Smartphone SIM Cards Hacked By US, UK Spies - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News
News
2/21/2015
10:06 AM
100%
0%

Smartphone SIM Cards Hacked By US, UK Spies

British and US intelligence agencies stole encryption keys in order to bypass smartphone security measures. To call this a disaster for mobile security would be a gross understatement.

9 Most Tech-Savvy Presidents
9 Most Tech-Savvy Presidents
(Click image for larger view and slideshow.)

The US National Security Agency (NSA) and the British Government Communications Headquarters (GCHQ) broke into the computer systems of Gemalto, a maker of SIM cards, to make tracking people via their smartphones much easier.

The revelation comes from documents shared by Edward Snowden and published by The Intercept. The 2010 hack made it possible for the US and British governments to spy on smartphones in complete secrecy.

To call this a disaster for mobile security would be a gross understatement. Any information on any smartphone in use in your organization right now -- whether corporate or employee owned -- could potentially be subject to this invasion. Let that sink in for just a moment.

[ Why do hackers keep winning? Read How Malware Bypasses Our Most Advanced Security Measures. ]

Nearly all cell phones sold worldwide rely on a SIM card, or subscriber identity module, to identify customers and authenticate their phone's access to mobile networks. SIM cards have some encryption on board to prevent people from defrauding the network operators. (Remember when it was easy to clone cell phones?) SIM cards store customer information, text messages, and contact data. They are an essential link in tying people to devices and wireless service. The Intercept says SIM cards were never intended to protect users against government hacking.

2 Billion SIM Cards Per Year

Gemalto is the world's largest maker of SIM cards. It ships about 2 billion SIM cards annually to AT&T, Sprint, T-Mobile, Verizon Wireless, and 450 other wireless network operators. The company is based in The Netherlands, but operates in 85 countries, including the US. One of its three headquarters is in Texas, and one of its 40 manufacturing facilities is in Pennsylvania. The NSA and GCHQ hacked Gemalto's computer system to gain access to the encryption keys for its SIM cards.

Each SIM card is burned with an encryption key -- called a Ki -- at the time of manufacture. Gemalto provides the SIM cards, along with a copy of the keys, to wireless network operators. The SIM cards are shipped in bulk, but the encryption keys can be sent via regular mail, email, or FTP, according to The Intercept. This is the weak link exploited by the NSA and GCHQ.

(Image: Ryan McGuire via Pixabay)

(Image: Ryan McGuire via Pixabay)

The agencies monitored Gemalto employees to find a way in. They clandestinely spied on those employees and sniffed through their emails in order to identify key players within Gemalto who could be used to get the encryption keys. The agencies eventually gained access to Gemalto's core network and were able to steal encryption keys en masse.

With the keys in hand, the NSA and GCHQ had unfettered access to citizens' mobile telecommunications. The agencies didn't have to get warrants and were able to spy, leaving no evidence on the handset or network in question. Moreover, the keys allowed the agencies to decrypt encrypted communications they'd previously collected but hadn't been able to break.

Gemalto said it had no idea what was going on. When reached for comment, Gemalto executive vice president Paul Beverly said, "I'm disturbed, quite concerned that this has happened. The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn't happen again, and also to make sure that there's no impact on the telecom operators that we have served in a very trusted manner for many years."

The company promised to investigate in order to discover how the NSA and GCHQ broke in and the extent of the theft.

Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.

Eric is a freelance writer for InformationWeek specializing in mobile technologies. View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tjgkg
100%
0%
tjgkg,
User Rank: Ninja
2/21/2015 | 12:54:20 PM
Not the only ones
This cannot be much of a surprise. And if the US and UK have broken in, you can be sure the Russian, Chinese and Israeli security agencies have done so as well. Anything electronic can be hacked. And with people carrying their lives around on their smartphones, they are open to snooping. If that bothers people, go low tech or no tech but hacking and spying will always be there.
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Slideshows
IT Careers: 12 Job Skills in Demand for 2020
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/1/2019
Commentary
Enterprise Guide to Multi-Cloud Adoption
Cathleen Gagne, Managing Editor, InformationWeek,  9/27/2019
Commentary
5 Ways CIOs Can Better Compete to Recruit Top Tech Talent
Guest Commentary, Guest Commentary,  10/2/2019
Register for InformationWeek Newsletters
Video
Current Issue
Data Science and AI in the Fast Lane
This IT Trend Report will help you gain insight into how quickly and dramatically data science is influencing how enterprises are managed and where they will derive business success. Read the report today!
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll