They're Listening! U.S., U.K. Intelligence Agencies Hack SIM Card Manufacturer

Updated | The National Security Agency and its British counterpart, the Government Communications Headquarters (GCHQ), jointly hacked the internal networks of a major SIM card manufacturer, stealing encryption keys used to protect the privacy of communications, The Intercept reported on Thursday, referring to documents provided by NSA whistleblower Edward Snowden.

The SIM card manufacturer, Gemalto, is a multinational firm incorporated in the Netherlands. It serves about 450 wireless service providers, including Verizon, AT&T, Sprint and T-Mobile, in 85 countries. The company had no idea its systems had been compromised, according to The Intercept.

"The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn't happen again," Paul Beverly, a Gemalto executive vice president, told The Intercept.

At the time, Beverly said he was unsure whether the telecom companies had also been compromised as a result of the hack, or the extent to which customers' privacy would be affected. The company immediately launched an internal investigation.

When the breach was originally reported by The Intercept, the publication explained that the security breach could allow intelligence agencies to spy on mobile communications, both domestic and foreign, without using traditional means of snooping, such as wiretapping or seeking approval from the telecommunications companies or the courts.

Almost a week later, Gemalto's internal investigation findings downplayed the impact. The report claimed the intrusion "probably happened," but it "could not have resulted in a massive theft of SIM encryption keys" because "[b]y 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions...could have led to theft."

The NSA and GCHQ penetrated Gemalto's networks by first cyberstalking the company's employees, as well as people who worked for major telecommunications companies. By getting into these employees' email and Facebook accounts, the agencies were able to determine who would have access to the core systems that stored the secret keys the NSA and GCHQ wanted. Many of the encryption keys were lifted from private communications between these Gemalto employees and their telecom business partners.

Once the employees were identified, the intelligence agencies looked for information that would lead them into Gemalto's systems.

"Key theft enables the bulk, low-risk surveillance of encrypted communications," Christopher Soghoian, the American Civil Liberties Union's principal technologist, told The Intercept. "Agencies can collect all the communications and then look through them later. With the keys, they can decrypt whatever they want, whenever they want. It's like a time machine, enabling the surveillance of communications that occurred before someone was even a target."

He added: "We need to stop assuming that the phone companies will provide us with a secure method of making calls or exchanging text messages."

In a statement to USA Today, GCHQ said, "all of GCHQ's work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee."

The NSA declined to comment to The Intercept or USA Today.