The United States’ National Security Agency and British spy agency GCHQ have hacked into the internal computer network of Gemalto, the world’s largest maker of SIM cards, and stolen the cards’ encryption keys, The Intercept reported last week. Information about the government hack attacks came from files leaked by whistle-blower Edward Snowden.
Gemalto makes about 2 billion SIM cards a year, and sells them to 450 major wireless network carriers worldwide, including AT&T, Verizon and Sprint.
Gemalto said it was unaware of the hack and expressed concern.
“How Gemalto, a security company, could have been this vulnerable is very concerning,” commented Richard Blech, CEO of Secure Channels.
“Now that this has been exposed, we will have to ensure that new technology and solutions are created to encrypt SIM cards and that encryption keys are not only placed in a completely separate location, but that the keys themselves are protected with deep encryption,” Blech told TechNewsWorld.
The Impact of SIM Card Encryption Theft
Information obtained by hacking Gemalto “could not only be used to decrypt protected phone communication but … could also likely be used to deploy malicious Java applets to targeted SIM cards [through] special SMS messages or signals from fake cell towers, or Stingrays,” said Craig Young, senior security researcher at Tripwire.
The theft potentially opens up new techniques for sophisticated man-in-the-middle attacks against cellular data connections authenticated by the compromised SIM cards, Young told TechNewsWorld.
“Each time the NSA-level hackers do something amazing, it sets the stage for a wave of breaches at private organizations later,” remarked Jonathan Sander, strategy and research officer for Stealthbits Technologies. “Good tech always trickles down.”
Hey, Big Brother!
The theft raises the question of whether government agencies’ promises to exercise any increased surveillance powers in compliance with the law can be taken at face value.
In the U.S., the FBI is seeking extended surveillance powers through a proposed amendment to the Federal rules of criminal procedure that would allow for search and seizure on remote computers.
UK Prime Minister David Cameron has argued in the country’s Parliament for communications surveillance with a warrant, and GCHQ proclaims it acts in accordance with UK law.
However, the theft of the SIM card encryption data “is exactly what criminals do,” said Jim McGregor, principal analyst at Tirias Research.
“I generally support the efforts of our governments to identify and track potential threats, but this seems like a rather alarming way to accomplish this task,” he told TechNewsWorld.
“Spy agencies spy,” said Derek Bambauer, professor of law at the University of Arizona.
“The question is not whether spying should occur,” he told TechNewsWorld. It’s about the limits we put in place on it, whether those limits are followed, and the trade-offs in terms of privacy and security we will accept.”
Crime and Bad Karma
News of the Gemalto hack might further sour relations between the U.S. and its allies.
“It will be particularly interesting to see how foreign governments, such as Germany’s, respond to this revelation,” Center for Democracy & Technology Senior Counsel Gregory Nojeim told TechNewsWorld.
On the other hand, most governments probably are benefiting from the NSA’s and GCHQ’s spying, so “there will be PR-level condemnation and backroom applause,” suggested Stealthbits’ Sander.
Even if they are upset, they can’t do much, he said, because “the information technology infrastructure we all participate in is simply too vulnerable to be protected against well-funded people with intent to get information they aren’t supposed to have.”
No Faith, Hope or Charity
The loss of trust resulting from the Gemalto hack could impact businesses heavily.
The hack subverts the trust the mobile communications industry relies on in order to sell its products, said Ken Westin, senior security analyst at Tripwire.
That “raises a lot of challenges for business moving forward,” he told TechNewsWorld.
Phone manufacturers, carriers and app devs “will have to add more layers of security into their systems,” said Westin, “to help reestablish that trust for their customers.”