Smartphone SIM Cards Hacked By US, UK Spies - InformationWeek

British and US intelligence agencies stole encryption keys in order to bypass smartphone security measures. To call this a disaster for mobile security would be a gross understatement.

The US National Security Agency (NSA) and the British Government Communications Headquarters (GCHQ) broke into the computer systems of Gemalto, a maker of SIM cards, to make tracking people via their smartphones much easier.

The revelation comes from documents shared by Edward Snowden and published by The Intercept. The 2010 hack made it possible for the US and British governments to spy on smartphones in complete secrecy.

To call this a disaster for mobile security would be a gross understatement. Any information on any smartphone in use in your organization right now -- whether corporate or employee owned -- could potentially be subject to this invasion. Let that sink in for just a moment.

Nearly all cell phones sold worldwide rely on a SIM card, or subscriber identity module, to identify customers and authenticate their phone's access to mobile networks. SIM cards have some encryption on board to prevent people from defrauding the network operators. (Remember when it was easy to clone cell phones?) SIM cards store customer information, text messages, and contact data. They are an essential link in tying people to devices and wireless service. The Intercept says SIM cards were never intended to protect users against government hacking.

2 Billion SIM Cards Per Year

Gemalto is the world's largest maker of SIM cards. It ships about 2 billion SIM cards annually to AT&T, Sprint, T-Mobile, Verizon Wireless, and 450 other wireless network operators. The company is based in the Netherlands, but operates in 85 countries, including the US. One of its three headquarters is in Texas, and one of its 40 manufacturing facilities is in Pennsylvania. The NSA and GCHQ hacked Gemalto's computer system to gain access to the encryption keys for its SIM cards.

Each SIM card is burned with an encryption key -- called a Ki -- at the time of manufacture. Gemalto provides the SIM cards, along with a copy of the keys, to wireless network operators. The SIM cards are shipped in bulk, but the encryption keys can be sent via regular mail, email, or FTP, according to The Intercept. This is the weak link exploited by the NSA and GCHQ.

The agencies monitored Gemalto employees to find a way in. They clandestinely spied on those employees and sniffed through their emails in order to identify key players within Gemalto who could be used to get the encryption keys. The agencies eventually gained access to Gemalto's core network and were able to steal encryption keys en masse.

With the keys in hand, the NSA and GCHQ had unfettered access to citizens' mobile telecommunications. The agencies didn't have to get warrants and were able to spy, leaving no evidence on the handset or network in question. Moreover, the keys allowed the agencies to decrypt encrypted communications they'd previously collected but hadn't been able to break.
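
Why a copied Ki is enough to read traffic recorded earlier, as an added example that is not part of the original article: the session key depends only on the Ki and a challenge sent in the clear, so a recording contains everything else needed. HMAC-SHA256 and the SHA-256 keystream are stand-ins for the operator's real algorithms, and all function names and sample values are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

def derive(ki: bytes, rand: bytes):
    """Stand-in for the SIM's authentication and key-derivation functions.
    Returns (SRES, Kc). HMAC-SHA256 is an assumption for illustration only."""
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    return out[:4], out[4:12]          # 32-bit response, 64-bit session key

def keystream_xor(kc: bytes, frame_no: int, data: bytes) -> bytes:
    """Toy stream cipher standing in for the air-interface cipher.
    XOR with a keystream, so encryption and decryption are the same call."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = kc + frame_no.to_bytes(4, "big") + counter.to_bytes(4, "big")
        stream += hashlib.sha256(block).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def record_session(ki: bytes, plaintext: bytes) -> dict:
    """What is visible on the air for one session: RAND, SRES, ciphertext."""
    rand = os.urandom(16)              # challenge, sent before ciphering starts
    sres, kc = derive(ki, rand)
    return {"rand": rand, "sres": sres, "frame": 1,
            "ciphertext": keystream_xor(kc, 1, plaintext)}

def decrypt_recording(ki: bytes, rec: dict) -> Optional[bytes]:
    """Re-derive Kc from a candidate Ki. Returns None unless the Ki
    reproduces the recorded SRES, i.e. unless it is the SIM's own key."""
    sres, kc = derive(ki, rec["rand"])
    if not hmac.compare_digest(sres, rec["sres"]):
        return None
    return keystream_xor(kc, rec["frame"], rec["ciphertext"])

if __name__ == "__main__":
    ki = os.urandom(16)                            # constructed sample key
    rec = record_session(ki, b"constructed sample message")
    print(decrypt_recording(os.urandom(16), rec))  # unrelated key
    print(decrypt_recording(ki, rec))              # the SIM's key, used later
```

Because the Ki is static for the life of the card and nothing ephemeral enters the derivation, the design has no forward secrecy: protecting the key file in transit and at rest is the only thing standing between a recording and its plaintext.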

Gemalto said it had no idea what was going on. When reached for comment, Gemalto executive vice president Paul Beverly said, "I'm disturbed, quite concerned that this has happened. The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn't happen again, and also to make sure that there's no impact on the telecom operators that we have served in a very trusted manner for many years."

The company promised to investigate in order to discover how the NSA and GCHQ broke in and the extent of the theft.

Eric is a freelance writer for InformationWeek specializing in mobile technologies.

2/21/2015 | 12:54:20 PM
Not the only ones
This cannot be much of a surprise. And if the US and UK have broken in, you can be sure the Russian, Chinese and Israeli security agencies have done so as well. Anything electronic can be hacked. And with people carrying their lives around on their smartphones, they are open to snooping. If that bothers people, go low tech or no tech but hacking and spying will always be there.