Multinational SIM card manufacturer Gemalto hacked by NSA and GCHQ

SIM cards have fixed keys that should be (or usually are) confidential and only known by the vendor or network operator.

By hacking into the internal computer network of Gemalto, the largest manufacturer of SIM cards in the world, American and British security agencies got their hands on those encryption keys, thus undermining the privacy of cellphone communications across the globe.

Although GCHQ and the NSA reportedly got past the security of SIM card manufacturers back in 2010, this is still really bad news.

They now have instant and automated access to all sorts of mobile communications, location data and maybe even private data protected by other Gemalto products created for banks and governments, all while leaving no trace. Even old communications that were intercepted but not decrypted in the past can now easily be decrypted.

“We don’t want to have the secret services from other countries doing things like this.”

(says Gerard Schouw, member of the Dutch Parliament)

It seems that neither American nor British spy agencies care about constitutions that include explicit protection for the privacy of digital communications, as this recent development makes the whole process of seeking approval from telecom companies and foreign governments obsolete.

Documents provided by whistle-blower Snowden also disclose the existence of a special group called “The Mobile Handset Exploitation Team” that was formed back in 2010 to covertly penetrate the computer networks of SIM card manufacturers worldwide.

Gemalto seems to be the big score, since it not only provides chips to international telecom providers but also produces chips for banking cards, mobile payment systems, two-factor authentication devices, electronic passports and even hardware tokens used to secure buildings and offices. This might once again raise the subject of identity fraud in general. While passports are usually one of the most important identity documents in every country, mobile devices, and especially the routes we travel with one of them in our pocket, are even more personal.

“People were specifically hunted and targeted by intelligence agencies, not because they did anything wrong, but because they could be used as a means to an end.” says Christopher Soghoian, the principal technologist for the American Civil Liberties Union about the Gemalto heist.


How did this happen?

As it happens, SIM cards were not invented with total confidentiality of mobile communication in mind, but to ensure proper billing and prevent fraud. So it was just a matter of time before this vulnerability would be exploited.

The privacy of all your communication, such as voice calls, text messages and Internet access, depends solely on an encryption key, a so-called “Ki”, that is responsible for the encrypted connections between your device and the carrier’s network. Those “Ki”s are stored on a tiny chip on your SIM card alongside your phone number and other confidential data, used for example to transfer money and to protect the privacy of cellphone communications across the globe. Unfortunately, having the wrong SIM card can also make you an eligible target of a drone strike, as was reported last year.

How can I protect myself?

The only effective way for individuals to protect themselves from Ki theft-enabled surveillance is to use secure communications software rather than relying on SIM card-based security, concludes The Intercept in its detailed report about the Gemalto heist.

Choose apps that use secure communication protocols such as Transport Layer Security (TLS) to transfer data, and be sure to enable that option in your email client as well.

Is it the greatest privacy heist of all time? Tell us what you think!

UPDATE: Meanwhile, Gemalto has issued a press release about the incident titled “Information regarding a report mentioning a hacking of SIM card encryption keys”.

We wish you a nice (privacy-protected) day!