The US National Security Agency (NSA), along with its British counterpart, the Government Communications Headquarters (GCHQ), has compromised the systems of one of the largest SIM card manufacturers to steal millions of encryption keys since 2010, according to a report published in The Intercept.
Encryption keys are used to activate and encrypt communications between a user’s phone and its mobile carrier network, so a compromised key gives a hacker an unrestricted gateway to those communications. The key, called Ki, is unique to each SIM and is burned into the chip when it is manufactured. It is this key that allows communication between a user’s mobile and the network provider.
The intelligence agencies have stolen encryption keys from Gemalto, one of the largest SIM card and next-generation credit card providers, based in the Netherlands, through a remote breach of the company’s computer network. The company, producing almost 2 million cards a year, used email and File Transfer Protocol (FTP) to dispatch master key files. The surveillance agencies exploited this insecure transfer to steal the keys through their X-Keyscore program. The spying agencies regularly used this program to access private email and Facebook accounts of employees of major telecom companies. By 2010, the number of keys stolen in one shot was frightening.
“In one two-week period, the team accessed the emails of 130 people associated with wireless network providers or SIM card manufacturing and personalization. This operation produced nearly 8,000 keys matched to specific phones in 10 countries,” according to The Intercept.
“At one point in March 2010, GCHQ intercepted nearly 100,000 keys for mobile phone users in Somalia. By June, they’d compiled 300,000 … A top-secret NSA document asserted that, as of 2009, the U.S. spy agency already had the capacity to process between 12 and 22 million keys per second for later use against surveillance targets,” it added.
Gemalto, for its part, is investigating the claims and has stated on its website, “We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques.”
Christopher Soghoian, the principal technologist for the American Civil Liberties Union, highlights the gravity of the compromised SIM card keys.
“Key theft enables the bulk, low-risk surveillance of encrypted communications,” he said.
“Agencies can collect all the communications and then look through them later. With the keys, they can decrypt whatever they want, whenever they want. It’s like a time machine, enabling the surveillance of communications that occurred before someone was even a target,” added Soghoian.
What should you do?
There is not much that you can do if the encryption key of your SIM card or credit card has been compromised; however, apps that support TLS for email and messaging should offer some protection. Perfect Forward Secrecy (PFS) protects against SIM-key-enabled surveillance. PFS generates a unique encryption key for each text, data and call, which is discarded after one use. But this approach has not yet been adopted by major telecom service providers.
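The difference a discarded per-session key makes, as an added example that is not part of the original article: it compares a session key derived only from Ki with one that also mixes in an ephemeral Diffie-Hellman secret. HMAC-SHA256 stands in for the operator's real key-derivation algorithm, the Diffie-Hellman group is a toy choice, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy DH group for illustration only (p = 2**255 - 19 is prime); real
# systems use a standardized group or X25519. All names are hypothetical.
P, G = 2**255 - 19, 2

def kdf(ki: bytes, material: bytes) -> bytes:
    # HMAC-SHA256 stands in for the operator's real key-derivation algorithm.
    return hmac.new(ki, material, hashlib.sha256).digest()

def ephemeral_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_secret(my_priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, my_priv, P).to_bytes(32, "big")

def run_session(ki: bytes) -> dict:
    """One session: what crosses the air, plus the keys actually used."""
    rand = secrets.token_bytes(16)               # challenge, sent in clear
    phone_priv, phone_pub = ephemeral_keypair()  # private halves are
    net_priv, net_pub = ephemeral_keypair()      # discarded after the session
    return {
        "on_air": {"rand": rand, "phone_pub": phone_pub, "net_pub": net_pub},
        "static_key": kdf(ki, rand),             # depends only on Ki + RAND
        "pfs_phone": kdf(ki, dh_secret(phone_priv, net_pub) + rand),
        "pfs_network": kdf(ki, dh_secret(net_priv, phone_pub) + rand),
    }

def exposure_if_ki_leaks(ki: bytes, session: dict) -> dict:
    """Which recorded session keys can be recomputed later from Ki alone."""
    air = session["on_air"]
    static_hit = hmac.compare_digest(kdf(ki, air["rand"]), session["static_key"])
    # Only public DH values were recorded; putting them into the KDF in place
    # of the discarded shared secret does not reproduce the session key.
    pfs_hit = any(
        hmac.compare_digest(kdf(ki, pub.to_bytes(32, "big") + air["rand"]),
                            session["pfs_phone"])
        for pub in (air["phone_pub"], air["net_pub"])
    )
    return {"static_key_recovered": static_hit, "pfs_key_recovered": pfs_hit}

if __name__ == "__main__":
    ki = secrets.token_bytes(16)  # constructed sample key, not a real Ki
    print(exposure_if_ki_leaks(ki, run_session(ki)))
```

With the Ki-only derivation, every recorded session falls to a later key leak; with the ephemeral exchange, Ki still authenticates the session but no longer determines its key.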