in the event it is disclosed.

In Germany, opposition lawmakers have called for a parliamentary hearing on the reported hacking. An aide to Green Party lawmaker Konstantin von Notz said the hearing would likely take place Wednesday and could call on witnesses from Germany’s domestic and foreign intelligence agencies to testify.

Germany is the only country that has launched a parliamentary inquiry into the activities of the NSA and GCHQ in the wake of the Snowden revelations.


 