Slashdot Mirror


NSA, GCHQ Implicated In SIM Encryption Hack

First time accepted submitter BlacKSacrificE writes: Australian carriers are bracing for a mass recall after it was revealed that a Dutch SIM card manufacturer Gemalto was penetrated by the GCHQ and the NSA in an alleged theft of encryption keys, allowing unfettered access to voice and text communications. The incident is suspected to have happened in 2010 and 2011 and seems to be a result of social engineering against employees, and was revealed by yet another Snowden document. Telstra, Vodafone and Optus have all stated they are waiting for further information from Gemalto before deciding a course of action. Gemalto said in a press release that they "cannot at this early stage verify the findings of the publication" and are continuing internal investigations, but considering Gemalto provides around 2 billion SIM cards to some 450 carriers across the globe (all of which use the same GSM encryption standard) the impact and fallout for Gemalto, and the affected carriers, could be huge.


  1. Fallout? by The+Rizz · · Score: 5, Insightful

    the impact and fallout for Gemalto, and the affected carriers, could be huge.

    Why is it that the fallout is centered on these companies, instead of on the NSA and GCHQ? Why are these criminal enterprises masquerading as government agencies so completely above the law?

    1. Re:Fallout? by Anonymous Coward · · Score: 5, Insightful

      It would be nice to know who will pay the damages or that NSA and GCHQ can just destroy businesses as they please.

    2. Re:Fallout? by Anonymous Coward · · Score: 3, Insightful

      Sadly I think we get to see option 2 play out.

    3. Re:Fallout? by Mordok-DestroyerOfWo · · Score: 2

      No shit! Given the resources of both agencies, it would be trivial for them to come into my workplace and abscond with our signing keys. Just like with lawyers and the business world, a bottomless well of money will typically get you whatever it is that you're looking for.

      --
      "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
    4. Re:Fallout? by Anonymous Coward · · Score: 5, Interesting

      Certainly very true. Absolutely, NSA and GCHQ are at fault here.

      However, these kinds of stories draw the attention of even the most idiotic of individuals. Those that only a few months ago were, without any consideration, spouting, "I don't care if the NSA sees everything I do or works to break into everything." must now stop and realize they were used and lied to, and that the work of these criminal organizations is directly damaging many companies. Various encryption or communication groups and companies have disappeared without any notice by the average person, but they will see the damage when it comes to their cell phones.

    5. Re:Fallout? by gl4ss · · Score: 3, Insightful

      or create businesses without public bidding process, selling dubious equipment to them, for which they provide the possibility to manufacture them..

      oh wait they can and will and have done exactly that.

      --
      world was created 5 seconds before this post as it is.
    6. Re:Fallout? by AmiMoJo · · Score: 3, Insightful

      Belgian telecoms companies have already started legal proceedings against GCHQ. I hope Gemalto do as well. Even if it comes to nothing it's still one of the best (only) options we have to try to control them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Fallout? by fuzzyfuzzyfungus · · Score: 3, Insightful

      Some mixture of pragmatism and the victim blaming, I imagine.

      Given that, operationally speaking, the NSA and GCHQ, and friends, are above the law (where it hasn't been modified to simply make what they do legal, because it's them doing it); your only real option is to start assessing providers of security-critical products and services according to the "Were a dangerously out-of-control clandestine entity to come knocking, would you be fucked or really fucked?" standard.

      It is obviously Bad that you need to ask that question; but, since you do, you at least want the answer to be reassuring. Given that, according to what we know so far, the production process for SIMs involved Gemalto burning (insecurely transmitted) Kis in, at the factory, it looks like the production process is dangerously weak against tampering. As with the RSA seed storage/hack fiasco, it looks like that is going to have to change, with the vital secrets either stored a lot more carefully, or, ideally, generated on-SIM and never leaving the SIM during its operational life, short of a direct silicon-level attack.

    8. Re:Fallout? by fustakrakich · · Score: 2

      Because 98% of those who vote give their consent. We knew what these people were doing since before the Church Commission, yet the voters continue to reelect the perpetrators. Don't blame the government for doing what it is told by the voting public.

      And please save your breath with the 'lack of choices' and 'lesser evil' bullshit. I ain't hearing it! We did this to ourselves. There is nobody else to blame.

      --
      “He’s not deformed, he’s just drunk!”
    9. Re:Fallout? by DarkOx · · Score: 3, Interesting

      Maybe so but we are supposed to live in a society of laws, both here in the States and in Europe. The US government's general position is Americans are always subject to American laws, and nobody is supposed to be above the law. Kevin Mitnick did essentially the same thing, called up a manufacturer social engineered them into giving him information. The FBI was certainly on his ass, the federal prosecutors certainly pushed for and obtained a conviction.

      These guys though? Nobody will even look into it on the prosecutorial side because these guys had an NSA badge on why they did it.

      The Computer Fraud and Abuse Act is found at 18 U.S.C. 1030. Subpart (f) reads as follows:

              This section [i.e., the Computer Fraud and Abuse Act] does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

      There is the law, notice the lawfully authorized part? They are not entitled to do anything you and I can't do UNLESS they have a search warrant or there is some other law on the books specifically authorizing the activity. I doubt even the FISA court would have rubber stamped this one.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    10. Re:Fallout? by jythie · · Score: 3, Interesting

      Though would it not be amusing if the FBI actually went after them? The departments already have animosity towards each other, though probably not enough to overcome the 'stick togetherness' of law enforcement against everyone else.

  2. Damages by Anonymous Coward · · Score: 5, Insightful

    So who does Gemalto sue when the bankrupting recall they are forced to do is the result of a government approved hack?

    1. Re:Damages by AmiMoJo · · Score: 4, Insightful

      How would they ever prove it? The stolen documents will be inadmissible. Everything will be protected as a state secret. Their customers won't care of course, but the courts will.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Damages by CaptainDork · · Score: 2

      This is not true, and it's crucial to understand why.

      In this context, "Constitution," is American-centric.

      It does not apply to the Dutch.

      The venue of law will have to start with the provenance of the Dutch company (is it owned by the Chinese?) and jurisdictions established before litigation can move forward.

      --
      It little behooves the best of us to comment on the rest of us.
  3. Taxpayers by Anonymous Coward · · Score: 5, Insightful

    So, not only do we fund the hack, but now we need to fund the compensation for it.

    Wonderful job.

    1. Re:Taxpayers by transporter_ii · · Score: 5, Insightful

      They want to know what you are saying, and they are willing to spend every penny you have to find out. And then some.

      --
      Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
  4. We're Number 1! We're Number 1! by Anonymous Coward · · Score: 5, Insightful

    Welcome to the USSA. Just like the old USSR, with better technology.

  5. Corruption == Treason by Anonymous Coward · · Score: 4, Funny

    Time to start treating it as such, use your backwards antiquated capital punishment laws for something productive for a change.

    1. Re:Corruption == Treason by fuzzyfuzzyfungus · · Score: 2

      As much as I agree that white collar criminals and spooks are tragically under-executed, and would love to change that, the US constitution (very wisely) includes a comparatively precise and narrow definition of 'treason'. Our 'founding fathers' included some fairly shitty people; but they were mostly shitty people who knew a thing or two about how governments go bad, and that 'treason' is a...delightfully elastic...charge. Thus, they did their best to ensure that it wouldn't be one here.

      There are plenty of other things that they should probably be judged guilty of, and which should probably be capital offenses; but 'treason' is something that you just shouldn't throw around lightly.

  6. Sanctions by Anonymous Coward · · Score: 5, Insightful

    The world should introduce trade-sanctions against the USA and the UK, until they stop attacking other countries, and fall in line.

    1. Re:Sanctions by jabuzz · · Score: 3, Insightful

      Except in the case of the U.K. trade sanctions from other E.U. member states are simply not permissible. I would also doubt the USA would introduce sanctions against the UK on this one, and E.U. sanctions against the USA would require approval from the UK which I doubt they are going to give. That's 45% of the world's GDP locked in right there.

      Good luck on that plan.

    2. Re:Sanctions by mitcheli · · Score: 2

      And would the same trade-sanctions be applied to France, Russia, China, North Korea, Canada, South Korea, Germany, Spain, Iran, Norway, Sweden, South Africa, Australia, Egypt, Israel, Syria, and the Federated States of Micronesia? (ok, took some liberties on that last one).

      --
      Select from tblFriends where interesting >= 4;
  7. Even if the courts punish US/UK by EmagGeek · · Score: 4, Insightful

    The governments will simply say "come and take it, if you can."

  8. Re:I think I speak for everyone when I say by fisted · · Score: 4, Funny

    Oh come on, how would that even work? It's one and the same person.

  9. There have been enough of these headlines by Anonymous Coward · · Score: 2, Funny

    So it's probably about time we shut down the NSA right? They seem to be completely out of control and I'm not sure what they're actually accomplishing.

  10. even more interesting by Pop69 · · Score: 4, Interesting

    I believe the smartcards and USB readers our bank supplies us for authentication of online transactions are supplied by Gemalto

    Are they affected as well? I would expect so.

    1. Re:even more interesting by ledow · · Score: 4, Insightful

      Gemalto do the majority of the smartcard market these days.

      I've used them for everything from business banking to access control.

      Is it not scary enough that they have been compromised to the point of making almost every SIM on the planet useless? By comparison a banking smartcard here or there is nothing.

      Ironically, every few months our bank will tell us that we have to replace the PIN-pads/smartcards/whatever for a newer model "to be secure". Nobody's yet answered then why their software only works on IE (and older versions at that).

    2. Re:even more interesting by AmiMoJo · · Score: 4, Interesting

      Gemalto do a lot of industrial SIMs. I have used them in products designed at work. Many cars with GSM/3G connectivity use their SIMs. Many smart meters, many mobile payment terminals, many sensor networks, many medical devices.

      It's the kind of thing someone could use to bring down a lot of infrastructure. I bet loads of infrastructure monitoring uses Gemalto SIMs for M2M communications. It's probably safe to assume that if GCHQ and the NSA have the keys, so do others. Considering how much leaks out of those two organizations from relatively low level operatives I'm sure China and Russia and probably a few others have at least that much access.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:even more interesting by oodaloop · · Score: 4, Informative

      And our Smart Cards we use on classified networks in the intelligence community use Gemalto. Just checked. Goddamnit.

      I'm not even kidding. Seriously.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    4. Re:even more interesting by mitcheli · · Score: 2

      Gemalto is also a major supplier of US Government Common Access Cards (CAC's).

      --
      Select from tblFriends where interesting >= 4;
  11. The UK needs to pay by Anonymous Coward · · Score: 5, Interesting

    This is an act of industrial espionage and infrastructure sabotage committed by one EU member against another. The UK needs to be held financially responsible for the damage, and punitive sanctions should follow. The UK should also explain how it sees its own future in the EU in the light of these revelations.

  12. Re:I think I speak for everyone when I say by fuzzyfuzzyfungus · · Score: 4, Funny

    Just ask the Holy Spirit, he's consubstantial with both the Son and the Father; despite begetting the son (yet not being the father).

  13. From SIM to Chip and PIN by MeNeXT · · Score: 4, Interesting

    Now they can also prove that you were there when they emptied out your bank account. This is probably why they are refusing to provide any information on stingrays; it goes way deeper than anyone thought.

    --
    DRM? No thanks, I'll just get it somewhere else...
  14. The Danger of Monoculture by ISoldat53 · · Score: 2

    Is Gemalto the only provider of these cards?

    1. Re:The Danger of Monoculture by Anonymous Coward · · Score: 2, Interesting

      No, there are other companies such as Giesecke & Devrient (IIRC the documents show they were also targeted but without success).

      But there are only a small number of them, and each mobile operator generally will get all its SIMs from just one of them since it's not in their interests to order from them all (it's more complex to manage, potentially harder to debug with multiple types of SIM in use, and probably more expensive as signing an exclusive deal will I'm sure come with a discount).

  15. Encrypt all the things by ControlsGeek · · Score: 2

    Why is it that each subscriber cannot select their own encryption keys at the time of activation or any time thereafter?

    1. Re:Encrypt all the things by HiThere · · Score: 2

      Yeah, but most people would use "password" as their password.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  16. pot, f#&* kettle by chilenexus · · Score: 3, Insightful

    How much are these agencies/countries now going to expect to be taken seriously when they find that China, Korea, Japan, Russia, or Lesotho have embedded some form of spyware in the electronics they sell us, and make an attempt to shame them for it or claim damages? They'll just roll along and do what they were doing before because they don't see any difference from how we treated them when we weren't at odds with them. The world has just been handed yet another example of how Brits and Americans can't be trusted, and actually deserve to be spied upon and stolen from. The fourth amendment shouldn't stop at our borders, since it is a limitation placed on government, not a perk that is only given to citizens. If you read it, it says "the rights of the people...." There's a similar concept in English Common Law: http://en.wikipedia.org/wiki/F...

  17. It would be nice if... by tekrat · · Score: 4, Interesting

    It would be nice if the NSA was using this technology to spy on the real terrorists; and by that I mean the people who actually do want to hurt you and steal from you -- CEOs and Large Banks.

    I mean, there has not been a SINGLE prosecution in the great financial disaster of 2008, yet, I'll bet there's plenty of cell phone conversations and text messages about breaking up bad mortgages into financial instruments of mass destruction, and reselling them as AAA+ rated securities.

    Excuse me, but after 20 trillion dollars lost, and another 2 or so trillion given away to prop up a few banks who wanted to play along with the government (until such time that it became time to steal again); it seems to me that the NSA should be more concerned about these guys than a few rogue crazies who blow up the occasional civilian.

    --
    If telephones are outlawed, then only outlaws will have telephones.
  18. The corruption is FAR worse than usually discussed by Anonymous Coward · · Score: 2, Informative

    The problems with corruption in the U.S. government are numerous and severe.

    Matt Taibbi gives a huge amount of detail about the collapse of U.S. society as we have known it: The Divide. Quoting from the Amazon web page: "New York Times bestseller -- Named one of the best books of the year by the Washington Post, NPR, and Kirkus Reviews".

    The book, House of Bush, House of Saud by Craig Unger, tells how Bush and Cheney started a war so that they could make money. One of hundreds of books and articles about the profits and violence and dishonesty: Cheney's Halliburton Made $39.5 Billion on Iraq War. Quoting: "Private or publicly listed firms received at least $138 billion of U.S. taxpayer money for government contracts for services that included providing private security, building infrastructure and feeding the troops."

    #1 Best Seller: America's Bitter Pill: Money, Politics, Back-Room Deals, and the Fight to Fix Our Broken Healthcare System.

    Here is part of a transcript of a 60 Minutes show: Dissecting Obamacare:

    "Brill argues that Obamacare is the product of what he calls an "orgy of lobbying" and backroom deals in which just about everyone with a stake in the $3-trillion-a-year health industry came out ahead - except the taxpayers.

    "Steven Brill: Good news: More people are gonna get health care. Bad news: We have no way in the world that we're gonna be able to pay for it.

    "Steven Brill says that the outrage is what the Affordable Care Act doesn't do.

    "Steven Brill: It doesn't do anything on medical malpractice reform. It doesn't do anything to control drug prices. It doesn't do anything to control hospital profits.

    "Lesley Stahl: So all the cost controlling side of this just went by the wayside?

    "Steven Brill: 99 percent of it."

  19. I don't care, I have a Jolla... by fonske · · Score: 2

    The day after I got my Jolla, my provider (Belgacom) had already installed an app (proximenu) to "service me better" with money transfer services. Very safe services, encrypted by...Gemalto SIM cards. Encryption through legal proceedings - another Belgian invention.

  20. Re:I think I speak for everyone when I say by jythie · · Score: 2

    It is generally less that people are authoritarian, and more that they fear who might be voted in if they do not go for their least disliked candidate. People are pretty easy to scare with abstract 'if you vote for X, then Y wins!' culture war stuff, so much so that it takes precedence over other more real concerns.