Snowden documents reveal NSA, GCHQ have keys to everyone’s SIM cards
A new trove of documents released by whistle blower Edward Snowden reveals details of an operation by American and British spy agencies that gave them the encryption keys to effortlessly snoop into anyone’s communications done over a cellphone without leaving any tell-tale trace. The joint operation done by America’s National Security Agency (NSA) and Britain’s Government Communications Headquarter (GCHQ) managed to hack into the networks of the world’s largest SIM card manufacturer among others to “harvest” encryption keys burnt on SIM cards that are used to authenticate them on cellular networks.
The encryption keys would enable the spy agencies to gather surveillance data from cellular networks and decrypt any conversation – both voice and data – at their leisure. The agency targeted employees of Gemalto, which provides SIM cards to over 450 cellular carriers around the world, to remotely hack into the company’s network, and get the encryption keys.
Every SIM card has an encryption key burned into it that gets identified by the network’s base station, which lets the phone latch on to its network. SIM card manufacturers like Gemalto not only burn the encryption key, known as Ki, on the SIM card but also provide the list to carriers so they can be mapped on their network for authentication. The spy agencies intercepted the encryption keys during their transfer from Gemalto to its carrier clients.
The details published by The Intercept also reveal how the agencies gained access inside carrier networks that gave them ability to alter billing services and also decrypt voice, text and data communications of its target individuals. With the encryption keys in its hands, the agencies could not only listen into communications as they happened but also decrypt logs from data they have gathered in the past, considering the Ki is burnt into the SIM and doesn’t change till the time the SIM is in use. If the agencies have the Ki, they can decrypt communications from the past as well.
In its key harvesting “trial” operations in the first quarter of 2010, GCHQ successfully intercepted keys used by wireless network providers in Iran, Afghanistan, Yemen, India, Serbia, Iceland and Tajikistan, the publication reports. With the keys in their hands, the agency does not have to deal with international or domestic laws and processes to make requests to snoop into its targets’ communications. They can do it effortlessly till the time they are able to intercept encrypted data.
The revelation will have major impact in global telecom and security industries and will also spook many nations, considering the technique employed neither leaves any trace nor requires any physical implant in the target’s phone.
The project exploited a fundamental vulnerability in the technology on which all telecom carriers work globally. Unlike modern Internet services, cellular networks don’t employ Perfect Forward Security that provides a new encryption key for every communication and discards them later. Instead, they rely on the same encryption key that is used for years. Instead of figuring out a reliable way to decrypt encrypted communication, the agencies decided to get the keys itself.
The revelation also raises questions that if the American and British agencies were able to get hold of the SIM card encryption keys, what about other countries? Also, the solution now would be an overhaul of global cellular networks, which would not only take billions of dollars of investments but will also leave them vulnerable for years till they don’t change the technology.