NSA, GCHQ Implicated In SIM Encryption Hack
First time accepted submitter BlacKSacrificE writes Australian carriers are bracing for a mass recall after it was revealed that a Dutch SIM card manufacturer Gemalto was penetrated by the GCHQ and the NSA in an alleged theft of encryption keys, allowing unfettered access to voice and text communications. The incident is suspected to have happened in 2010 and 2011 and seems to be a result of social engineering against employees, and was revealed by yet another Snowden document. Telstra, Vodafone and Optus have all stated they are waiting for further information from Gemalto before deciding a course of action. Gemalto said in a press release that they "cannot at this early stage verify the findings of the publication" and are continuing internal investigations, but considering Gemalto provides around 2 billion SIM cards to some 450 carriers across the globe (all of which use the same GSM encryption standard) the impact and fallout for Gemalto, and the affected carriers, could be huge.
Certainly very true. Absolutely, NSA and GCHQ are at fault here.
However, these kinds of stories draw the attention of even the most idiotic of individuals. Those that only a few months ago were, without any consideration, spouting, "I don't care if the NSA sees everything I do or works to break into everything." must now stop and realize they were used and lied to, and that the work of these criminal organizations is directly damaging many companies. Various encryption or communication groups and companies have disappeared without any notice by the average person, but they will see the damage when it comes to their cell phones.
I believe the smartcards and USB readers our bank supplies us for authentication of online transactions are supplied by Gemalto.
Are they affected as well? I would expect so.
This is an act of industrial espionage and infrastructure sabotage committed by one EU member against another. The UK needs to be held financially responsible for the damage, and punitive sanctions should follow. The UK should also explain how it sees its own future in the EU in the light of these revelations.
Now they can also prove that you were there when they emptied out your bank account. This is probably why they are refusing to provide any information on stingrays; it goes way deeper than anyone thought.
DRM? No thanks, I'll just get it somewhere else...
It would be nice if the NSA was using this technology to spy on the real terrorists; and by that I mean the people who actually do want to hurt you and steal from you -- CEOs and Large Banks.
I mean, there has not been a SINGLE prosecution in the great financial disaster of 2008, yet, I'll bet there's plenty of cell phone conversations and text messages about breaking up bad mortgages into financial instruments of mass destruction, and reselling them as AAA+ rated securities.
Excuse me, but after 20 trillion dollars lost, and another 2 or so trillion given away to prop up a few banks who wanted to play along with the government (until such time that it became time to steal again); it seems to me that the NSA should be more concerned about these guys than a few rogue crazies who blow up the occasional civilian.
If telephones are outlawed, then only outlaws will have telephones.
No, there are other companies such as Giesecke & Devrient (IIRC the documents show they were also targeted but without success).
But there are only a small number of them, and each mobile operator generally will get all its SIMs from just one of them since it's not in their interests to order from them all (it's more complex to manage, potentially harder to debug with multiple types of SIM in use, and probably more expensive as signing an exclusive deal will I'm sure come with a discount).
Maybe so, but we are supposed to live in a society of laws, both here in the States and in Europe. The US government's general position is Americans are always subject to American laws, and nobody is supposed to be above the law. Kevin Mitnick did essentially the same thing: called up a manufacturer and social engineered them into giving him information. The FBI was certainly on his ass, the federal prosecutors certainly pushed for and obtained a conviction.
These guys though? Nobody will even look into it on the prosecutorial side because these guys had an NSA badge on why they did it.
The Computer Fraud and Abuse Act is found at 18 U.S.C. 1030. Subpart (f) reads as follows:
This section [i.e., the Computer Fraud and Abuse Act] does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
There is the law, notice the lawfully authorized part? They are not entitled to do anything you and I can't do UNLESS they have a search warrant or there is some other law on the books specifically authorizing the activity. I doubt even the FISA court would have rubber stamped this one.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Though would it not be amusing if the FBI actually went after them? The departments already have animosity towards each other, though probably not enough to overcome the 'stick togetherness' of law enforcement against everyone else.