Follow Us

Snowden Report: U.S., U.K. Agencies Breach SIM Card Security

The NSA and Britain's GCHQ reportedly obtained keys to the SIM cards that encrypt wireless traffic between handsets and carriers.

Snowden Report: U.S., U.K. Agencies Breach SIM Card Security

Posted: 10:55 a.m. EST Feb 20, 2015

A new report in The Intercept says as far back as 2010, a joint U.S. and U.K. intelligence task force stole encryption keys for SIM cards used by a wide range of today's wireless carriers.

The NSA and Britain's Government Communications Headquarters, or GCHQ, specifically targeted Dutch SIM manufacturer Gemalto. It's one of the largest card makers and cranks out 2 billion cards a year for use all over the world.

All the big stateside carriers — AT&T, Verizon, T-Mobile and Sprint — use Gemalto's cards, for example.

The little cards can store data, like messages or apps. They're used for mobile payments in some areas and, critically, each one carries an encryption key known as a "Ki," which is physically burned into the structure of the chip and used for communicating with telecom networks.

According to documents leaked by Edward Snowden and obtained by The Intercept, intelligence agents secured millions of these "Kis" and have used them to monitor wireless communications — voice, text and data — without alerting carriers or end users to their activity.

As The Intercept suggests, there's no need for a warrant if telecom companies are oblivious to monitoring activity in the first place.

And getting the Kis might have been easier than it sounds, according to the report. Ars Technica explains SIM makers simply sent emails or files to wireless carriers with lists of these encryption codes for each new delivery of cards.

"By doing basic cyberstalking of Gemalto employees, the NSA and GCHQ were able to pilfer 'millions' of SIM Kis."

As Mark Rumold, staff attorney at the Electronic Frontier Foundation, explained it to The Guardian: "They have the functional equivalent of our house keys. That has serious implications for privacy not just here in the US but internationally."

In a news release on Friday, Gemalto said it is investigating. "We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation."

Security experts told The Guardian intelligence agencies could still be monitoring mobile communications. Remember, it's not easy for wireless providers or end users to spot the tracking.

The EFF offers one alternative: more heavily encrypted voice and text-messaging systems. The foundation does not yet have reason to believe the NSA — or anyone else — has cracked them yet.

This video includes images from Getty Images.

Top Stories

People walk outside the Westfield shopping mall at Bondi Junction in Sydney

Staff and shoppers return to Sydney mall 6 days after mass stabbings

There was a large police and security presence, with guards wearing black stab-proof vests posted on each level of the mall.

The Spotify app is displayed on an iPad.

Streaming music getting more expensive: How to keep costs down

Most streaming services charge about $10 or $11 per month for their music bundles, but there might be ways to cut the cost down.

An Iron Dome defense battery in Israel.

Israel launches retaliatory strike against Iran, US officials say

Israel had promised to retaliate for Iran's Saturday attack, in which Iran launched hundreds of drones and missiles.