The latest in a long line of whistle-blower Edward Snowden’s National Security Agency revelations may be among the most shocking: that the NSA and its British counterpart, GCHQ, allegedly compromised the networks of Gemalto, and pilfered the encryption keys protecting untold millions, potentially billions of SIM cards.
A compromise of SIM cards on this scale would call into question the integrity of entire global cellular communication system. This is not to say that your communications are being monitored, but that they could be at the click of a button.
If you are wondering who Gemalto is, they are a global manufacturer of mobile device SIM cards. In fact, they manufacturer more SIM cards than any other organization in the world, according to the Economist.
From Espresso: Cards on the table: the hacking of Gemalto http://t.co/6fCR9a3I3o pic.twitter.com/E6rzg507ov
— The Economist (@TheEconomist) February 25, 2015
The Intercept article in which these allegations first appeared estimates that Gemalto produces some 2 billion SIM cards every year. To put that in context, there are 7.125 billion humans in the world; an estimated 7.19 billion mobile devices. Gemalto’s clients reportedly include mobile service providers Sprint, AT&T, Verizon, T-Mobile and some 450 other outfits. The company does business in 85 countries and operates 40 manufacturing facilities.
SIM is an acronym for subscriber identification module. A SIM card is a little integrated circuit that plugs into your mobile device. It contains the unique international mobile subscriber identity (IMSI) along with an encrypted authentication key. Together, this key and that number essentially validate that your phone is in fact your phone. It’s like a login-password pair but entirely hardware based and therefore cannot be changed.
Having the master list of these keys would give an attacker the ability to monitor voice and data communications on any devices containing a SIM card whose encryption key is on the list. If these allegations are true, it means that the NSA and GCHQ have the capacity to monitor massive amounts of cellular and data communications around the world without a warrant or other judicial approval.
Allegations have emerged that the #NSA hacked @Gemlto, stealing crypto keys for millions of SIM cards
Tweet
You hear the non-technical media talk a lot of about the NSAs metadata-related activities, but its leaks like this one and revelations about compromised pseudorandom number generators that are really troubling. Metadata can tell you a lot about where a person has been, who they associate with and, in fact, who a person actually is. A massive attack on SIM cards or encryption protocols gives an attacker the ability to actually see — in plaintext — the contents of our correspondence with one another. While much can be inferred from location and device interaction information, there is no need to make inferences about plaintext communications. It’s all right there as it was said in real time. There is no analysis necessary.
In a secret document reportedly stolen by the former NSA contractor and made public by The Intercept, the NSA said: “[we] successfully implanted several [Gemalto] machines and believe we have their entire network…”
Information regarding a report mentioning a hacking of SIM card encryption keys http://t.co/huYdcV09Hy
— Thales Digital Identity & Security (@ThalesDigiSec) February 20, 2015
Privacy and cellular communications security aren’t the only concern here. There are substantial financial implications as well for two reasons. As American Civil Liberties Union staff technologist, Chris Soghoian, and Johns Hopkins cryptographer Matthew Green noted in The Intercept article, SIM cards weren’t designed to protect individual communications. They were designed to streamline the billing process and prevent users from defrauding their mobile service providers in the early days of cellular use. In parts of the developing world still largely reliant on the outdated and weak second generation cellular networks, many users rely on their SIM cards for money transfer and microfincancing services like the wildly popular M-Pesa.
This isn’t merely a financial problem for the developing world: Gemalto is a major manufacturer of the microchips in chip and PIN or EMV payment cards, the primary method of payment in Europe. Those cards could be potentially compromised as well. According to the Intercept, Gemalto’s chips are also used as building entry tokens, electronic passports, identification cards and as keys for certain luxury automobiles, like BMW and Audi, as well. If you have a chip and PIN card from Visa, Mastercard, American Express, JP Morgan Chase or Barclays, then there is a decent chance that the chip in your payment card was developed by Gemalto and that its cryptographic key may be compromised.
For its part, despite the allegations and purportedly secret documents, Gemalto is steadfastly denying that its secure networks were ever compromised.
“No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks,” the company said in a statement.
However, the company did acknowledge that there had been thwarted hacking attempts in the past for which it believed the NSA and GCHQ were responsible.
Gemalto presents the findings of its investigations into the alleged hacking of SIM card encryption keys http://t.co/AV0TmzVUmZ
— Thales Digital Identity & Security (@ThalesDigiSec) February 25, 2015
Another quietly troubling aspect of this and many of the Snowden revelations is that the document is dated 2010. In other words, this alleged SIM card scheme has not only been ongoing for five years but the technique is also five years old, a lifetime in computer years.
Beyond the personal risk compromised SIM card keys pose to our collective and individual privacy, if the Snowden documents are true, then this attack is an international relations nightmare. Remember two months ago when the more hawkish among us hemmed and hawed about how North Korea’s attack on Sony Pictures Entertainment constituted an act of war? Well, that attack, which was as likely perpetrated by North Korea as it was by anyone else, targeted a movie studio and spilled some movie scripts and emails. An attack on Gemalto potentially compromises the integrity of a global communication infrastructure increasingly reliant on mobile devices and the SIM cards living inside them.