The Intercept is reporting this morning that US and UK spies broke into the internal network of Gemalto, the largest SIM card manufacturer in the world and stole the encryption keys used by the manufacturer. SIM cards are designed to protect the privacy of cellphone conversations, among other things. The reporting is based on documents provided by Edward Snowden, and the breach was described in a document written in 2010.
So, as a beginning point, you can safely assume that your mobile phone privacy was breached over four years ago.
Here are more details:
Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment. “Once you have the keys, decrypting traffic is trivial,” says Christopher Soghoian, the principal technologist for the American Civil Liberties Union. “The news of this key theft will send a shock wave through the security community.”
* * *
The U.S. and British intelligence agencies pulled off the encryption key heist in great stealth, giving them the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted. “Gaining access to a database of keys is pretty much game over for cellular encryption,” says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is “bad news for phone security. Really bad news.”
SIM cards were not primarily designed to protect privacy, but instead were by cell phone companies to limit fraudulent use of their networks.
SIM cards were not invented to protect individual communications — they were designed to do something much simpler: ensure proper billing and prevent fraud, which was pervasive in the early days of cellphones. Soghoian compares the use of encryption keys on SIM cards to the way Social Security numbers are used today. “Social security numbers were designed in the 1930s to track your contributions to your government pension,” he says. “Today they are used as a quasi national identity number, which was never their intended purpose.”
Because the SIM card wasn’t created with call confidentiality in mind, the manufacturers and wireless carriers don’t make a great effort to secure their supply chain. As a result, the SIM card is an extremely vulnerable component of a mobile phone. “I doubt anyone is treating those things very carefully,” says Green. “Cell companies probably don’t treat them as essential security tokens. They probably just care that nobody is defrauding their networks.” The ACLU’s Soghoian adds, “These keys are so valuable that it makes sense for intel agencies to go after them.”
Much more from The Intercept here.
Steal millions of crypto keys and then complain publicly that encryption is a problem. The UK and US govs are shameless.
— Christopher Soghoian (@csoghoian) February 19, 2015
— Noah Shachtman (@NoahShachtman) February 19, 2015
Perhaps the biggest Snowden revelation yet, genuinely shocking criminal theft of SIM CODES by NSA & GCHQ https://t.co/aZe1QqTZZ1
— John Perry Barlow (@JPBarlow) February 19, 2015