No Jitter is part of the Informa Tech Division of Informa PLC


Did NSA Hack Your SIM Card?

Late last week, The Intercept reported that National Security Agency (NSA) whistleblower Edward Snowden had provided them documents showing that American and British spy agencies had hacked into the computers of Gemalto, the world's largest supplier of SIM cards for mobile phones. According to the report, the attack was perpetrated by a joint unit from the NSA and its British counterpart the Government Communications Headquarters (GCHQ). The breach was detailed in a secret GCHQ document from 2010.

With the information that was reportedly stolen, the spy agencies could potentially monitor voice calls, texts and emails sent from mobile devices with Gemalto-manufactured SIM cards. Gemalto counts China Mobile, Vodafone and Verizon Wireless among its customers.

Every SIM card is manufactured with a unique code that is used to verify the legitimacy of the mobile device and to initialize the encryption engine. When Gemalto or other SIM card manufacturers ship the cards to a mobile operator, they also provide the keys to the mobile operator. When the card is delivered to a customer, the key is recorded in the carrier's home location register (HLR). When that user goes to place a call, the encrypted code is sent to the mobile switching center (MSC, i.e., the cellular "central office"), which in turn verifies it with the HLR. All over-the-air cellular transmissions are encrypted using that key, but because it has the key, the MSC can decrypt them.

If the spy agencies did swipe the card numbers and associated keys, it would be a relatively simple matter to intercept any cellular transmissions from devices with any of those cards and decrypt them in real time -- well, it wouldn't necessarily be "simple" for you or me, but it would certainly be simple for the spy agencies.
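The sketch below is an added example, not part of the original article. It models the key handling described above in slightly more detail than the article gives (a random challenge, a response, and a per-session cipher key derived from the SIM key) to show why a copy of the key is enough to read traffic. HMAC-SHA256 stands in for the operator's real algorithms, and every name and value (`IMSI`, `KI`, `HLR`, the function names) is a constructed assumption.

```python
import hmac
import hashlib

# Constructed sample data: a test subscriber identity and SIM key.
IMSI = "001010000000001"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
HLR = {IMSI: KI}  # the operator's copy of the key shipped by the manufacturer

def derive(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the SIM's auth/key-derivation step (HMAC is an assumption)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]  # (response to the challenge, session key)

def keystream_xor(kc: bytes, frame: int, data: bytes) -> bytes:
    """Toy stand-in for the air-interface cipher: XOR with a derived keystream."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        counter = frame.to_bytes(4, "big") + block.to_bytes(4, "big")
        stream += hmac.new(kc, counter, hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def network_accepts(hlr: dict, imsi: str, rand: bytes, sres: bytes) -> bool:
    """Network side: recompute the response from the HLR's copy of the key."""
    expected, _ = derive(hlr[imsi], rand)
    return hmac.compare_digest(expected, sres)

def run_session(ki_on_sim: bytes, rand: bytes, plaintext: bytes):
    """Handset side. Returns the auth result and what is visible over the air."""
    sres, kc = derive(ki_on_sim, rand)
    accepted = network_accepts(HLR, IMSI, rand, sres)
    return accepted, rand, sres, keystream_xor(kc, 1, plaintext)

def decrypt_with_key_copy(ki_copy: bytes, rand: bytes, ciphertext: bytes) -> bytes:
    """Anyone holding the SIM key re-derives the session key from the challenge."""
    _, kc = derive(ki_copy, rand)
    return keystream_xor(kc, 1, ciphertext)

if __name__ == "__main__":
    ok, rand, sres, ct = run_session(KI, b"\x01" * 16, b"hello over the air")
    print("accepted:", ok, "ciphertext:", ct.hex())
    print("with key copy:", decrypt_with_key_copy(KI, rand, ct))
    print("without key:  ", decrypt_with_key_copy(bytes(16), rand, ct))
```

The only secret in the exchange is the per-card key; the challenge and the ciphertext are both observable, which is why the confidentiality of the manufacturer's key records matters as much as the operator's HLR.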

The story is still very new, and few additional details have been released; the Wall Street Journal reported on it over the weekend. In a written statement Gemalto advised, "We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation ... We take this publication very seriously and will devote all our resources necessary to fully investigate and understand the scope of such sophisticated techniques."

Cellular security has been excellent since the days when Newt Gingrich's unencrypted 1G AMPS calls were intercepted, an interception that required little more than a police scanner with a minor modification. About the only breach of a cellular network that has been reported was in Greece in 2004 and 2005, when a number of high-ranking politicians had their cell phones tapped. That breach was effected through the MSC (specifically a hack of the MSC's "lawful intercept" capability) and not an over-the-air intrusion.

We will be watching for developments on this story as they emerge, but it certainly gives one pause to think of the potential that our spy agencies hacked into the computer systems of a commercial company in another country to steal secrets that would allow them to tap into over a quarter of the world's cell phones.

Follow Michael Finneran on Twitter and Google+!