Slashdot Mirror


NSA, GCHQ Implicated In SIM Encryption Hack

First time accepted submitter BlacKSacrificE writes Australian carriers are bracing for a mass recall after it was revealed that the Dutch SIM card manufacturer Gemalto was penetrated by GCHQ and the NSA in an alleged theft of encryption keys, allowing unfettered access to voice and text communications. The incident is suspected to have happened in 2010 and 2011 and seems to be a result of social engineering against employees, and was revealed by yet another Snowden document. Telstra, Vodafone and Optus have all stated they are waiting for further information from Gemalto before deciding a course of action. Gemalto said in a press release that they "cannot at this early stage verify the findings of the publication" and are continuing internal investigations, but considering Gemalto provides around 2 billion SIM cards to some 450 carriers across the globe (all of which use the same GSM encryption standard), the impact and fallout for Gemalto, and the affected carriers, could be huge.

18 of 155 comments

  1. I think I speak for everyone when I say by Anonymous Coward · · Score: 1, Insightful

    jesus fucking christ.

  2. Fallout? by The+Rizz · · Score: 5, Insightful

    the impact and fallout for Gemalto, and the affected carriers, could be huge.

    Why is it that the fallout is centered on these companies, instead of on the NSA and GCHQ? Why are these criminal enterprises masquerading as government agencies so completely above the law?

    1. Re:Fallout? by Anonymous Coward · · Score: 5, Insightful

      It would be nice to know who will pay the damages, or whether the NSA and GCHQ can just destroy businesses as they please.

    2. Re:Fallout? by Anonymous Coward · · Score: 3, Insightful

      Sadly, I think we get to see option 2 play out.

    3. Re:Fallout? by gl4ss · · Score: 3, Insightful

      or create businesses without a public bidding process, selling dubious equipment to them, for which they provide the possibility to manufacture them..

      oh wait they can and will and have done exactly that.

      --
      world was created 5 seconds before this post as it is.

    4. Re:Fallout? by AmiMoJo · · Score: 3, Insightful

      Belgian telecoms companies have already started legal proceedings against GCHQ. I hope Gemalto do as well. Even if it comes to nothing it's still one of the best (only) options we have to try to control them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    5. Re:Fallout? by fuzzyfuzzyfungus · · Score: 3, Insightful

      Some mixture of pragmatism and the victim blaming, I imagine.

      Given that, operationally speaking, the NSA and GCHQ, and friends, are above the law (where it hasn't been modified to simply make what they do legal, because it's them doing it), your only real option is to start assessing providers of security-critical products and services according to the "Were a dangerously out-of-control clandestine entity to come knocking, would you be fucked or really fucked?" standard.

      It is obviously Bad that you need to ask that question; but, since you do, you at least want the answer to be reassuring. Given that, according to what we know so far, the production process for SIMs involved Gemalto burning (insecurely transmitted) Kis in, at the factory, it looks like the production process is dangerously weak against tampering. As with the RSA seed storage/hack fiasco, it looks like that is going to have to change, with the vital secrets either stored a lot more carefully, or, ideally, generated on-SIM and never leaving the SIM during its operational life, short of a direct silicon-level attack.
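As an added illustration of the point above (example code written here, not anything from Gemalto, the carriers or the GSM specifications), a simplified model of SIM authentication in which HMAC-SHA256 is an assumed stand-in for the operator's A3/A8 algorithms. It shows why the single long-term secret Ki, once a copy exists outside the card, is enough to recover every session key Kc from the challenges sent in the clear over the air, for the whole life of the card.

```python
import hashlib
import hmac
import os

# Added model (not Gemalto's or GSM's real code): HMAC-SHA256 stands in for the
# operator-specific A3/A8 functions that a real SIM and HLR/AuC run on Ki.
KI_LEN = 16      # Ki: 128-bit long-term secret shared by the SIM and the operator
SRES_LEN = 4     # 32-bit authentication response
KC_LEN = 8       # 64-bit session key used on the air interface


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Derive (SRES, Kc) from the long-term key Ki and the challenge RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:SRES_LEN], digest[SRES_LEN:SRES_LEN + KC_LEN]


class Sim:
    """Holds the Ki burned in at the factory; it never leaves the card in use."""
    def __init__(self, ki: bytes) -> None:
        self._ki = ki

    def respond(self, rand: bytes) -> tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)


class AuthCentre:
    """Operator side: the same Ki, delivered alongside the SIM batch."""
    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._keys[imsi] = ki

    def challenge(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        rand = os.urandom(16)                       # RAND goes over the air in clear
        sres, kc = a3_a8(self._keys[imsi], rand)
        return rand, sres, kc


def authenticate(auc: AuthCentre, imsi: str, sim: Sim) -> tuple[bool, bytes, bytes]:
    """One challenge/response; returns (accepted, RAND seen on air, Kc)."""
    rand, expected_sres, kc_net = auc.challenge(imsi)
    sres, kc_sim = sim.respond(rand)
    return sres == expected_sres and kc_sim == kc_net, rand, kc_net


def kc_from_leaked_ki(leaked_ki: bytes, observed_rand: bytes) -> bytes:
    """The blast radius of a leaked Ki: Kc follows from the public RAND alone,
    and since Ki never changes, this holds for every session the card ever has."""
    return a3_a8(leaked_ki, observed_rand)[1]
```

Because Kc depends only on Ki and the broadcast RAND, nothing the carrier does over the air can help once Ki has been copied; that is why the comment's remedy is keeping Ki generated and stored on-card rather than securing the shipment of a central key file.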

  3. Damages by Anonymous Coward · · Score: 5, Insightful

    So who does Gemalto sue when the bankrupting recall they are forced to do is the result of a government approved hack?

    1. Re:Damages by AmiMoJo · · Score: 4, Insightful

      How would they ever prove it? The stolen documents will be inadmissible. Everything will be protected as a state secret. Their customers won't care of course, but the courts will.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  4. Taxpayers by Anonymous Coward · · Score: 5, Insightful

    So, not only do we fund the hack, but now we need to fund the compensation for it.

    Wonderful job.

    1. Re:Taxpayers by transporter_ii · · Score: 5, Insightful

      They want to know what you are saying, and they are willing to spend every penny you have to find out. And then some.

      --
      Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality

  5. Blackphone by neilo_1701D · · Score: 1, Insightful

    And so everyone who moved to Blackphone for security purposes... who's to say the same thing can't / didn't happen?

  6. We're Number 1! We're Number 1! by Anonymous Coward · · Score: 5, Insightful

    Welcome to the USSA. Just like the old USSR, with better technology.

  7. Sanctions by Anonymous Coward · · Score: 5, Insightful

    The world should introduce trade-sanctions against the USA and the UK, until they stop attacking other countries, and fall in line.

    1. Re:Sanctions by jabuzz · · Score: 3, Insightful

      Except in the case of the U.K., trade sanctions from other E.U. member states are simply not permissible. I would also doubt the USA would introduce sanctions against the UK on this one, and E.U. sanctions against the USA would require approval from the UK, which I doubt they are going to give. That's 45% of the world's GDP locked in right there.

      Good luck on that plan.

  8. Even if the courts punish US/UK by EmagGeek · · Score: 4, Insightful

    The governments will simply say "come and take it, if you can."

  9. Re:even more interesting by ledow · · Score: 4, Insightful

    Gemalto do the majority of the smartcard market these days.

    I've used them for everything from business banking to access control.

    Is it not scary enough that they have been compromised to the point of making almost every SIM on the planet useless? By comparison a banking smartcard here or there is nothing.

    Ironically, every few months our bank will tell us that we have to replace the PIN-pads/smartcards/whatever for a newer model "to be secure". Nobody's yet answered why their software only works on IE (and older versions at that).

  10. pot, f#&* kettle by chilenexus · · Score: 3, Insightful

    How much are these agencies/countries now going to expect to be taken seriously when they find that China, Korea, Japan, Russia, or Lesotho have embedded some form of spyware in the electronics they sell us, and make an attempt to shame them for it or claim damages? They'll just roll along and do what they were doing before because they don't see any difference from how we treated them when we weren't at odds with them. The world has just been handed yet another example of how Brits and Americans can't be trusted, and actually deserve to be spied upon and stolen from. The fourth amendment shouldn't stop at our borders, since it is a limitation placed on government, not a perk that is only given to citizens. If you read it, it says "the rights of the people...." There's a similar concept in English Common Law: http://en.wikipedia.org/wiki/F...