It’s hard to believe, but Edward Snowden is still releasing documents about what the US National Security Agency (NSA) and Britain’s Government Communications Headquarters (GCHQ) got up to while nobody was looking.
According to the latest documents released by the whistleblower, in 2010 the agencies illegally hacked into security firm Gemalto’s servers. Gemalto is the largest manufacturer of SIM cards in the world, and it appears the state spooks made off with encryption keys to pretty much every SIM card that it has produced.
To put things in a little perspective, Gemalto makes about two billion SIM cards a year for use in mobile phones and internet-connected devices like traffic lights and payment terminals. It’s also the firm behind the smart chip on the new South African ID card – although there’s no suggestion at this stage that any data relating to non-SIM applications like the ID card has been stolen.
According to The Intercept, the site run by Glenn Greenwald, the journalist synonymous with the Snowden leaks, having the encryption keys to so many SIM cards means that the NSA and GCHQ could secretly monitor almost the entire world’s mobile communications. That includes voice and data.
The breach was highlighted in a 2010 document, in which GCHQ noted in a slideshow presentation that “Gemalto – successfully planted several machines and believe we have the entire network. TDSD are working the data.”
Snowden provided the documents to The Intercept, which noted that “with these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted.”
Needless to say, Gemalto heads are not too pleased about the news.
“I’m disturbed, quite concerned that this has happened. The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn’t happen again, and also to make sure that there’s no impact on the telecom operators that we have served in a very trusted manner for many years. What I want to understand is what sort of ramifications it has, or could have, on any of our customers,” Paul Beverly, a Gemalto executive vice president, told The Intercept.
In a press statement put out this morning, the firm says that it is taking the issue seriously.
“We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation. Gemalto, the world leader in digital security, is especially vigilant against malicious hackers, and has detected, logged and mitigated many types of attempts over the years. At present we cannot prove a link between those past attempts and what was reported yesterday.”
There has been no word on how this could affect South African mobile phone users, but Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute, said either way it’s not good.
“Gaining access to a database of keys is pretty much game over for cellular encryption. It’s bad news for phone security. Really bad news.”

[Source – The Intercept, Image – CC by 2.0/MIKI Yoshihito]