How Far Did the NSA Go in Alleged SIM Card Hack?
The National Security Agency (NSA) continues to hold its stance that the only way to thwart terrorist attacks and other crimes is to continue the surveillance programs exposed by Edward Snowden nearly two years ago. The latest report alleges that the NSA, along with the British government counterpart Government Communications Headquarters (GCHQ), has hacked encryption keys from SIM cards on smartphones.
Documents provided by Snowden and reported last week by The Intercept allege that the U.S. and British governments specifically were hacking into SIM cards from Gemalto, the largest provider of SIM cards, used in smartphones to store encrypted identity information. According to the report, the breach was outlined in a secret 2010 GCHQ document.
If indeed the encryption keys were stolen, it gave the agencies the ability to eavesdrop on and wiretap voice and data communications without approval from governments or wireless providers. The bulk key theft also gave the agencies the ability to decrypt communications that they had already intercepted, according to the report. The ability to do so was the result of mining communications of engineers and other Gemalto employees, the report added, noting that the company was "oblivious to the penetration of its systems."
Now Gemalto is shedding doubt on the severity of the breach. The company released a statement which did acknowledge it detected the intrusion that took place in 2010 and 2011. The findings of the investigation "give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened," according to the Gemalto statement. However, in questioning the extent of the breach, the statement said that "the attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys."
By 2010, the company said it had already implemented a secure transfer system with its customers and in only some rare instances could theft have occurred. Moreover, in many of the targeted countries at the time, many of the networks only had 2G mobile communications networks, which are inherently insecure. The modern 3G and 4G networks weren't vulnerable to such interceptions, according to the company. Gemalto said none of its other cards were affected by the attack. While the statement also pointed to some inconsistencies in the document that was leaked, including some of the customers it claimed the company worked with, Gemalto said that the SIM cards have customized encryption algorithms for each telecom provider.
For its part, the NSA is making no apologies on its surveillance policies. NSA Director Mike Rogers spoke last week at the New America Foundation's cyber security conference in Washington, D.C., where he said backdoors would not have a negative impact on privacy, weaken encryption or dampen demand for technology from the U.S.
Alex Stamos, Yahoo's chief information security officer, who was in attendance at the conference, took Rogers to task on his contention that the government has backdoors or master keys, according to The Guardian. When Stamos asked Rogers how Yahoo, which has 1.3 billion users throughout the world, could be expected to address requests for backdoors, Rogers reportedly skipped over the foreign requests, describing its overall process as "drilling a hole in a windshield. I think that this is technically feasible. Now it needs to done within a framework."
The problem is, it's unlikely that the feds will come up with a framework that will sit well with many people.
Posted by Jeffrey Schwartz on 02/25/2015 at 10:27 AM