Claims have emerged that a joint operation between US and UK intelligence agencies breached the internet network of the world's largest SIM card manufacturer, Gemalto, to steal encryption keys for millions of subscribers.
The Subscriber Identity Module (SIM) was once the only non-volatile storage enjoyed by mobile phones, but even in these days of handsets with multi-gigabyte flash modules the SIM serves an important purpose. Each card is encoded with two unique codes, the Integrated Circuit Card Identifier (ICCID) and International Mobile Subscriber Identity (IMSI). Together, these codes uniquely identify a mobile account and SIM, while each SIM also holds a unique 128-bit authentication key, supposedly protected from extraction by SIM card readers for security, which is used to authenticate with the network and perform encryption.
While documents released by whistleblower Edward Snowden over the last year have shown that US and UK intelligence agencies work hand-in-hand with telecommunications providers to monitor traffic, Snowden's latest leak suggests that they take a more active role as well. According to documents supplied by Snowden to The Intercept
, agencies from the US and UK formed a joint Mobile Handset Exploitation Team (MHET) which in 2010 and 2011 broke into the network of Gemalto, the world's biggest manufacturer of SIM cards, in order to steal the authentication keys. With those keys, the services can eavesdrop on ongoing conversations, capture data traffic, and decrypt already-captured traffic, all without having to apply for a court order or even give the mobile network warning of what is happening.
Gemalto, for its part, has indicated that it is investigating the matter. 'A publication reported yesterday that in 2010 and 2011 a joint unit composed of operatives from the British GCHQ and the American NSA hacked SIM card encryption keys engraved in Gemalto and possibly other SIM vendors' cards,
' the company's statement to press, issued this morning, reads. 'The publication indicates the target was not Gemalto per se - it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible, with the aim to monitor mobile communications without mobile network operators and users consent. We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation.
'Gemalto, the world leader in digital security, is especially vigilant against malicious hackers, and has detected, logged and mitigated many types of attempts over the years. At present we cannot prove a link between those past attempts and what was reported yesterday,
' the company's statement continues. 'We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques.
Neither the GCHQ nor the NSA have commented on the publication's claims.