U.S., British Spy Agencies Hacked Their Way Into Accessing Smartphone Encryption Keys

The latest Snowden bombshell is about your SIM card.


The latest revelation from Edward Snowden's document dumps appears to be a doozy: The National Security Agency (NSA) and England's Government Communications Headquarters (GCHQ) teamed up in 2009 and 2010 to hack their way into a company most have never heard of: Gemalto. The Amsterdam-based company manufactures SIM cards, essentially the key to your smartphone. Through this breach, the two spy agencies were able to harvest millions of encryption keys to those SIM cards, meaning they could simply access some information on those phones without asking telecom companies for assistance and without the users' permission or knowledge.

Photo caption: Who needs a back door when you've stolen the keys? Credit: andrewlih / photo on flickr

Jeremy Scahill and Josh Begley have a massive piece over at The Intercept explaining how it all works:

After a SIM card is manufactured, the encryption key, known as a "Ki," is burned directly onto the chip. A copy of the key is also given to the cellular provider, allowing its network to recognize an individual's phone. In order for the phone to be able to connect to the wireless carriers' network, the phone — with the help of the SIM — authenticates itself using the Ki that has been programmed onto the SIM. The phone conducts a secret "handshake" that validates that the Ki on the SIM matches the Ki held by the mobile company. Once that happens, the communications between the phone and the network are encrypted. Even if GCHQ or the NSA were to intercept the phone signals as they are transmitted through the air, the intercepted data would be a garbled mess. Decrypting it can be challenging and time-consuming. Stealing the keys, on the other hand, is beautifully simple, from the intelligence agencies' point of view, as the pipeline for producing and distributing SIM cards was never designed to thwart mass surveillance efforts.
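The handshake The Intercept describes is a shared-secret challenge-response: the network sends a random challenge, the SIM answers with a value derived from Ki, the network checks it against its own copy of Ki, and both sides derive the same session key for the air link. The following toy model, added here as an illustration and not code from the article, The Intercept or Gemalto, walks through one session and then shows what a passive observer of the radio link can and cannot read. It replaces the real SIM algorithms (A3/A8, A5) with HMAC-SHA256 stand-ins, and every Ki, IMSI and challenge value in it is constructed sample data.

```python
"""Toy model of SIM authentication and why a stolen Ki defeats link encryption.

Assumptions (not from the article): A3/A8 are replaced by HMAC-SHA256,
the A5 air cipher by an HMAC-based keystream, and all identifiers and
key values are constructed sample data.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for A3/A8: derive the signed response SRES (sent over the
    air) and the session key Kc (never transmitted) from Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def keystream(kc: bytes, nbytes: int) -> bytes:
    """Stand-in for A5: expand Kc into a keystream (HMAC in counter mode)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(kc, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Network:
    """The carrier's authentication centre: holds its copy of every Ki."""

    def __init__(self, subscribers: dict[str, bytes]):
        self.subscribers = subscribers  # IMSI -> Ki (copy supplied by the SIM maker)

    def challenge(self) -> bytes:
        return os.urandom(16)  # RAND

    def verify(self, imsi: str, rand: bytes, sres: bytes) -> Optional[bytes]:
        """Return Kc if the SIM's SRES matches the one we compute, else None."""
        expected_sres, kc = a3_a8(self.subscribers[imsi], rand)
        return kc if hmac.compare_digest(expected_sres, sres) else None


class Sim:
    """A SIM card with Ki burned in at manufacture."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self.ki = ki

    def respond(self, rand: bytes) -> tuple[bytes, bytes]:
        return a3_a8(self.ki, rand)


def authenticate_and_encrypt(sim: Sim, network: Network, plaintext: bytes,
                             rand: Optional[bytes] = None) -> tuple[bool, bytes, bytes]:
    """One session: challenge, response, check, then traffic encrypted under Kc.
    Returns (authenticated, rand, ciphertext_as_seen_on_the_air)."""
    rand = rand if rand is not None else network.challenge()
    sres, kc_sim = sim.respond(rand)          # SIM side
    kc_net = network.verify(sim.imsi, rand, sres)  # network side
    if kc_net is None:
        return False, rand, b""               # handshake fails, no traffic
    assert kc_net == kc_sim                   # both sides derived the same Kc
    return True, rand, xor(plaintext, keystream(kc_sim, len(plaintext)))


def observer_view(rand: bytes, ciphertext: bytes, ki: Optional[bytes] = None) -> bytes:
    """What a passive listener on the radio link ends up with.  RAND and the
    ciphertext are visible to anyone; without Ki that is all there is (the
    'garbled mess' in the article).  With a copy of Ki, the listener derives
    Kc exactly as the SIM did, which is why the key pipeline is the crown jewel."""
    if ki is None:
        return ciphertext
    _, kc = a3_a8(ki, rand)
    return xor(ciphertext, keystream(kc, len(ciphertext)))


if __name__ == "__main__":
    # Constructed sample values: one subscriber, one Ki shared by SIM and carrier.
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")
    imsi = "001010123456789"
    network = Network({imsi: ki})
    sim = Sim(imsi, ki)
    ok, rand, ct = authenticate_and_encrypt(sim, network, b"hello, network")
    print("authenticated:", ok)
    print("observer without Ki:", observer_view(rand, ct).hex())
    print("observer with Ki:   ", observer_view(rand, ct, ki))
    bad_sim = Sim(imsi, bytes(16))
    print("wrong Ki authenticates:", authenticate_and_encrypt(bad_sim, network, b"x")[0])
```

The model makes the defensive point concrete: the confidentiality of the air link rests entirely on Ki never leaving the SIM and the carrier's authentication centre, so the files that carry Ki copies from the manufacturer to its carrier customers deserve the same protection as the SIMs themselves. The real GSM algorithms differ from the stand-ins here, but the dependency on Ki secrecy is the same.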

So remember how we were all promised that nobody was reading the e-mails of people who weren't suspected of terrorism? A lie. Not that anybody believed them anyway. The agencies used the e-mails of Gemalto employees to try to find information that would help them decide whom to target to get into Gemalto's network and reach information about the encryption keys:

In effect, GCHQ clandestinely cyberstalked Gemalto employees, scouring their emails in an effort to find people who may have had access to the company's core networks and Ki-generating systems. The intelligence agency's goal was to find information that would aid in breaching Gemalto's systems, making it possible to steal large quantities of encryption keys. The agency hoped to intercept the files containing the keys as they were transmitted between Gemalto and its wireless network provider customers.

The GCHQ documents only contain statistics for three months of encryption key theft in 2010. During this period, millions of keys were harvested. The documents stated explicitly that GCHQ had already created a constantly evolving automated process for bulk harvesting of keys. They describe active operations targeting Gemalto's personalization centers across the globe, as well as other major SIM card manufacturers and the private communications of their employees.

The NSA didn't respond to the story and the GCHQ apparently gave its boilerplate version of "We can't comment on the specific things we do but let us assure you it's all totally legal." Some political leaders in Holland are not happy with the news that a major business within their borders was targeted for hacking from countries they see as allies:

It is unlikely that GCHQ's pronouncement about the legality of its operations will be universally embraced in Europe. "It is governments massively engaging in illegal activities," says Sophie in't Veld, a Dutch member of the European Parliament. "If you are not a government and you are a student doing this, you will end up in jail for 30 years." Veld, who chaired the European Parliament's recent inquiry into mass surveillance exposed by Snowden, told The Intercept: "The secret services are just behaving like cowboys. Governments are behaving like cowboys and nobody is holding them to account."

Read the whole sordid story here. Among Gemalto's clients are all the major U.S. telecom providers and hundreds of others. And according to The Intercept, Gemalto had no idea they had been breached, and as of this report, which just went up this afternoon, they still don't know how it happened.