In the latest installment of the Snowden files, it has emerged that the UK’s Government Communication Headquarters cyber spy agency and its stateside counterpart, the National Security Agency have managed to steal encryption keys used in SIM cards from Gemalto used by billions of mobile phone users.
The Netherlands-registered company makes up to two billion SIM cards a year and claims over 450 telcos as its clients.
According to an article by Jeremy Scahill and Josh Begley in the Intercept entitled the Great SIM Heist, GCHQ hacked Gemalto employees’ email accounts and in many cases found that encryption keys were emailed to telcos with simple to break encryption or even with no encryption at all.
A SIM card encryption key would allow spy agencies to listen in on conversations or data streams without the need for a court order and without leaving any trace of the interception in the network logs.
Most telcos have outsourced this tedious task of personalising SIM cards to companies such as Gemalto, which then gives the telcos the SIM cards and the corresponding keys to enter into their network.
The leaked GCHQ slide from 2010 showed that the UK spy agency had implanted software on several machines in Gemalto’s network and that they had access to their entire network.
GCHQ also had control over several telcos’ core network and billing systems, the latter being used to suppress activities that may have shown up during operations.