The Week: The End of Mobile Security

Story of the week has undoubtedly been the revelation – again courtesy of Edward Snowden – that the United States' National Security Agency (NSA) and the United Kingdom’s Government Communications Headquarters (GCHQ) in 2010 stole a very large number of mobile SIM encryption keys.

They did this by hacking into the IT systems of Gemalto, the world’s largest manufacturer of SIM cards, and monitoring and intercepting the communications of its employees. Gemalto produces about two billion SIM cards annually, supplying over 450 of the world’s top telcos, including US giants AT&T, T-Mobile and Verizon. Closer to home, Gemalto customers include Telstra, Optus and Vodafone, which means that pretty much every Australian mobile user could be affected.

Obtaining these keys enables the NSA and GCHQ to monitor large portions of the world’s mobile communications, including both voice and data. They can also access any personal data stored on the SIM. Furthermore, having these keys obviates the needs for complicated interception techniques, and removes the inherent limitations of wire-tapping.

SIM encryption is fairly simple, involving a basic key exchange. The key is kept on the SIM itself, and by your telco. These are checked against each other whenever the SIM is used for transmission. It is a system that remains secure only so long as the secret keys aren’t obtained by a third party, which of course they have been. 

It has of course been done without any form of warrant: since the keys were stolen in the first place, it’s not as though the agencies involved were particularly bothered with legality. Nor were they likely to be caught, since interception via these methods leaves little trace on the actual network.

In the event that a telco did detect traces of snooping, the leaked documents also revealed that GCHQ has the capacity to alter billing data to remove evidence of spying.

It is unclear whether all compromised SIMs will need to be recalled. Telstra and Optus have both said they are awaiting further advice from Gemalto. If the SIMs do need to be recalled, it will entail an enormous – if not unprecedented – disruption to national telecommunications. I will update this post as more news comes to hand.

[UPDATE] Vodafone Australia has issued a statement, saying that they "have no evidence that any Vodafone Australia customers’ SIMs have been compromised."

Gemalto meanwhile insists that its systems are secure. (Then again, it also said that it didn’t expect there to be any financial downturn following these revelations. Its share value plummeted to the tune of a half billion dollars following the revelation, and has not recovered.)

The full story first appeared on The Intercept, a website mainly devoted to properly publishing the documents leaked by Edward Snowden. We encourage you to read the full story. As it makes clear: “Gaining access to a database of keys is pretty much game over for cellular encryption.”

[UPDATE] Gemalto's investigation has concluded that while their systems were compromised in 2010, the size of the theft has been "greatly exaggerated." Meanwhile The Intercept has responded, quoting one expert that "This is an investigation that seems mainly designed to produce positive statements. It is not an investigation at all."

Staying with Snowden for the moment, he yesterday appeared in an AMA (Ask Me Anything) on Reddit, alongside journalist Glenn Greenwald and Laura Poitras, director of the Oscar winningCitizenfour. All three were articulate and forthcoming, and it really is a must read. So read it here.