The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle

https://firstlook.org/theintercept/2015/02/19/great-sim-heist/


13 Comments

  1. Tomi Engdahl says:

    SIM card security scare: Gemalto is investigating UK and US hack allegations
    http://www.theinquirer.net/inquirer/news/2396223/sim-card-security-scare-gemalto-is-investigatiing-uk-and-us-hack-allegations

    SIM CARD COMPANY Gemalto has reacted to reports that US and UK spy agencies have hacked their way into its heart, pinched its security crown jewels, and hopped right into global communications.

    US news website The Intercept, a frequent host of Snowden revelations, claims to have evidence that GCHQ and the US National Security Agency (NSA) worked together to hack Gemalto and steal its encryption keys. This potentially gave the agencies an easy way to eavesdrop on global mobile communications.

    “The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including voice and data,” said The Intercept.

    The Great SIM Heist
    How Spies Stole the Keys to the Encryption Castle
    https://firstlook.org/theintercept/2015/02/19/great-sim-heist/

    AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

    The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ.

    The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world.

    In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”

    With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

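The last paragraph of that excerpt makes a point worth seeing in code: in a 2G-style design the session key is a pure function of the SIM's long-term secret Ki and the network's challenge RAND, and RAND travels in the clear, so a recording of (RAND, ciphertext) made years earlier becomes readable the moment Ki leaks. The toy model below is an added illustration, not code from The Intercept or from Gemalto; HMAC-SHA256 and a SHA-256 counter keystream are stand-ins for the real A8/A5 algorithms, the function names are my own, and the keys and messages are constructed.

```python
import hashlib
import hmac
import os

KI_BYTES = 16  # constructed stand-in for a 128-bit SIM secret

def make_ki() -> bytes:
    """Stand-in for the Ki burned into a SIM at manufacture (random here)."""
    return os.urandom(KI_BYTES)

def derive_session_key(ki: bytes, rand: bytes) -> bytes:
    """Toy replacement for the A8 step: Kc depends only on Ki and RAND.
    Nothing ephemeral from the handset enters the derivation."""
    return hmac.new(ki, b"session-key" + rand, hashlib.sha256).digest()

def keystream(kc: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode) standing in for A5."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(kc + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_call(ki: bytes, plaintext: bytes) -> dict:
    """Network side: fresh RAND, derive Kc, XOR-encrypt. Only RAND and the
    ciphertext cross the air interface, which is all a passive listener sees."""
    rand = os.urandom(16)
    kc = derive_session_key(ki, rand)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(kc, len(plaintext))))
    return {"rand": rand, "ciphertext": ct}

def decrypt_recording(ki: bytes, recording: dict) -> bytes:
    """Anyone holding Ki re-derives Kc from the recorded RAND and decrypts,
    however old the recording is: the scheme has no forward secrecy."""
    kc = derive_session_key(ki, recording["rand"])
    ct = recording["ciphertext"]
    return bytes(c ^ k for c, k in zip(ct, keystream(kc, len(ct))))

def demo():
    """Archive two calls, then show that a wrong Ki yields garbage while the
    (later-compromised) real Ki opens every archived recording."""
    ki = make_ki()
    recordings = [encrypt_call(ki, m) for m in (b"call one", b"call two")]
    wrong = decrypt_recording(make_ki(), recordings[0])
    recovered = [decrypt_recording(ki, r) for r in recordings]
    return wrong, recovered

if __name__ == "__main__":
    garbage, calls = demo()
    print("without Ki:", garbage)
    print("with Ki:   ", calls)
```

The defensive takeaway is the contrast the model makes visible: once every session key is derived from one long-term secret plus public data, the confidentiality of past traffic is only as good as the custody of that secret, which is why later designs add per-session ephemeral contributions so that a key compromise cannot be applied retroactively.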
  2. Tomi Engdahl says:

    Information regarding a report mentioning a hacking of SIM card encryption keys
    http://www.gemalto.com/press/Pages/Information-regarding-a-report-mentioning-a-hacking-of-SIM-card-encryption-keys.aspx

    Amsterdam, February 20, 2015 – A publication reported yesterday that in 2010 and 2011, a joint unit composed of operatives from the British GCHQ (Government Communications Headquarters) and the American NSA (National Security Agency) hacked SIM card encryption keys engraved in Gemalto (Euronext NL0000400653 – GTO) and possibly other SIM vendors’ cards. The publication indicates the target was not Gemalto per se – it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible, with the aim to monitor mobile communications without mobile network operators and users consent. We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation.

    Gemalto, the world leader in digital security, is especially vigilant against malicious hackers, and has detected, logged and mitigated many types of attempts over the years. At present we cannot prove a link between those past attempts and what was reported yesterday.

  3. Tomi Engdahl says:

    Gemalto World leader in Digital Security:
    Despite NSA hacking claims, Gemalto says initial conclusions indicate SIM products are secure
    http://www.gemalto.com/press/Pages/Update-on-the-SIM-card-encryption-keys-matter.aspx

  4. Tomi Engdahl says:

    Gemalto: Spooks popped our LANs, not SIM keys
    ‘Investigation’ admits to attacks, but says SIM secrets stayed secure
    http://www.theregister.co.uk/2015/02/25/gemalto_spooks_popped_our_lans_not_sim_keys/

    SIM secrets supremos Gemalto has conducted an investigation into the NSA’s and GCHQ’s infiltration of its offices and says while the agencies did get in, they didn’t get in far enough to siphon out SIM encryption keys.

    In a statement sent to El Reg, the company’s “… investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened”.

    The company’s reached that conclusion after revisiting some attacks it recorded in those years, which it says were repelled without identifying the perps.

    “No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.”

    The attacks therefore “could not have resulted in a massive theft of SIM encryption keys.”

    Even if spooks had been able to get deeper into its networks and finger some keys, Gemalto reckons any attack would have been possible on 2G networks. With much of the world having moved to 3G or 4G at the time of the attacks, that means any snooping would have had limited impact.

  5. Tomi Engdahl says:

    Gemalto:
    Gemalto confirms hack by NSA and GCHQ, but says no massive theft of SIM encryption keys, only a breach of its office network

    Gemalto presents the findings of its investigations into the alleged hacking of SIM card encryption keys by Britain’s Government Communications Headquarters (GCHQ) and the U.S. National Security Agency (NSA)
    http://www.gemalto.com/press/Pages/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx

    “The operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally. By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft”

    “In the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack”

    “None of our other products were impacted by this attack”

  6. Tomi Engdahl says:

    NSA, GCHQ Theft of SIM Crypto Keys Raises Fresh Security Concerns
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1325798&

    Pilfered SIM card encryption keys also could allow the spy agencies to deploy malicious Java applets or to send rogue SMS messages from fake cell towers, experts say.

    News that the U.S. National Security Agency (NSA) and Britain’s Government Communications Headquarters (GCHQ) reportedly stole encryption keys used in SIM cards manufactured by Gemalto is sure to reignite major concerns over the surveillance tactics employed by two of the world’s largest spy agencies.

    The $2.7 billion Netherlands-based Gemalto supplies SIM chips used widely in mobile products from AT&T, Verizon, T-Mobile, Sprint and more than 400 wireless service providers around the world. Its chips are also used in bankcards, access cards, passports and identity cards around the world.

    The stolen keys give the two agencies a way to intercept and monitor cellphones without the need for a warrant or a wiretap, and without leaving any trace on the wireless service provider’s network, the Intercept report said.

  7. Tomi Engdahl says:

    Not even GCHQ and NSA can crack our SIM key database, claims Gemalto
    If snooping was done, it was done via comms intercept
    http://www.theregister.co.uk/2015/02/25/gemalto_gchq_and_nsa_didnt_hack_our_sim_database/

    SIM card manufacturer Gemalto has given more details of what it understands is behind the reports that GCHQ and the NSA got their mitts on the encryption keys for its SIM cards.

    As we reported earlier, the company says it detected intrusions and prevented them, and that at no time were the systems which held information on the keys penetrated. If an intercept took place, it would have been when an actor listened into Gemalto’s comms, the firm claims.

    “It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks, explains why the intelligence services instead chose to target the data as it was transmitted between suppliers and mobile operators,” says the statement, while at the same time refusing to confirm or deny that the attacks actually took place.

    Gemalto now wants to draw a line under the hacking issue. “Gemalto will continue to monitor its networks and improve its processes. We do not plan to communicate further on this matter unless a significant development occurs,”

  8. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / Motherboard:
    As Gemalto downplays breach by NSA and GCHQ, experts say six day investigation was likely insufficient

    World’s Largest SIM Card Maker Has No Clue Whether It Was Hacked by the NSA
    http://motherboard.vice.com/read/worlds-largest-sim-card-maker-has-no-clue-whether-it-was-hacked-by-the-nsa

    Last week, new documents leaked by Edward Snowden revealed one of the NSA and GCHQ’s most daring operations: the heist of thousands of encryption keys from cellphone SIM card maker Gemalto, which potentially gave the spy agencies the ability to eavesdrop on the phone calls of millions of people all over the world.

    Now, Gemalto says it’s done a “thorough” investigation and has “reasonable grounds” to believe it was, indeed, hacked by the American and British spies—but the company goes out of the way to downplay the breach.

    But cybersecurity experts are very skeptical of Gemalto’s conclusions.

    In the press release, Gemalto refers to two “sophisticated” hacking attempts it detected in 2010 and 2011, which at the time it didn’t think were coming from NSA or GHCQ. But now, given the Snowden documents, the company believes those attacks actually came from the spy agencies.

    The two “sophisticated” attacks are described pretty vaguely.

    But for Ronald Prins, the founder of Dutch security firm Fox-IT, Gemalto has “no clue if the traces they’ve seen were from the NSA,” since the spy agency is “very good” at removing evidence of its attacks, and using phishing emails with malware is not the way the NSA hacks its targets.

    Prins would know, since he was part of the investigation into the GCHQ hack on the Belgian telecom provider Belgacom.

    “That’s not the way we’ve seen the NSA work, which is very much more sophisticated,” Prins told Motherboard.

    “It’s possible that they only breached the office network,” Matthew Green, a cryptography professor at Johns Hopkins University, told Motherboard. “But what we know is that these organizations are pretty good at quietly hacking things.”

    In other words, Gemalto might never really find out how badly it got hacked.

    Moreover, some are surprised at the quickness of Gemalto’s investigation, given that these types of probes usually take weeks or months. The investigation on the Belgacom attack, for example, took months, and its results aren’t even out yet. Same with the Sony hack.

    “I cannot imagine that they’ve actually done a thorough forensic [investigation] into their current network,” Prins said, adding that it seems the company just analyzed the results of previous investigations.

    Green, the cryptographer, also said he was “very dubious” of Gemalto’s claim that even in the case of an “eventual key theft” only old-generation 2G networks would be vulnerable, and not more recent 3G or 4G networks—which would mean only a small fraction of users were affected.

    “Technically I have no idea what they’re talking about,” he said, adding that the whole point of the SIM heist was to get access to the keys that would allow NSA and GCHQ to bypass the encryption on 3G and 4G phone calls, allowing the agencies to spy on phone calls that were supposed to be secure. “If they’re confident that those keys could not have been stolen, then they should explain why,” Green added. “Probably this is just ‘we don’t have any evidence that those keys were stolen.’”

  9. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Gemalto hack may have given NSA and GCHQ power to remotely install spyware on any phone
    http://www.theverge.com/2015/2/24/8101585/the-nsas-sim-heist-could-have-given-it-the-power-to-plant-spyware-on

    Last week, The Intercept published shocking new documents detailing a campaign by US and UK spies to hack into the SIM manufacturer Gemalto, stealing crucial encryption keys that protect and authenticate cellphone signals. But while it was clearly a major attack, I had a hard time seeing the operational benefits for the world’s spy agencies. SIM encryption only protects calls between your phone and the cell tower

    But in the days since the report published, there’s been concern over an even more frightening line of attack. The stolen SIM keys don’t just give the NSA the power to listen in on calls, but potentially to plant spyware on any phone at any time. Once the stolen keys have bypassed the usual protections, the spyware would live on the SIM card itself, undetectable through conventional tools, able to pull data and install malicious software. If the NSA and GCHQ are pursuing that capability, it could be one of the biggest threats unearthed by Snowden so far.

    Our earlier report focused on the Ki keys, used to encrypt traffic between the phone and the tower — but this new attack uses a different set of keys known as OTA keys, short for “over-the-air.” Each SIM card gets its own OTA key, typically used to remotely install updates. Manufacturers can send a binary text message directly to the SIM card, and as long as it’s signed with the proper OTA key, the card will install the attached software without question. If those keys were compromised, it would give an attacker carte blanche to install all manner of spyware.

    “It’s scary,” Guarnieri says. “If the NSA and GCHQ have obtained a large quantity of OTA keys, we’re facing the biggest threat to mobile security ever.”

    The OTA key works as a kind of golden key to the SIM card, allowing almost total access to anyone who has it. Karsten Nohl, a researcher best known for his work on BadUSB, explored SIM hacks as part of a Black Hat presentation in 2013, and says the OTA keys would be a very likely target for an intelligence agency. The Intercept’s documents also mention compromising Gemalto’s ability to alter SMS records, which could be used to erase any suspicious OTA updates. The result would be a completely invisible program, running in an inaccessible portion of the phone. “It would be completely hidden from the user,” says Nohl.

    Earlier leaks show that the NSA has already developed malware that would work in just this way. The NSA’s exploit catalog (first published by Der Spiegel) lists two different SIM-based malware apps: MONKEYCALENDAR sends back location data through hidden SMS messages, while GOPHERSET pulls a user’s phone book, text and call logs. In both cases, the malware lives entirely on the SIM card, leaving no trace on the internal storage of the device. Neither slide says how the malware would be implanted, but once the OTA keys have been stolen, it would be as simple as sending a text.

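The Verge piece above describes the OTA mechanism in one sentence: a binary SMS reaches the SIM, the card checks it against its per-card OTA key, and if the check passes the card installs whatever was attached. The following is an added model of that card-side check, written for this thread and not taken from the article, from Nohl's work or from any SIM vendor. It assumes a frame layout of counter || payload || MAC and uses a truncated HMAC-SHA256 in place of the DES-based MAC the real SMS security standard uses; all names and keys are constructed. It exists to make two things concrete: the card has no notion of who sent the frame, only whether the MAC and counter are right, and a replay counter is the only thing that stops a once-valid frame from being accepted again.

```python
import hashlib
import hmac
import struct

MAC_LEN = 8  # truncated tag, a stand-in for the short MACs carried in SMS

class OtaError(Exception):
    """Raised by the card-side verifier when a frame must not be installed."""

def build_ota_message(ota_key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side. Frame = counter (4 bytes, big-endian) || payload || MAC.
    Any party holding ota_key produces a frame the card will accept; the
    card cannot distinguish the legitimate operator from a key holder."""
    body = struct.pack(">I", counter) + payload
    tag = hmac.new(ota_key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag

def verify_ota_message(ota_key: bytes, frame: bytes, last_counter: int):
    """Card side. Checks length, MAC (constant-time compare) and that the
    counter is strictly newer than the last accepted one (anti-replay).
    Returns (counter, payload) or raises OtaError."""
    if len(frame) < 4 + MAC_LEN:
        raise OtaError("frame too short")
    body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
    expected = hmac.new(ota_key, body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(tag, expected):
        raise OtaError("bad MAC")
    counter = struct.unpack(">I", body[:4])[0]
    if counter <= last_counter:
        raise OtaError("replayed or stale counter")
    return counter, body[4:]

class ToySim:
    """Minimal card state: its OTA key, the last accepted counter, and the
    list of payloads it has 'installed'."""

    def __init__(self, ota_key: bytes):
        self.ota_key = ota_key
        self.last_counter = 0
        self.installed = []

    def receive(self, frame: bytes) -> str:
        try:
            counter, payload = verify_ota_message(self.ota_key, frame, self.last_counter)
        except OtaError as exc:
            return f"rejected: {exc}"
        self.last_counter = counter
        self.installed.append(payload)
        return "installed"

if __name__ == "__main__":
    key = bytes(16)  # constructed demo key
    sim = ToySim(key)
    frame = build_ota_message(key, 1, b"update-A")
    print(sim.receive(frame))          # installed
    print(sim.receive(frame))          # rejected: replayed or stale counter
    print(sim.receive(build_ota_message(b"\x01" * 16, 2, b"update-B")))  # rejected: bad MAC
```

Read against the article, the model shows where each claim lands: the MAC check is the only gate, so its strength is exactly the secrecy of the per-card key, and the counter is what a card keeps in order to refuse a replayed update; neither check helps once the key itself has been copied from the supplier's side, which is why the excerpt treats bulk OTA key exposure as the serious case.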
  10. Tomi Engdahl says:

    SIM Card Maker Gemalto Is Morally Obligated to Sue the NSA for Hacking
    http://motherboard.vice.com/read/sim-card-maker-gemalto-is-morally-obligated-to-sue-the-nsa-for-hacking?trk_source=recommended

    Gemalto, the SIM card manufacturer and allegedly the target of one of the largest NSA hacks of all time, has announced that it’s not going to sue the intelligence agency. But it should.

    “It’s difficult to prove our conclusions legally, so we’re not going to take legal action,” Olivier Piou, Gemalto’s CEO, said at a press conference this morning in Paris. “The history of going after a state shows it is costly, lengthy and rather arbitrary.”

    On that, he’s wrong, experts say. The specificity of the documents, and the results of a hasty internal investigation by Gemalto provide actionable intelligence (that’s a term the NSA likes, right?) that gives the company an unprecedented opportunity to take the NSA to court. And it may have a moral obligation to do so.

    “We encourage Gemalto to take legal action wherever possible—whether in US courts or in Europe—against the NSA and GCHQ for attacking the company and the security of its users,” Peter Micek, an attorney at digital rights nonprofit Access, told me.

    “It’s rare that companies have such clear evidence to present in court,” Micek said. “For example, despite revelation after revelation, remedy has been nearly impossible to reach for victims of NSA surveillance due to standing issues and national security claims… to rebuild trust, companies need to use every possible opportunity to haul the NSA into court—even just to get some discovery or clarify legal arguments.”

    He’s right. The initial documents leaked by Snowden were evidence that the NSA was scraping call information from Verizon, and a followup revealed PRISM, in which the NSA had direct access to the servers of Google, Apple, Microsoft, Yahoo, and other major tech companies. The idea that any American-made tech could be subject to surveillance has scared off investors. In fact, the Chinese government just announced it would no longer do business with many American tech companies. While companies have condemned the NSA, few have actually taken the agency to court.

  11. Tomi Engdahl says:

    SIM hack scandal biz Gemalto: Everything’s fine … Security industry: No, it’s really not
    Why so confident, infosec bods wonder
    http://www.theregister.co.uk/2015/02/25/gemalto_everythings_fine_security_industry_hang_on_a_minute/

    Six days ago Gemalto, the world’s largest SIM card manufacturer, was told that back in 2010 it had been ransacked by NSA and GCHQ hackers. Today the company gave itself the all-clear: no encryption keys, used to secure phone calls from eavesdroppers, were stolen, it claims.

    Yet the IT security industry is not so sure.

    At a press conference in Paris on Wednesday the Dutch firm’s CEO, Olivier Piou, said that while its office networks were compromised, the servers holding the SIM card encryption keys weren’t.

    That data was and remains secure, Piou said. The keys are sent out to cell network owners using a “secure transfer system,” which should keep the information out of the hands of the spooks.

    “Gemalto is surprisingly confident that it now knows exactly the scope of the GCHQ/NSA penetration that it didn’t detect in the first place,” said Matt Blaze, associate professor of computer and information science at the University of Pennsylvania. “Getting compromised by a targeted GCHQ/NSA operation isn’t negligent, but underestimating the implications of it is.”

    The firm’s CEO said at his press conference that the intelligence agencies were probably behind various security breaches detected within his company in 2010 and 2011, but he won’t be taking legal action since this is often ineffective.

  12. Tomi Engdahl says:

    This should be learned from the Gemalto data breach

    The SIM card manufacturer’s data breach shows that individual, unsuspecting workers are still often the focal point of attacks, points out the security company Check Point.

    Check Point has studied the background of the Gemalto data breach. One of the leaks started with traditional phishing: a Gemalto employee received fake emails whose attachment loaded malware onto his computer and, through it, onto the corporate network.

    In the second case, the cybercriminal followed the message traffic that an individual worker exchanged with an external party from the corporate network.

    Check Point points out that people work with a wide range of organisations, receive a lot of messages and exchange large amounts of information every day. This provides opportunities for criminals.

    “Staff are the company’s most important asset in terms of security, so training to detect suspicious approaches is of paramount importance,”

    This, according to him, is still not enough, because to err is human: “Security should be thought of holistically, and in addition to training, modern technical solutions are required. For example, suspicious e-mail attachments should be opened in a controlled environment, a sandbox, where they cannot spread further before being checked.”

    Source: http://www.tivi.fi/Kaikki_uutiset/2015-03-03/T%C3%A4m%C3%A4-pit%C3%A4isi-oppia-Gemalton-tietomurrosta-3216639.html

  13. Tomi Engdahl says:

    Sales up at NSA SIM hack scandal biz Gemalto
    Dutch biz points to ‘challenges’ experienced last year
    http://www.theregister.co.uk/2015/03/05/gemalto_posts_results/

    Sales at the world’s biggest SIM card maker, Gemalto, which was last month revealed to have been hacked by the NSA and GCHQ, rose by five per cent to €2.5bn (£1.8bn) in 2014.

    Following the hack, the company’s share price fell by $470m last month. However, the latest results do not appear to have appeased investors, with shares falling 3.2 points due to what has been deemed a disappointing performance.

    Gross profit was up by two per cent to €952m (£690m). Revenue in the US rose 32 per cent, it said.

    “As always, our success is built on trust. Our customers trust us to facilitate their relationships with end-users, and to safeguard their reputations and their data,”

    In February, it was revealed that the NSA and Britain’s GCHQ had hacked the company to harvest the encryption keys, according to documents leaked by former NSA sysadmin, whistleblower Edward Snowden.
