That's according to the latest revelations from NSA whistle-blower Edward Snowden, which were published in a 10-page report on The Intercept late yesterday.
Citing one secret GCHQ document from 2010, the newswire details how a joint unit of NSA and GCHQ operatives, going by the name of the Mobile Handset Exploitation Team (MHET), was specifically tasked with exploiting vulnerabilities in mobile phones, with Gemalto a primary target for accessing voice and data details.
The Netherlands-based Gemalto is the world's biggest SIM manufacturer, producing some two billion cards annually, and has clients including AT&T, T-Mobile, Verizon and Sprint as well as 450 wireless network providers around the globe. The firm's motto, ironically, is ‘Security to be free”.
Although the official point of entry for the hackers has not been disclosed, it appears that social engineering was involved, in addition to unidentified malware. The Intercept reveals that agency staff compromised Gemalto engineers (they had access to their email and Facebook accounts) and eventually launched malware to compromise internal systems – and the SIM card database, which meant it had access to the private encryption keys. One GCHQ document saw the author boast: “We believe we have their entire network.”
GGHQ programme DAPINO GAMMA was apparently used to target Gemalto employees, while HIGHLAND FLING was said to have been used to mine email accounts of Gemalto staff in France and Germany.
Having gathered these encryption keys, the surveillance agencies would be able to monitor mobile communications (voice and data), without needing the approval of the carriers or foreign governments. In addition, they would also be able to intercept this mobile data without the usual process of requiring a court-order warrant or wiretap.
GCHQ was also said to be preparing encryption key theft operations against Germany-based Giesecke and Devrient although no further details were published on this.
Bruce Schneier said on his blog: “People are still trying to figure out exactly what this means, but it seems to mean that the intelligence agencies have access to both voice and data from all phones using those cards.”
Gemalto, which saw shares slide 10 percent down on Friday, responded to the news by issuing a statement in which it said that it was investigating. It couldn't verify the findings at the time of writing, and the company has not yet responded to our request for comment.
“We cannot at this stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation,” he said.
“Gemalto, the world leader in digital security, is especially vigilant against malicious hackers, and has detected, logged and mitigated many types of attempts over the years. At present, we cannot prove a link between those past attempts and what was reported yesterday.”
“We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques.”
Christian Toon, senior cyber-security expert at PwC UK, said in an email to SCMagazineUK.com that government spying has almost become the norm, even if the battle between security and privacy is an “on-going debate”. “I guess we're more of an open society than we were 20 years ago.”
But he questioned the sophistication. “The question is if this happened in 2010, it that sophisticated by today's standards or back then?”
Toon added that foreign-state involvement has become standard practice and also questioned, if they were hacking SIM cards and mobiles five years ago, what now? “The Internet of Things only broadens the target market [for attackers].”
“It highlights the weakest point in the chain and that businesses should also assume a state of compromise. They need to have that understanding that if a threat actor wants a break in it's not a case of if but when.” He added that businesses have focused too much on perimeter and less on monitoring, where he also adds there is a ‘losing battle'; some have too much information and can't process it fast enough while others simply don't have the access to the appropriate information.
“One of the biggest things I see is the response element, how they respond, and we've seen some examples where the poor response almost outweighs the breach itself,” he said citing last year's data breach, which resulted in the loss of 100,000 credentials.
He added the need for sharing intelligence; “The biggest challenge in this industry is the need to be better at sharing at what's going on, and until you get everybody on-board I think that's hard. Nobody likes to air their dirty laundry in public,” he said citing liability issues in particular.
Alan Calder, CEO of consultancy IT Governance, added: “While this is obviously bad news for the SIM company, and is equally obviously a major crime apparently carried out by the intelligence agencies of two leading western governments, it does point at the basic issue: no companies or organisations are immune from attack – and the fact that you don't know you've been hacked is not evidence that you haven't been – it's just evidence that you haven't found out yet.”
Eric King, deputy director of Privacy International, was more forthright, adding in an email to SC: "GCHQ has lost its way. In stealing the SIM card encryption keys of millions of mobile phone users they have shown there are few lines they aren't willing to cross. Trust in the security of our communications systems are essential for our society and for businesses to operate with confidence, and the impact of these latest revelations will have ripples all over the world.
“Hacking into law-abiding companies, spying on their employees and stealing their data should never be considered 'fair game.' In blindly striving trying to achieve their mission, they have lost sight of what the rule of law means and how to weigh what is necessary and proportionate. Their actions have undermined the security of us all.”