The National Security Agency and its British counterpart, the GCHQ, hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe.
The secret operation targeted the Dutch company Gemalto. Its clients include AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. It produces two billion SIM cards a year. According to The Intercept, the stolen encryption keys give intelligence agencies the ability to monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments.
Agents from the NSA and GCHQ formed the Mobile Handset Exploitation Team in 2010 to specifically target vulnerabilities in cellphones. The intelligence agencies obtained the encryption keys by hacking into the email and Facebook accounts of engineers and other employees of Gemalto and other major companies.
The British GCHQ has been engaged in an extremely aggressive effort to obtain these encryption keys. In essence, over the last probably five years or so, telecom companies, wireless carriers around the world have upgraded their networks and moved from older, less secure, second-generation phone technology to more secure, 3G and 4G technology.
And as the networks have moved to this newer technology, it’s become much more difficult for governments to spy on communications that take place outside of their own countries. So, for GCHQ, for NSA, for the Chinese and for the Russian governments to be able to spy on telephone calls everywhere in the world, they need these kinds of keys.
So there’s a special NSA outfit, an NSA-CIA outfit called the Special Collection Service, SCS. And so, they’re based out of embassies and consulates around the world, and they install these antennas on the roofs of embassies and other buildings. And with those antennas, they’re able to grab the data from phones as it’s sent over the air.
What they’ll do is they’ll set up these what are called ‘spy nests’ and grab as many telephone communications as they possibly can and save them. But these telephone communications, telephone calls, text messages and other information are encrypted.
And so they save the information, and then once they have the keys, either because they hack into a company like Gemalto or they bribe an engineer or blackmail an engineer, then they can decrypt the communications. And so, essentially, wiretapping then just becomes a mere task of installing an antenna somewhere and recording data.
Let’s compare the use of encryption keys on SIM cards to the way Social Security numbers are used today. Social Security numbers were designed in the 1930s for a pretty mundane and basic task, which was keeping track of one’s contributions to their retirement account, their government retirement account.
But today they’re used as a quasi-national identification number. We’re supposed to give our Social Security numbers to a huge number of organizations. It’s how we’re tracked. And the reason we have this system is because there was no formal national identity number. Everyone wants to have one, and so the Social Security number has sort of been forced into that role, but it’s a role that it was never designed or intended for.
By the same token, SIM cards were never really intended to provide strong confidentiality of communications. Instead, they were really intended to protect telephone numbers and telephone accounts from fraud.
In the ’80s and 1990s, there was a huge wave of fraud where people were doing what’s called cellphone cloning, and they were billing calls to other people’s accounts. Steve Jobs got started in computing by building these illegal cloning devices.
This was obviously a huge problem for the phone companies. They needed a solution. And SIM cards and the encryption keys within them were the solution that they came up with.
We should also understand that SIM cards probably cost 50 cents or a dollar in bulk. These are not extremely sophisticated, high-security devices. They are basic bits of technology that are designed for one job, which is helping prevent fraud.
But now we are depending on them for so much more. And if this story demonstrates one thing and one thing alone, it’s that SIM cards and the system of security that surrounds them just isn’t up to the job of protecting our communications.
In effect, virtually every U.S. embassy is basically a spying operation, possibly breaking laws in the very countries that they are—that they’re located in. And actually, that is that’s the norm for embassies around the world, not just the U.S. Intelligence agencies operate out of embassies, sometimes with cover. It’s not a big secret.
GCHQ and NSA believe that, essentially, anything is justified as long as it gets them to where they want to be. The engineers at Gemalto were not accused of breaking the law. Gemalto itself is not a criminal enterprise. But these governments want the keys that Gemalto has, and so they’re willing to do anything it takes to get that.
The previous comments are by Christopher Sochoian, a visiting fellow at Yale Law School’s Information Society Project, and are taken from an investigation he participated in. This article was compiled and edited for length.
Please Subscribe on our Home Page to receive updates as soon as they are published.
And please feel free to comment below, or visit our “Comments and Discussion” page and tell us what you think.
For data source please write the editor.