{"id":54242,"date":"2015-02-23T13:10:03","date_gmt":"2015-02-23T13:10:03","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=54242"},"modified":"2015-05-05T21:26:03","modified_gmt":"2015-05-05T20:26:03","slug":"the-great-sim-heist-how-spies-stole-the-keys-to-the-encryption-castle","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2015\/02\/the-great-sim-heist-how-spies-stole-the-keys-to-the-encryption-castle\/","title":{"rendered":"The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle"},"content":{"rendered":"<div id=\"attachment_54243\" style=\"width: 710px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/keys_v1-feature-hero-b-scahill-sim-encryption-heist.jpg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-54243\" class=\"wp-image-54243\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/keys_v1-feature-hero-b-scahill-sim-encryption-heist-1024x645.jpg\" alt=\"Shutterstock\" width=\"700\" height=\"441\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/keys_v1-feature-hero-b-scahill-sim-encryption-heist-1024x645.jpg 1024w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/keys_v1-feature-hero-b-scahill-sim-encryption-heist-300x189.jpg 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/keys_v1-feature-hero-b-scahill-sim-encryption-heist.jpg 1200w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><p id=\"caption-attachment-54243\" class=\"wp-caption-text\">Shutterstock<\/p><\/div>\n<p><em>19 Feb 2015<\/em> &#8211; American and British spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to <em>The Intercept<\/em> by National Security Agency 
whistleblower Edward Snowden.<\/p>\n<p>The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/cne-access-core-mobile-networks-2\/\" >document<\/a>, gave the surveillance agencies the potential to secretly monitor a large portion of the world\u2019s cellular communications, including both voice and data.<\/p>\n<p>The company targeted by the intelligence agencies, <a target=\"_blank\" href=\"http:\/\/www.gemalto.com\/\" >Gemalto<\/a>, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&amp;T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.<\/p>\n<p>In all, Gemalto produces some 2 billion SIM cards a year. Its motto is \u201cSecurity to be Free.\u201d<\/p>\n<p>With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider\u2019s network that the communications were intercepted. 
Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.<\/p>\n<p>As part of the covert operations against Gemalto, spies from GCHQ \u2014 with support from the NSA \u2014 mined the private communications of unwitting engineers and other company employees in multiple countries.<\/p>\n<p>Gemalto was totally oblivious to the penetration of its systems \u2014 and the spying on its employees. \u201cI\u2019m disturbed, quite concerned that this has happened,\u201d Paul Beverly, a Gemalto executive vice president, told <em>The Intercept<\/em>. \u201cThe most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn\u2019t happen again, and also to make sure that there\u2019s no impact on the telecom operators that we have served in a very trusted manner for many years. What I want to understand is what sort of ramifications it has, or could have, on any of our customers.\u201d He added that \u201cthe most important thing for us now is to understand the degree\u201d of the breach.<\/p>\n<p>Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment. \u201cOnce you have the keys, decrypting traffic is trivial,\u201d says Christopher Soghoian, the principal technologist for the American Civil Liberties Union. \u201cThe news of this key theft will send a shock wave through the security community.\u201d<\/p>\n<p>Beverly said that after being contacted by <em>The Intercept<\/em>, Gemalto\u2019s internal security team began on Wednesday to investigate how their system was penetrated and could find no trace of the hacks. 
When asked if the NSA or GCHQ had ever requested access to Gemalto-manufactured encryption keys, Beverly said, \u201cI am totally unaware. To the best of my knowledge, no.\u201d<\/p>\n<p>According to one secret GCHQ <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/cne-access-core-mobile-networks-2\/\" >slide<\/a>, the British intelligence agency penetrated Gemalto\u2019s internal networks, planting malware on several computers, giving GCHQ secret access. We \u201cbelieve we have their entire network,\u201d the slide\u2019s author boasted about the operation against Gemalto.<\/p>\n<p>Additionally, the spy agency targeted unnamed cellular companies\u2019 core networks, giving it access to \u201csales staff machines for customer information and network engineers machines for network maps.\u201d GCHQ also claimed the ability to manipulate the billing servers of cell companies to \u201csuppress\u201d charges in an effort to conceal the spy agency\u2019s secret actions against an individual\u2019s phone. Most significantly, GCHQ also penetrated \u201cauthentication servers,\u201d allowing it to decrypt data and voice communications between a targeted individual\u2019s phone and his or her\u00a0telecom provider\u2019s network. A note accompanying the slide asserted that the spy agency was \u201cvery happy with the data so far and [was] working through the vast quantity of product.\u201d<\/p>\n<p>The Mobile Handset Exploitation Team (MHET), whose existence has never before been disclosed, was formed in April 2010 to target vulnerabilities in cellphones. One of its main missions was to covertly penetrate computer networks of corporations that manufacture SIM cards, as well as those of wireless network providers. The team included operatives from both GCHQ and the NSA.<\/p>\n<p>While the FBI and other U.S. 
agencies can obtain court orders compelling U.S.-based telecom companies to allow them to wiretap or intercept the communications of their customers, on the international front this type of data collection is much more challenging. Unless a foreign telecom or foreign government grants access to their citizens\u2019 data to a U.S. intelligence agency, the NSA or CIA would have to hack into the network or specifically target the user\u2019s device for a more risky \u201cactive\u201d form of surveillance that could be detected by sophisticated targets. Moreover, foreign intelligence agencies would not allow U.S. or U.K. spy agencies access to the mobile communications of their heads of state or other government officials.<\/p>\n<p>\u201cIt\u2019s unbelievable. Unbelievable,\u201d said Gerard Schouw, a member of the Dutch Parliament, when told of the spy agencies\u2019 actions. Schouw, the intelligence spokesperson for D66, the largest opposition party in the Netherlands, told <em>The Intercept<\/em>, \u201cWe don\u2019t want to have the secret services from other countries doing things like this.\u201d Schouw added that he and other lawmakers will ask the Dutch government to provide an official explanation and to clarify whether the country\u2019s intelligence services were aware of the targeting of Gemalto, whose official headquarters is in Amsterdam.<\/p>\n<p>Last November, the Dutch government <a target=\"_blank\" href=\"http:\/\/www.government.nl\/ministries\/bzk\/news\/2014\/07\/16\/constitution-to-extend-protection-to-e-mails.html\" >proposed<\/a> an amendment to its constitution to include explicit protection for the privacy of digital communications, including those made on mobile devices. \u201cWe have, in the Netherlands, a law on the [activities] of secret services. And hacking is not allowed,\u201d Schouw\u00a0said. Under Dutch law, the interior minister would have to sign off on such operations by foreign governments\u2019 intelligence agencies. 
\u201cI don\u2019t believe that he has given his permission for these kind of actions.\u201d<\/p>\n<p>The U.S. and British intelligence agencies pulled off the encryption key heist in great stealth, giving them the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted. \u201cGaining access to a database of keys is pretty much game over for cellular encryption,\u201d says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is \u201cbad news for phone security. Really bad news.\u201d<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/att_sim-cards-heist-surveillance-usa-nsa-gchq.jpg\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-54244\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/att_sim-cards-heist-surveillance-usa-nsa-gchq-1024x551.jpg\" alt=\"att_sim cards heist surveillance usa nsa gchq\" width=\"700\" height=\"377\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/att_sim-cards-heist-surveillance-usa-nsa-gchq-1024x551.jpg 1024w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/att_sim-cards-heist-surveillance-usa-nsa-gchq-300x161.jpg 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/att_sim-cards-heist-surveillance-usa-nsa-gchq.jpg 1500w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<p><strong>AS CONSUMERS BEGAN<\/strong>\u00a0to adopt cellular phones en masse in the mid-1990s, there were no effective privacy protections in place. Anyone could buy a cheap device from RadioShack capable of intercepting calls placed on mobile phones. 
The shift from analog to digital networks introduced basic encryption technology, though it was still crackable by tech savvy computer science graduate students, as well as the FBI and other law enforcement agencies, using readily available equipment.<\/p>\n<p>Today, second-generation (2G) phone technology, which relies on a deeply flawed encryption system, remains the dominant platform globally, though U.S. and European cellphone companies now use 3G, 4G and LTE technology in urban areas. These include more secure, though not invincible, methods of encryption, and wireless carriers throughout the world are upgrading their networks to use these newer technologies.<\/p>\n<p>It is in the context of such growing technical challenges to data collection that intelligence agencies, such as the NSA, have become interested in acquiring cellular encryption keys. \u201cWith old-fashioned [2G], there are other ways to work around cellphone security without those keys,\u201d says Green, the Johns Hopkins cryptographer. \u201cWith newer 3G, 4G and LTE protocols, however, the algorithms aren\u2019t as vulnerable, so getting those keys would be essential.\u201d<\/p>\n<p>The privacy of all mobile communications \u2014 voice calls, text messages and Internet access \u2014 depends on an encrypted connection between the cellphone and the wireless carrier\u2019s network, using keys stored on the SIM, a tiny chip smaller than a postage stamp, which is inserted into the phone. All mobile communications on the phone depend on the SIM, which stores and guards the encryption keys created by companies like Gemalto. SIM cards can be used to store contacts, text messages, and other important data, like one\u2019s phone number. In some countries, SIM cards are used to transfer money. 
As <em>The Intercept<\/em> <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2014\/02\/10\/the-nsas-secret-role\/\" >reported<\/a> last year, having the wrong SIM card can make you the target of a drone strike.<\/p>\n<p>SIM cards were not invented to protect individual communications \u2014 they were designed to do something much simpler: ensure proper billing and prevent fraud, which was pervasive in the early days of cellphones. Soghoian compares the use of encryption keys on SIM cards to the way Social Security numbers are used today. \u201cSocial security numbers were designed in the 1930s to track your contributions to your government pension,\u201d he says. \u201cToday they are used as a quasi national identity number, which was never their intended purpose.\u201d<\/p>\n<p>Because the SIM card wasn\u2019t created with call confidentiality in mind, the manufacturers and wireless carriers don\u2019t make a great effort to secure their supply chain. As a result, the SIM card is an extremely vulnerable component of a mobile phone. \u201cI doubt anyone is treating those things very carefully,\u201d says Green. \u201cCell companies probably don\u2019t treat them as essential security tokens. They probably just care that nobody is defrauding their networks.\u201d The ACLU\u2019s Soghoian adds, \u201cThese keys are so valuable that it makes sense for intel agencies to go after them.\u201d<\/p>\n<p>As a general rule, phone companies do not manufacture SIM cards, nor program them with secret encryption keys. It is cheaper and more efficient for them to outsource this sensitive step in the SIM card production process. They purchase them in bulk with the keys pre-loaded by other corporations. Gemalto is the largest of these SIM \u201cpersonalization\u201d companies.<\/p>\n<p>After a SIM card is manufactured, the encryption key, known as a \u201cKi,\u201d is burned directly onto the chip. 
A copy of the key is also given to the cellular provider, allowing its network to recognize an individual\u2019s phone. In order for the phone to be able to connect to the wireless carrier\u2019s network, the phone \u2014 with the help of the SIM \u2014 authenticates itself using the Ki that has been programmed onto the SIM. The phone conducts a secret \u201chandshake\u201d that validates that the Ki on the SIM matches the Ki held by the mobile company. Once that happens, the communications between the phone and the network are encrypted. Even if GCHQ or the NSA were to intercept the phone signals as they are transmitted through the air, the intercepted data would be a garbled mess. Decrypting it can be challenging and time-consuming. Stealing the keys, on the other hand, is beautifully simple, from the intelligence agencies\u2019 point of view, as the pipeline for producing and distributing SIM cards was never designed to thwart mass surveillance efforts.<\/p>\n<p>One of the creators of the encryption protocol that is widely used today for securing emails, Adi Shamir, famously asserted: \u201cCryptography is typically bypassed, not penetrated.\u201d In other words, it is much easier (and sneakier) to open a locked door when you have the key than it is to break down the door using brute force. While the NSA and GCHQ have substantial resources dedicated to breaking encryption, it is not the only way \u2014 and certainly not always the most efficient \u2014 to get at the data they want. \u201cNSA has more mathematicians on its payroll than any other entity in the U.S.,\u201d says the ACLU\u2019s Soghoian. \u201cBut the NSA\u2019s hackers are way busier than its mathematicians.\u201d<\/p>\n<p>GCHQ and the NSA could have taken any number of routes to steal SIM encryption keys and other data. They could have physically broken into a manufacturing plant. They could have broken into a wireless carrier\u2019s office. 
They could have bribed, blackmailed or coerced an employee of the manufacturer or cellphone provider. But all of that comes with substantial risk of exposure. In the case of Gemalto, hackers working for GCHQ remotely penetrated the company\u2019s computer network in order to steal the keys in bulk as they were en route to the wireless network providers.<\/p>\n<p>SIM card \u201cpersonalization\u201d companies like Gemalto ship hundreds of thousands of SIM cards at a time to mobile phone operators across the world. International shipping records obtained by <em>The Intercept<\/em> show that in 2011, Gemalto shipped 450,000 smart cards from its plant in Mexico to Germany\u2019s Deutsche Telekom in just one shipment.<\/p>\n<p>In order for the cards to work and for the phones\u2019 communications to be secure, Gemalto also needs to provide the mobile company with a file containing the encryption keys for each of the new SIM cards. These master key files could be shipped via FedEx, DHL, UPS or another snail mail provider. More commonly, they could be sent via email or through File Transfer Protocol, FTP, a method of sending files over the Internet.<\/p>\n<p>The moment the master key set is generated by Gemalto or another personalization company, but before it is sent to the wireless carrier, is the most vulnerable moment for interception. \u201cThe value of getting them at the point of manufacture is you can presumably get a lot of keys in one go, since SIM chips get made in big batches,\u201d says Green, the cryptographer. 
\u201cSIM cards get made for lots of different carriers in one facility.\u201d In Gemalto\u2019s case, GCHQ hit the jackpot, as the company manufactures SIMs for hundreds of wireless network providers, including all of the leading U.S. \u2014 and many of the largest European \u2014 companies.<\/p>\n<p>But obtaining the encryption keys while Gemalto still held them required finding a way into the company\u2019s internal systems.<\/p>\n<div id=\"attachment_54245\" style=\"width: 550px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/key-slide-540x351-sim-cards-heist-usa-nsa-gchq-surveillance.png\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-54245\" class=\"size-full wp-image-54245\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/key-slide-540x351-sim-cards-heist-usa-nsa-gchq-surveillance.png\" alt=\"Diagram from a top-secret GCHQ slide.\" width=\"540\" height=\"351\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/key-slide-540x351-sim-cards-heist-usa-nsa-gchq-surveillance.png 540w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/key-slide-540x351-sim-cards-heist-usa-nsa-gchq-surveillance-300x195.png 300w\" sizes=\"auto, (max-width: 540px) 100vw, 540px\" \/><\/a><p id=\"caption-attachment-54245\" class=\"wp-caption-text\">Diagram from a top-secret GCHQ slide.<\/p><\/div>\n<p><strong>TOP-SECRET GCHQ<\/strong> documents reveal that the intelligence agencies accessed the email and Facebook accounts of engineers and other employees of major telecom corporations and SIM card manufacturers in an effort to secretly obtain information that could give them access to millions of encryption keys. 
They did this by utilizing the NSA\u2019s X-KEYSCORE program, which allowed them access to private emails hosted by the SIM card and mobile companies\u2019 servers, as well as those of major tech corporations, including Yahoo and Google.<\/p>\n<p>In effect, GCHQ clandestinely <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/dapino-gamma-gemalto-yuaawaa-wiki\/\" >cyberstalked<\/a> Gemalto employees, scouring their emails in an effort to find people who may have had access to the company\u2019s core networks and Ki-generating systems. The intelligence agency\u2019s goal was to find information that would aid in breaching Gemalto\u2019s systems, making it possible to steal large quantities of encryption keys. The agency hoped to intercept the files containing the keys as they were transmitted between Gemalto and its wireless network provider customers.<\/p>\n<p>GCHQ operatives identified key individuals and their positions within Gemalto and then dug into their emails. In one instance, GCHQ zeroed in on a Gemalto employee in Thailand who they\u00a0observed sending PGP-encrypted files, noting that if GCHQ wanted to expand its Gemalto operations, \u201che would certainly be a good place to start.\u201d They did not claim to have decrypted the employee\u2019s communications, but noted that the use of PGP could mean the contents were potentially valuable.<\/p>\n<p>The cyberstalking was not limited to Gemalto. GCHQ operatives wrote a script that allowed the agency to mine the private communications of employees of major telecommunications and SIM \u201cpersonalization\u201d companies for technical terms used in the assigning of secret keys to mobile phone customers. 
Employees for the SIM card manufacturers and wireless network providers were labeled as \u201cknown individuals and operators targeted\u201d in a top-secret GCHQ document.<\/p>\n<p>According to that April 2010 <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/pcs-harvesting-scale\/\" >document<\/a>, \u201cPCS Harvesting at Scale,\u201d hackers working for GCHQ focused on \u201charvesting\u201d massive amounts of individual encryption keys \u201cin transit between mobile network operators and SIM card personalisation centres\u201d like Gemalto. The spies \u201cdeveloped a methodology for intercepting these keys as they are transferred between various network operators and SIM card providers.\u201d By that time, GCHQ had developed \u201can automated technique with the aim of increasing the volume of keys that can be harvested.\u201d<\/p>\n<p>The PCS Harvesting document acknowledged that, in searching for information on encryption keys, GCHQ operatives would undoubtedly vacuum up \u201ca large number of unrelated items\u201d from the private communications of targeted employees. \u201c[H]owever an analyst with good knowledge of the operators involved can perform this trawl regularly and spot the transfer of large batches of [keys].\u201d<\/p>\n<p>The document noted that many SIM card manufacturers transferred the encryption keys to wireless network providers \u201cby email or FTP with simple encryption methods that can be broken \u2026 or occasionally with no encryption at all.\u201d To get bulk access to encryption keys, all the NSA or GCHQ needed to do was intercept emails or file transfers as they were sent over the Internet \u2014 something both agencies already do millions of times per day. 
A footnote in the 2010 document observed that the use of \u201cstrong encryption products \u2026 is becoming increasingly common\u201d in transferring the keys.<\/p>\n<p>In its key harvesting \u201ctrial\u201d operations in the first quarter of 2010, GCHQ successfully <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/imsis-identified-ki-data-network-providers-jan10-mar10-trial\/\" >intercepted<\/a> keys used by wireless network providers in Iran, Afghanistan, Yemen, India, Serbia, Iceland and Tajikistan. But, the agency noted, its automated key harvesting system failed to produce results against Pakistani networks, denoted as \u201cpriority targets\u201d in the document, despite the fact that GCHQ had a store of Kis from two providers in the country, Mobilink and Telenor. \u201c[I]t is possible that these networks now use more secure methods to transfer Kis,\u201d the document concluded.<\/p>\n<p>From December 2009 through March 2010, a month before the Mobile Handset Exploitation Team was formed, GCHQ conducted a number of trials aimed at extracting encryption keys and other personalized data for individual phones. In one two-week period, they accessed the emails of 130 people associated with wireless network providers or SIM card manufacturing and personalization. This operation produced nearly 8,000 keys matched to specific phones in 10 countries. In another two-week period, by mining just six email addresses, they produced 85,000 keys. At one point in March 2010, GCHQ intercepted nearly 100,000 keys for mobile phone users in Somalia. By June, they\u2019d <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/ccne-successes-jan10-mar10-trial\/\" >compiled<\/a> 300,000. \u201cSomali providers are not on GCHQ\u2019s list of interest,\u201d the document noted. 
\u201c[H]owever, this was usefully shared with NSA.\u201d<\/p>\n<p>The GCHQ documents only contain statistics for three months of encryption key theft in 2010. During this period, millions of keys were harvested. The documents stated explicitly that GCHQ had already created a constantly evolving automated process for bulk harvesting of keys. They describe active operations targeting Gemalto\u2019s personalization centers across the globe, as well as other major SIM card manufacturers and the private communications of their employees.<\/p>\n<p>A top-secret NSA document asserted that, as of 2009, the U.S. spy agency already had the capacity to process between 12 and 22 million keys per second for later use against surveillance targets. In the future, the agency predicted, it would be capable of processing more than 50 million per second. The document did not state how many keys were actually processed, just that the NSA had the technology to perform such swift, bulk operations. It is impossible to know how many keys have been stolen by the NSA and GCHQ to date, but, even using conservative math, the numbers are likely staggering.<\/p>\n<p>GCHQ assigned \u201cscores\u201d to more than 150 individual email addresses based on how often the users mentioned certain technical terms, and then intensified the mining of those individuals\u2019 accounts based on priority. The highest-scoring email address was that of an employee of Chinese tech giant Huawei, which the U.S. has repeatedly accused of collaborating with Chinese intelligence. In all, GCHQ harvested the emails of employees of hardware companies that manufacture phones, such as Ericsson and Nokia; operators of mobile networks, such as MTN Irancell and Belgacom; SIM card providers, such as Bluefish and Gemalto; and employees of targeted companies who used email providers, such as Yahoo and Google. 
During the three-month trial, the largest number of email addresses harvested were those belonging to Huawei employees, followed by MTN Irancell. The third largest class of emails harvested in the trial were private Gmail accounts, presumably belonging to employees at targeted companies.<\/p>\n<p>The GCHQ program targeting Gemalto was called DAPINO GAMMA. In 2011, GCHQ launched operation HIGHLAND FLING to mine the email accounts of Gemalto employees in France and Poland. A top-secret document on the operation stated that one of the aims was \u201cgetting into French HQ\u201d of Gemalto \u201cto get in to core data repositories.\u201d France, home to one of Gemalto\u2019s global headquarters, is the nerve center of the company\u2019s worldwide operations. Another goal was to intercept private communications of employees in Poland that \u201ccould lead to penetration into one or more personalisation centers\u201d \u2014 the factories where the encryption keys are burned onto SIM cards.<\/p>\n<p>As part of these operations, GCHQ operatives acquired the usernames and passwords for Facebook accounts of Gemalto targets. An internal top-secret GCHQ wiki on the program from May 2011 indicated that GCHQ was in the process of \u201ctargeting\u201d more than a dozen Gemalto facilities across the globe, including in Germany, Mexico, Brazil, Canada, China, India, Italy, Russia, Sweden, Spain, Japan and Singapore.<\/p>\n<p>The document also stated that GCHQ was preparing similar key theft operations against one of Gemalto\u2019s competitors, Germany-based SIM card giant Giesecke and Devrient.<\/p>\n<p>On January 17, 2014, President Barack Obama gave a major address on the NSA spying scandal. 
\u201cThe bottom line is that people around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don\u2019t threaten our national security and that we take their privacy concerns into account in our policies and procedures,\u201d he said.<\/p>\n<p>The monitoring of the lawful communications of employees of major international corporations shows that such statements by Obama, other U.S. officials and British leaders \u2014 that they only intercept and monitor the communications of known or suspected criminals or terrorists \u2014 were untrue. \u201cThe NSA and GCHQ view the private communications of people who work for these companies as fair game,\u201d says the ACLU\u2019s Soghoian. \u201cThese people were specifically hunted and targeted by intelligence agencies, not because they did anything wrong, but because they could be used as a means to an end.\u201d<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/key-slide2-sim-card-heist-surveillance-usa-nsa-gchq.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-54246\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/key-slide2-sim-card-heist-surveillance-usa-nsa-gchq-1024x559.png\" alt=\"key-slide2 sim card heist surveillance usa nsa gchq\" width=\"700\" height=\"382\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/key-slide2-sim-card-heist-surveillance-usa-nsa-gchq-1024x559.png 1024w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/key-slide2-sim-card-heist-surveillance-usa-nsa-gchq-300x164.png 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/key-slide2-sim-card-heist-surveillance-usa-nsa-gchq.png 1054w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<p><strong>THERE ARE TWO<\/strong>\u00a0basic types of electronic or digital surveillance: passive and active. 
All intelligence agencies engage in extensive passive surveillance, which means they collect bulk data by intercepting communications sent over fiber-optic cables, radio waves or wireless devices.<\/p>\n<p>Intelligence agencies place high-power antennas, known as \u201cspy nests,\u201d on the top of their countries\u2019 embassies and consulates, which are capable of vacuuming up data sent to or from mobile phones in the surrounding area. The joint NSA\/CIA Special Collection Service is the lead entity that installs and mans these nests for the United States. An embassy situated near a parliament or government agency could easily intercept the phone calls and data transfers of the mobile phones used by foreign government officials. The U.S. embassy in Berlin, for instance, is located a stone\u2019s throw from the Bundestag. But if the wireless carriers are using stronger encryption, which is built into modern 3G, 4G and LTE networks, then intercepted calls and other data would be more difficult to crack, particularly in bulk. If the intelligence agency wants to actually listen to or read what is being transmitted, they would need to decrypt the encrypted data.<\/p>\n<p>Active surveillance is another option. This would require government agencies to \u201cjam\u201d a 3G or 4G network, forcing nearby phones onto 2G. Once forced down to the less secure 2G technology, the phone can be tricked into connecting to a fake cell tower operated by an intelligence agency. This method of surveillance, though effective, is risky, as it leaves a digital trace that counter-surveillance experts from foreign governments could detect.<\/p>\n<p>Stealing the Kis solves all of these problems. This way, intelligence agencies can safely engage in passive, bulk surveillance without having to decrypt data and without leaving any trace whatsoever.<\/p>\n<p>\u201cKey theft enables the bulk, low-risk surveillance of encrypted communications,\u201d the ACLU\u2019s Soghoian says. 
\u201cAgencies can collect all the communications and then look through them later. With the keys, they can decrypt whatever they want, whenever they want. It\u2019s like a time machine, enabling the surveillance of communications that occurred before someone was even a target.\u201d<\/p>\n<p>Neither the NSA nor GCHQ would comment specifically on the key theft operations. In the past, they have argued more broadly that breaking encryption is a necessary part of tracking terrorists and other criminals. \u201cIt is longstanding policy that we do not comment on intelligence matters,\u201d a GCHQ official stated in an email, adding that the agency\u2019s work is conducted within a \u201cstrict legal and policy framework\u201d that ensures its activities are \u201cauthorized, necessary and proportionate,\u201d with proper oversight, which is the standard response the agency has provided for previous stories published by <em>The Intercept<\/em>. The agency also said, \u201c[T]he UK\u2019s interception regime is entirely compatible with the European Convention on Human Rights.\u201d The NSA declined to offer any comment.<\/p>\n<p>It is unlikely that GCHQ\u2019s pronouncement about the legality of its operations will be universally embraced in Europe. \u201cIt is governments massively engaging in illegal activities,\u201d says Sophie in\u2019t Veld, a Dutch member of the European Parliament. \u201cIf you are not a government and you are a student doing this, you will end up in jail for 30 years.\u201d Veld, who chaired the European Parliament\u2019s recent inquiry into mass surveillance exposed by Snowden, told <em>The Intercept<\/em>: \u201cThe secret services are just behaving like cowboys. 
Governments are behaving like cowboys and nobody is holding them to account.\u201d<\/p>\n<p><em>The Intercept<\/em>\u2019s Laura Poitras has <a target=\"_blank\" href=\"http:\/\/www.nytimes.com\/2014\/02\/16\/us\/eavesdropping-ensnared-american-law-firm.html\" >previously reported<\/a> that in 2013 Australia\u2019s signals intelligence agency, a close partner of the NSA, stole some 1.8 million encryption keys from an Indonesian wireless carrier.<\/p>\n<p>A few years ago, the FBI <a target=\"_blank\" href=\"http:\/\/www.amazon.com\/Deep-State-Government-Secrecy-Industry\/dp\/1118146689\" >reportedly<\/a> dismantled several transmitters set up by foreign intelligence agencies around the Washington, D.C. area, which could be used to intercept cellphone communications. Russia, China, Israel and other nations use technology similar to the NSA\u2019s across the world. If those governments had the encryption keys for major U.S. cellphone companies\u2019 customers, such as those manufactured by Gemalto, mass snooping would be simple. \u201cIt would mean that with a few antennas placed around Washington, D.C., the Chinese or Russian governments could sweep up and decrypt the communications of members of Congress, U.S. agency heads, reporters, lobbyists and everyone else involved in the policymaking process and decrypt their telephone conversations,\u201d says Soghoian.<\/p>\n<p>\u201cPut a device in front of the U.N., record every bit you see going over the air. Steal some keys, you have all those conversations,\u201d says Green, the Johns Hopkins cryptographer. And it\u2019s not just spy agencies that would benefit from stealing encryption keys. 
\u201cI can only imagine how much money you could make if you had access to the calls made around Wall Street,\u201d he adds.<\/p>\n<div id=\"attachment_54247\" style=\"width: 550px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/gemalto-slide-540x404-sim-card-heist-usa-nsa-gchq-surveillance.png\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-54247\" class=\"size-full wp-image-54247\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/gemalto-slide-540x404-sim-card-heist-usa-nsa-gchq-surveillance.png\" alt=\"GCHQ slide.\" width=\"540\" height=\"404\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/gemalto-slide-540x404-sim-card-heist-usa-nsa-gchq-surveillance.png 540w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/gemalto-slide-540x404-sim-card-heist-usa-nsa-gchq-surveillance-300x224.png 300w\" sizes=\"auto, (max-width: 540px) 100vw, 540px\" \/><\/a><p id=\"caption-attachment-54247\" class=\"wp-caption-text\">GCHQ slide.<\/p><\/div>\n<p><strong>THE BREACH OF<\/strong>\u00a0Gemalto\u2019s computer network by GCHQ has far-reaching global implications. The company, which brought in $2.7 billion in revenue in 2013, is a global leader in digital security, producing banking cards, mobile payment systems, two-factor authentication devices used for online security, hardware tokens used for securing buildings and offices, electronic passports and identification cards. It provides chips to Vodafone in Europe and France\u2019s Orange, as well as EE, a joint venture in the U.K. between France Telecom and Deutsche Telekom. Royal KPN, the largest Dutch wireless network provider, also uses Gemalto technology.<\/p>\n<p>In Asia, Gemalto\u2019s chips are used by China Unicom, Japan\u2019s NTT and Taiwan\u2019s Chunghwa Telecom, as well as scores of wireless network providers throughout Africa and the Middle East. 
The company\u2019s security technology is used by more than 3,000 financial institutions and 80 government organizations. Among its clients are Visa, Mastercard, American Express, JP Morgan Chase and Barclays. It also provides chips for use in luxury cars, including those made by Audi and BMW.<\/p>\n<p>In 2012, Gemalto won a sizable contract, worth $175 million, from the U.S. government to produce the covers for electronic U.S. passports, which contain chips and antennas that can be used to better authenticate travelers. As part of its contract, Gemalto provides the personalization and software for the microchips implanted in the passports. The U.S. represents Gemalto\u2019s single largest market, accounting for some 15 percent of its total business. This raises the question of whether GCHQ, which was able to bypass encryption on mobile networks, has the ability to access private data protected by other Gemalto products created for banks and governments.<\/p>\n<p>As smart phones become smarter, they are increasingly replacing credit cards and cash as a means of paying for goods and services. When Verizon, AT&amp;T and T-Mobile formed an alliance in 2010 to jointly build an electronic pay system to challenge Google Wallet and Apple Pay, they purchased Gemalto\u2019s technology for their program, known as Softcard. (Until July 2014, it previously went by the unfortunate name of \u201cISIS Mobile Wallet.\u201d) Whether data relating to that, and other Gemalto security products, has been compromised by GCHQ and the NSA is unclear. 
Both intelligence agencies declined to answer any specific questions for this story.<\/p>\n<div id=\"attachment_54248\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/signal-sim-card-heist-surveillance-usa-nsa-gchq.jpg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-54248\" class=\"size-full wp-image-54248\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/signal-sim-card-heist-surveillance-usa-nsa-gchq.jpg\" alt=\"Signal, iMessage, WhatsApp, Silent Phone.\" width=\"640\" height=\"400\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/signal-sim-card-heist-surveillance-usa-nsa-gchq.jpg 640w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/signal-sim-card-heist-surveillance-usa-nsa-gchq-300x188.jpg 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><p id=\"caption-attachment-54248\" class=\"wp-caption-text\">Signal, iMessage, WhatsApp, Silent Phone.<\/p><\/div>\n<p><strong>PRIVACY ADVOCATES<\/strong>\u00a0and security experts say it would take billions of dollars, significant political pressure, and several years to fix the fundamental security flaws in the current mobile phone system that NSA, GCHQ and other intelligence agencies regularly exploit.<\/p>\n<p>A current gaping hole in the protection of mobile communications is that cellphones and wireless network providers do not support the use of Perfect Forward Secrecy (PFS), a form of encryption designed to limit the damage caused by theft or disclosure of encryption keys. PFS, which is now built into modern web browsers and used by sites like Google and Twitter, works by generating unique encryption keys for each communication or message, which are then discarded. 
Rather than using the same encryption key to protect years\u2019 worth of data, as the permanent Kis on SIM cards can, a new key might be generated each minute, hour or day, and then promptly destroyed. Because cellphone communications do not utilize PFS, if an intelligence agency has been \u201cpassively\u201d intercepting someone\u2019s communications for a year and later acquires the permanent encryption key, it can go back and decrypt all of those communications. If mobile phone networks were using PFS, that would not be possible \u2014 even if the permanent keys were later stolen.<\/p>\n<p>The only effective way for individuals to protect themselves from Ki theft-enabled surveillance is to use secure communications software, rather than relying on SIM card-based security. Secure software includes email and other apps that use Transport Layer Security (TLS), the mechanism underlying the secure HTTPS web protocol. The email clients included with Android phones and iPhones support TLS, as do large email providers like Yahoo and Google.<\/p>\n<p>Apps like TextSecure and Silent Text are secure alternatives to SMS messages, while Signal, RedPhone and Silent Phone encrypt voice calls. 
Governments still may be able to intercept communications, but reading or listening to them would require hacking a specific handset, obtaining internal data from an email provider, or installing a bug in a room to record the conversations.<\/p>\n<p>\u201cWe need to stop assuming that the phone companies will provide us with a secure method of making calls or exchanging text messages,\u201d says Soghoian.<\/p>\n<p><em>Documents published with this article:<\/em><\/p>\n<ul>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/cne-access-core-mobile-networks-2\/\" >CNE Access to Core Mobile Networks<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/keys\/\" >Where Are These Keys?<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/ccne-successes-jan10-mar10-trial\/\" >CCNE Successes Jan10-Mar10 Trial<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/dapino-gamma-cne-presence-wiki\/\" >DAPINO GAMMA CNE Presence Wiki<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/dapino-gamma-gemalto-yuaawaa-wiki\/\" >DAPINO GAMMA Gemalto Yuaawaa Wiki<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/dapino-gamma-target-personalisation-centres-gemalto-wiki\/\" >DAPINO GAMMA Target Personalisation Centres Gemalto Wiki<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/imsis-identified-ki-data-network-providers-jan10-mar10-trial\/\" >IMSIs Identified with Ki Data for Network Providers Jan10-Mar10 Trial<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/ccne-stats-summaries-jan10-mar10-trial\/\" >CCNE Stats Summaries Jan10-Mar10 Trial<\/a><\/li>\n<li><a 
target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/ccne-email-harvesting-jan10-mar10-trial\/\" >CCNE Email Harvesting Jan10-Mar10 Trial<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/ccne-email-addresses-jan10-mar10-trial\/\" >CCNE Email Addresses Jan10-Mar10 Trial<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/19\/pcs-harvesting-scale\/\" >PCS Harvesting at Scale<\/a><\/li>\n<\/ul>\n<p>_________________________________<\/p>\n<p><em>Additional reporting by Andrew Fishman and Ryan Gallagher. Sheelagh McNeill, Morgan Marquis-Boire, Alleen Brown, Margot Williams, Ryan Devereaux and Andrea Jones contributed to this story. Erin O\u2019Rourke provided additional assistance.<\/em><\/p>\n<p><em>Email the authors: <a href=\"mailto:jeremy.scahill@theintercept.com\">jeremy.scahill@theintercept.com<\/a>, <a href=\"mailto:josh.begley@theintercept.com\">josh.begley@theintercept.com<\/a><\/em><\/p>\n<p><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2015\/02\/19\/great-sim-heist\/\" >Go to Original \u2013 firstlook.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>19 Feb 2015 &#8211; American and British spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward 
Snowden.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-54242","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/54242","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=54242"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/54242\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=54242"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=54242"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=54242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}