Smartphone SIM Cards Hacked By US, UK Spies

British and US intelligence agencies stole encryption keys in order to bypass smartphone security measures. To call this a disaster for mobile security would be a gross understatement.
9 Most Tech-Savvy Presidents
9 Most Tech-Savvy Presidents
(Click image for larger view and slideshow.)

The US National Security Agency (NSA) and the British Government Communications Headquarters (GCHQ) broke into the computer systems of Gemalto, a maker of SIM cards, to make tracking people via their smartphones much easier.

The revelation comes from documents shared by Edward Snowden and published by The Intercept. The 2010 hack made it possible for the US and British governments to spy on smartphones in complete secrecy.

To call this a disaster for mobile security would be a gross understatement. Any information on any smartphone in use in your organization right now -- whether corporate or employee owned -- could potentially be subject to this invasion. Let that sink in for just a moment.

[ Why do hackers keep winning? Read How Malware Bypasses Our Most Advanced Security Measures. ]

Nearly all cell phones sold worldwide rely on a SIM card, or subscriber identity module, to identify customers and authenticate their phone's access to mobile networks. SIM cards have some encryption on board to prevent people from defrauding the network operators. (Remember when it was easy to clone cell phones?) SIM cards store customer information, text messages, and contact data. They are an essential link in tying people to devices and wireless service. The Intercept says SIM cards were never intended to protect users against government hacking.

2 Billion SIM Cards Per Year

Gemalto is the world's largest maker of SIM cards. It ships about 2 billion SIM cards annually to AT&T, Sprint, T-Mobile, Verizon Wireless, and 450 other wireless network operators. The company is based in The Netherlands, but operates in 85 countries, including the US. One of its three headquarters is in Texas, and one of its 40 manufacturing facilities is in Pennsylvania. The NSA and GCHQ hacked Gemalto's computer system to gain access to the encryption keys for its SIM cards.

Each SIM card is burned with an encryption key -- called a Ki -- at the time of manufacture. Gemalto provides the SIM cards, along with a copy of the keys, to wireless network operators. The SIM cards are shipped in bulk, but the encryption keys can be sent via regular mail, email, or FTP, according to The Intercept. This is the weak link exploited by the NSA and GCHQ.

The agencies monitored Gemalto employees to find a way in. They clandestinely spied on those employees and sniffed through their emails in order to identify key players within Gemalto who could be used to get the encryption keys. The agencies eventually gained access to Gemalto's core network and were able to steal encryption keys en masse.

With the keys in hand, the NSA and GCHQ had unfettered access to citizens' mobile telecommunications. The agencies didn't have to get warrants and were able to spy, leaving no evidence on the handset or network in question. Moreover, the keys allowed the agencies to decrypt encrypted communications they'd previously collected but hadn't been able to break.

Gemalto said it had no idea what was going on. When reached for comment, Gemalto executive vice president Paul Beverly said, "I'm disturbed, quite concerned that this has happened. The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn't happen again, and also to make sure that there's no impact on the telecom operators that we have served in a very trusted manner for many years."

The company promised to investigate in order to discover how the NSA and GCHQ broke in and the extent of the theft.

Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.

Editor's Choice
Brian T. Horowitz, Contributing Reporter
Samuel Greengard, Contributing Reporter
Nathan Eddy, Freelance Writer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing