Not as secure as it SIMs

simIf you knew, or cared, anything about the way your mobile phone communicates with the mobile network, you may have believed that your calls were secure and private, at least as far as the core of your provider’s network. They should be, too, if you’re on a 3G or 4G network: the SIM in your phone includes encryption keys known only to it and the mobile provider, and these are used to encode the voice and text traffic so that anyone snooping on the radio signal, or on the backhaul network between the base station and the provider’s headquarters, would not be able to make head or tail of the stream of bytes flowing by. To do so on any scale would need vast amounts of computing power.

However, if this article in The Intercept, The Great SIM Heist, is correct, the NSA and GCHQ have a much better approach. To quote the article:

Adi Shamir famously asserted: “Cryptography is typically bypassed, not penetrated.” In other words, it is much easier (and sneakier) to open a locked door when you have the key than it is to break down the door using brute force.

So that’s what they allegedly did, according to the latest revelations from Ed Snowden: they hacked into the networks of the SIM card manufacturers, most notably Gemalto, the largest in this field and a supplier to 450 mobile providers around the world, and just stole copies of the keys before they were shipped to the mobile providers. They focused on the activities of employees who used email encryption and those exploring more secure methods of file transfer, since they were more likely to have valuable information to hide.

Perhaps the most shocking thing about these thoroughly illegal activities is that the companies and individuals targeted were not in any way assumed to be engaged in illicit activities. They were innocents going about their daily business, but they just had information that was of potential use to the authorities.

Snowden’s information is from 2009/10, so it is to be presumed that this has been going on for some time. Meanwhile, this is what it did to poor old Gemalto’s stock price when the news came out a couple of days ago:

gemalto

Got Something To Say:

Your email address will not be published. Required fields are marked *

To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see http://daringfireball.net/projects/markdown/syntax

*

© Copyright Quentin Stafford-Fraser