Gemalto SIM Cards Hacked by American, British Spies—Report

Gemalto, one of the world’s largest providers of SIM cards for mobile phones and the maker of a secure SIM technology, is probing an alleged hack by American and British spies.

The Dutch company supplies 2 billion SIM cards per year to a range of Tier 1 carriers, including Verizon Communications, Vodafone Group and China Mobile. The Intercept, a news site known for publishing leaks from National Security Agency contractor Edward Snowden, said that fresh Snowden documents show that Western governments have been circumventing legal procedures and privacy safeguards in order to gain access to the personal communications data of subscribers.

Supposedly, the “great SIM heist” was carried out by operatives from the NSA and its British counterpart, Government Communications Headquarters (GCHQ). Mining the private communications of Gemalto engineers and employees in multiple countries, the UK took the lead in stealing encryption keys, with NSA providing an assist, according to a secret 2010 GCHQ document.

“Intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments,” the report explained. “Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted.”

TK Keanini, CTO of Lancope, said via email that the news, if true, is not actually all that shocking.

“This type of spy activity predates the internet and will continue to happen no matter what the technology of the current day,” he said. “All of this telephony capture is standard when it comes to spy agencies—the only thing that changes over the years are the techniques used.”

And while this is clearly a violation of European privacy rules and American legal frameworks, it’s concerning that Gemalto could have been this vulnerable, according to Secure Channels CEO Richard Blech.

“Now that this has been exposed, we will have to ensure that new technology and solutions are created to encrypt SIM cards, and that encryption keys are not only located in a completely separate location, but that the keys themselves are protected with deep encryption,” he said. “Most common reactions are that this sort of [spying] affects someone else, and until you feel the violation personally, we just tend to move on. Again, technology companies should create solutions that are easily adaptable for users that allow their privacy to be protected.”
