Security experts are still trying to assess the effects of the reported attack on a SIM card manufacturer that resulted in the theft of millions of encryption keys for mobile phones around the world, but it’s safe to say that the operation has caused reverberations throughout the industry and governments in several countries.
The attack, reported by The Intercept, is breathtaking in its scope and audacity. Attackers allegedly associated with the NSA and GCHQ, the British spy agency, were able to compromise a number of machines on the network of Gemalto, a global manufacturer of mobile SIM cards. The attackers had access to servers that hold the encryption keys for untold millions of mobile phones, allowing them to monitor the voice and data communication of those devices.
The document on which the report is based was provided by Edward Snowden, and it says in part, “Gemalto–successfully implanted several machines and believe we have their entire network…” If true, that would mean that the attackers had access to far more than just those SIM encryption keys. Gemalto officials said in a statement that they were previously unaware of this operation.
“The publication indicates the target was not Gemalto per se – it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible, with the aim to monitor mobile communications without mobile network operators and users consent. We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation,” the statement says.
Security researchers have said since the beginning of the NSA scandal – and before that, in some cases – that the agency and its allies have an intense interest in monitoring mobile communications. Mobile networks present different challenges than traditional computer networks do for attackers, but they are not insurmountable ones for organizations with the resources of NSA and GCHQ. Gemalto, as one of the larger SIM manufacturers on earth, would be a natural target for signals intelligence agencies, as it provides products to hundreds of wireless providers, including Verizon, AT&T and Sprint.
Bruce Schneier, CTO of CO3 Systems and a noted cryptographer, said that this operation may represent the most serious revelation of the Snowden documents.
“People are still trying to figure out exactly what this means, but it seems to mean that the intelligence agencies have access to both voice and data from all phones using those cards,” Schneier said on his blog. “I think this is one of the most important Snowden stories we’ve read.”
The Gemalto revelation could have long-term effects for the technology industry and its relations with the government in the United States and UK. The relationships already have been strained by past revelations of NSA operations against infrastructure owned by companies such as Google, Yahoo and many others. This latest revelation likely won’t help matters. But White House officials aren’t worried.
“We certainly are aware of how important it is for the United States government to work with private industry; that there are a lot of situations in which our interests are pretty cleanly aligned. And there are certainly steps that the U.S. government has taken in the name of national security that some members of private industry haven’t agreed with. But I do think that there is common ground when it comes to — and this is a principle that I’ve cited before — it’s hard for me to imagine that there are a lot of technology executives that are out there that are in a position of saying that they hope that people who wish harm to this country will be able to use their technology to do so,” Josh Earnest, White House press secretary, said during a briefing on Friday.