Secret NSA/GCHQ unit 'hacked Gemalto, stole SIM encryption keys'

A secret division of NSA and GCHQ hackers reportedly hacked into Gemalto's networks, breached the firm's SIM card database and stole private encryption keys from 2010 to 2011, enabling the agencies to monitor a "large portion of the world's cellular communications."

Secret NSA/GCHQ unit 'hacked Gemalto, stole SIM encryption keys'
Secret NSA/GCHQ unit 'hacked Gemalto, stole SIM encryption keys'

That's according to the latest revelations from NSA whistle-blower Edward Snowden, which were published in a 10-page report on The Intercept late yesterday.

Citing one secret GCHQ document from 2010, the newswire details how a joint unit of NSA and GCHQ operatives, going by the name of the Mobile Handset Exploitation Team (MHET), was specifically tasked with exploiting vulnerabilities in mobile phones, with Gemalto a primary target for accessing voice and data details.

The Netherlands-based Gemalto is the world's biggest SIM manufacturer, producing some two billion cards annually, and has clients including AT&T, T-Mobile, Verizon and Sprint as well as 450 wireless network providers around the globe. The firm's motto, ironically, is ‘Security to be free”.

Although the official point of entry for the hackers has not been disclosed, it appears that social engineering was involved, in addition to unidentified malware. The Intercept reveals that agency staff compromised Gemalto engineers (they had access to their email and Facebook accounts) and eventually launched malware to compromise internal systems – and the SIM card database, which meant it had access to the private encryption keys. One GCHQ document saw the author boast: “We believe we have their entire network.”

GGHQ programme DAPINO GAMMA was apparently used to target Gemalto employees, while HIGHLAND FLING was said to have been used to mine email accounts of Gemalto staff in France and Germany.

Having gathered these encryption keys, the surveillance agencies would be able to monitor mobile communications (voice and data), without needing the approval of the carriers or foreign governments. In addition, they would also be able to intercept this mobile data without the usual process of requiring a court-order warrant or wiretap.

GCHQ was also said to be preparing encryption key theft operations against Germany-based Giesecke and Devrient although no further details were published on this.

Bruce Schneier said on his blog: “People are still trying to figure out exactly what this means, but it seems to mean that the intelligence agencies have access to both voice and data from all phones using those cards.”

Gemalto, which saw shares slide 10 percent down on Friday, responded to the news by issuing a statement in which it said that it was investigating. It couldn't verify the findings at the time of writing, and the company has not yet responded to our request for comment.

“We cannot at this stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation,” he said.

“Gemalto, the world leader in digital security, is especially vigilant against malicious hackers, and has detected, logged and mitigated many types of attempts over the years. At present, we cannot prove a link between those past attempts and what was reported yesterday.”

“We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques.”

Christian Toon, senior cyber-security expert at PwC UK, said in an email to SCMagazineUK.com that government spying has almost become the norm, even if the battle between security and privacy is an “on-going debate”. “I guess we're more of an open society than we were 20 years ago.”

But he questioned the sophistication. “The question is if this happened in 2010, it that sophisticated by today's standards or back then?”

Page 1 of 2