The world's largest SIM card producer, Gemalto, says it was unaware of any security breach but is investigating a report that spy agencies stole its encryption keys to access mobile communications -- both voice and data -- without alerting the users, networks or governments of any activity.
Revelations from Edward Snowden detail how a joint operation between National Security Agency (NSA) and Britain's Government Communications Headquarters (GCHQ) illegally accessed a large proportion of the world's cellular conversations by hacking into Gemalto's systems, seemingly undetected.
"We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation," the company said in a statement today. "We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques."
It is unclear how many phones were accessed, but Gemalto produces more than 2 billion SIM cards every year. The company is incorporated in the Netherlands and operates in 85 countries. It counts AT&T, Verizon, Sprint and T-Mobile among its 450 clients of wireless network providers around the world. The stolen keys allowed the agencies to unlock communications that had been previously intercepted but were protected by encryption.
According to a secret GCHQ slide acquired by Snowden, the British spies planted malware on Gemalto's internal computers giving them access to their entire network. The operation also targeted individual network providers allowing the agencies to access customer information and suppress billing charges to disguise any secret tracking of an individual's phone. Notes accompanying the slide show GCHQ boasting about having Gemalto's entire network.
The operation was run by the previously unknown Mobile Handset Exploitation Team (MHET), made up of agents from both the NSA and GCHQ which was formed in 2010 to specifically target vulnerabilities in mobile phones. The report details how MHET accessed the system by targeting individual Gemalto and network provider employees. Using the NSA's X-KEYSCORE program they were able to access private emails hosted by the SIM card producer and its clients' servers.
When a SIM card is made a "Ki" encryption key is burned onto the microchip before shipping. A copy of the key is also sent to the network provider allowing its network to recognize the customer's phone. The encryption key on a newly activated SIM must match the records of the service providers before that phone can connect to the network. MHET acquired the encryption keys by intercepting communications between Gemalto and its clients as the "Ki" codes were being sent out.
These revelations if confirmed by Gemalto are sure to have long reaching ramifications. Only last November the Netherlands amended its constitution to include explicit protection for the privacy of digital communications. Under this law the Dutch interior minister would have had to give permission for such an operation by foreign intelligence agencies.