NSA, GHCQ Implicated In SIM Encryption Hack

← Back to Stories (view on slashdot.org)

NSA, GHCQ Implicated In SIM Encryption Hack

Posted by samzenpus on Monday February 23, 2015 @04:01AM from the protect-ya-neck dept.

First time accepted submitter BlacKSacrificE writes Australian carriers are bracing for a mass recall after it was revealed that a Dutch SIM card manufacturer Gemalto was penetrated by the GCHQ and the NSA in an alleged theft of encryption keys, allowing unfettered access to voice and text communications. The incident is suspected to have happened in 2010 and 2011 and seems to be a result of social engineering against employees, and was revealed by yet another Snowden document. Telstra, Vodafone and Optus have all stated they are waiting for further information from Gemalto before deciding a course of action. Gemalto said in a press release that they "cannot at this early stage verify the findings of the publication" and are continuing internal investigations, but considering Gemalto provides around 2 billion SIM cards to some 450 carriers across the globe (all of which use the same GSM encryption standard) the impact and fallout for Gemalto, and the affected carriers, could be huge.

28 of 155 comments (clear)

Min score:

Reason:

Sort:

Fallout? by The+Rizz · 2015-02-23 04:11 · Score: 5, Insightful

the impact and fallout for Gemalto, and the affected carriers, could be huge.
Why is it that the fallout is centered on these companies, instead of on the NSA and GHCQ? Why are these criminal enterprises masquerading as government agencies so completely above the law?
1. Re:Fallout? by Anonymous Coward · 2015-02-23 04:13 · Score: 5, Insightful
  
  It would be nice to know who will pay the damages or that NSA and GHCQ can just destroy businesses as they please.
2. Re:Fallout? by Anonymous Coward · 2015-02-23 04:18 · Score: 3, Insightful
  
  sadly i think we get to see option 2 play out
3. Re:Fallout? by Anonymous Coward · 2015-02-23 04:23 · Score: 5, Interesting
  
  Certainly very true. Absolutely, NSA and GCHQ are at fault here.
  However, these kinds of stories draw the attention of even the most idiotic of individuals. Those that only a few months ago were, without any consideration, spouting, "I don't care if the NSA sees everything I do or works to break into everything." must now stop and realize they were used and lied to, and that the work of these criminal organizations is directly damaging many companies. Various encryption or communication groups and companies have disappeared without any notice by the average person, but they will see the damage when it comes to their cell phones.
4. Re:Fallout? by gl4ss · 2015-02-23 04:26 · Score: 3, Insightful
  
  or create businesses without public bidding process, selling dubious equpment to them, for which they provide the possibility to manufacture them..
  oh wait they can and will and have done exactly that.
  
  --
  world was created 5 seconds before this post as it is.
5. Re:Fallout? by AmiMoJo · 2015-02-23 04:52 · Score: 3, Insightful
  
  Belgian telecoms companies have already started legal proceedings against GCHQ. I hope Gemalto do as well. Even if it comes to nothing it's still one of the best (only) options we have to try to control them.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
6. Re:Fallout? by fuzzyfuzzyfungus · 2015-02-23 05:04 · Score: 3, Insightful
  
  Some mixture of pragmatism and the victim blaming, I imagine.
  
  Given that, operationally speaking, the NSA and GHCQ, and friends, are above the law(where it hasn't been modified to simply make what they do legal, because it's them doing it); your only real option is to start assessing providers of security-critical products and services according to the "Were a dangerously out-of-control clandestine entity to come knocking, would you be fucked or really fucked?" standard.
  
  It is obviously Bad that you need to ask that question; but, since you do, you at least want the answer to be reassuring. Given that, according to what we know so far, the production process for SIMs involved Gemalto burning (insecurely transmitted) Kis in, at the factory, it looks like the production process is dangerously weak against tampering. As with the RSA seed storage/hack fiasco, it looks like that is going to have to change, with the vital secrets either stored a lot more carefully, or, ideally, generated on-SIM and never leaving the SIM during its operational life, short of a direct silicon-level attack.
7. Re:Fallout? by DarkOx · 2015-02-23 06:10 · Score: 3, Interesting
  
  Maybe so but we are supposed to live in a society of laws, both here in the States and in Europe. The US governments general position is Americans are always subject to American laws, and nobody is supposed to be above the law. . Kevin Mitnick did essentially the same thing, called up a manufacturer social engineered them into giving him information. The FBI was certainly on his ass, the federal prosecutors certainly pushed for and obtained a conviction.
  These guys though? Nobody will even look into it on the prosecutorial side because these guys had an NSA badge on why the did it.
  
  The Computer Fraud and Abuse Act is found at 18 U.S.C. 1030. Subpart (f) reads as follows:
  This section [i.e., the Computer Fraud and Abuse Act] does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
  
  There is the law, notice the lawfully authorized part? They are not entitled to do anything you and I can't do UNLESS they have a search warrant or there is some other law on the books specifically authorizing the activity. I doubt even the FISA court would have rubber stamped this one.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
8. Re:Fallout? by jythie · 2015-02-23 06:32 · Score: 3, Interesting
  
  Though would it not be amusing if the FBI actually went after them? The departments already have animosity towards each other, though probably not enough to overcome the 'stick togetherness' of law enforcement against everyone else.
Damages by Anonymous Coward · 2015-02-23 04:11 · Score: 5, Insightful

So who does Gemalto sue when the bankrupting recall they are forced to do is the result of a government approved hack?
1. Re:Damages by AmiMoJo · 2015-02-23 05:49 · Score: 4, Insightful
  
  How would they ever prove it? The stolen documents will be inadmissible. Everything will be protected as a state secret. Their customers won't care of course, but the courts will.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Taxpayers by Anonymous Coward · 2015-02-23 04:14 · Score: 5, Insightful

So, not only do we fund the hack, but now we need to fund the compensation for it.
Wonderful job.
1. Re:Taxpayers by transporter_ii · 2015-02-23 04:29 · Score: 5, Insightful
  
  They want to know what you are saying, and they are willing to spend every penny you have to find out. And then some.
  
  --
  Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
We're Number 1! We're Number 1! by Anonymous Coward · 2015-02-23 04:29 · Score: 5, Insightful

Welcome to the USSA. Just like the old USSR, with better technology.
Corruption == Treason by Anonymous Coward · 2015-02-23 04:30 · Score: 4, Funny

Time to start treating it as such, use your backwards antiquated capital punishment laws for something productive for a change.
Sanctions by Anonymous Coward · 2015-02-23 04:31 · Score: 5, Insightful

The world should introduce trade-sanctions against the USA and the UK, until they stop attacking other countries, and fall in line.
1. Re:Sanctions by jabuzz · 2015-02-23 04:46 · Score: 3, Insightful
  
  Except in the case of the U.K. trade sanctions from other E.U. member states are simply not permissible. I would also doubt the USA would introduce sanctions against the UK on this one, and E.U. sanctions against the USA would require approval from the UK which I doubt they are going to give. That's 45% of the worlds GDP locked in right there.
  Good luck on that plan.
Even if the courts punish US/UK by EmagGeek · 2015-02-23 04:32 · Score: 4, Insightful

The governments will simply say "come and take it, if you can."
Re:I think I speak for everyone when I say by fisted · 2015-02-23 04:34 · Score: 4, Funny

Oh come on, how would that even work? It's one and the same person.

--
CLI paste? paste.pr0.tips!
even more interesting by Pop69 · 2015-02-23 04:42 · Score: 4, Interesting

I believe the smartcards and USB readers our bank supplies us for authentication of online transactions are supplied by Gemalto

Are they affected as well ? I would expect so
1. Re:even more interesting by ledow · 2015-02-23 04:48 · Score: 4, Insightful
  
  Gemalto do the majority of the smartcard market these days.
  I've used them for everything for business banking to access control.
  Is it not scary enough that they have been compromised to the point of making almost every SIM on the planet useless? By comparison a banking smartcard here or there is nothing.
  Ironically, every few months our bank will tell us that we have to replace the PIN-pads/smartcards/whatever for a newer model "to be secure". Nobody's yet answered then why their software only works on IE (and older versions at that).
2. Re:even more interesting by AmiMoJo · 2015-02-23 04:57 · Score: 4, Interesting
  
  Gemalto do a lot of industrial SIMs. I have used them in products designed at work. Many cars with GSM/3G connectivity use their SIMs. Many smart meters, many mobile payment terminals, many sensor networks, many medical devices.
  It's the kind of thing someone could use to bring down a lot of infrastructure. I bet loads of infrastructure monitoring uses Gemalto SIMs for M2M communications. It's probably safe to assume that if GCHQ and the NSA have the keys, so do others. Considering how much leaks out of those two organizations from relatively low level operatives I'm sure China and Russia and probably a few others have at least that much access.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
3. Re:even more interesting by oodaloop · 2015-02-23 05:57 · Score: 4, Informative
  
  And our Smart Cards we use on classified networks in the intelligence community use Gemalto. Just checked. Goddamnit.
  
  I'm not even kidding. Seriously.
  
  --
  Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
The UK needs to pay by Anonymous Coward · 2015-02-23 04:56 · Score: 5, Interesting

This is an act of industrial espionage and infrastructure sabotage committed by one EU member against another. The UK needs to be held financially responsible for the damage, and punitive sanctions should follow. The UK should also explain how it sees its own future in the EU in the light of these revelations.
Re:I think I speak for everyone when I say by fuzzyfuzzyfungus · 2015-02-23 04:58 · Score: 4, Funny

Just ask the Holy Spirit, he's consubstantial with both the Son and the Father; despite begetting the son(yet not being the father).
From SIM to Chip and PIN by MeNeXT · 2015-02-23 05:12 · Score: 4, Interesting

Now they can also prove that you were there when they emptied out your bank account. This is probably why they a refusing to provide any information on stingrays it goes way deeper than anyone thought.

--
DRM? No thanks, I'll just get it somewhere else...
pot, f#&* kettle by chilenexus · 2015-02-23 05:26 · Score: 3, Insightful

How much are these agencies/countries now going to expect to be taken seriously when they find that China, Korea, Japan, Russia, or Lesotho have embedded some form of spyware in the electronics they sell us, and make an attempt to shame them for it or claim damages? They'll just roll along and do what they were doing before because they don't see any difference from how we treated them when we weren't at odds with them. The world has just been handed yet another example of how Brits and Americans can't be trusted, and actually deserve to be spied upon and stolen from. The fourth amendment shouldn't stop at our borders, since it is a limitation placed on government, not a perk that is only given to citizens. If you read it, it says "the rights of the people...." There's a similar concept in English Common Law: http://en.wikipedia.org/wiki/F...
It would be nice if... by tekrat · 2015-02-23 05:39 · Score: 4, Interesting

It would be nice if the NSA was using this technology to spy on the real terrorists; and by that I mean the people who actually do want to hurt you and steal from you -- CEOs and Large Banks.
I mean, there has not been a SINGLE prosecution in the great financial disaster of 2008, yet, I'll be there's plenty of cell phone conversations and text messages about breaking up bad mortgages into financial instruments of mass destruction, and reselling them as AAA+ rated securities.
Excuse me, but after 20 trillion dollars lost, and another 2 or so trillion given away to prop up a few banks who wanted to play along with the government (until such time that it became time to steal again); it seems to me that the NSA should be more concerned about these guys than a few rouge crazies who blow up the occasional civilian.

--
If telephones are outlawed, then only outlaws will have telephones.