You are here

The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle

1 post / 0 new
The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle


The Great SIM Heist
How Spies Stole the Keys to the Encryption Castle

By Jeremy Scahill and Josh Begley
@jeremyscahill @joshbegley
Yesterday at 11:25 AM

AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 [url= document[/url], gave the surveillance agencies the potential to secretly monitor a large portion of the worlds cellular communications, including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is Security to be Free.

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless providers network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

As part of the covert operations against Gemalto, spies from GCHQ with support from the NSA mined the private communications of unwitting engineers and other company employees in multiple countries.

Gemalto was totally oblivious to the penetration of its systems and the spying on its employees. Im disturbed, quite concerned that this has happened, Paul Beverly, a Gemalto executive vice president, told The Intercept. The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesnt happen again, and also to make sure that theres no impact on the telecom operators that we have served in a very trusted manner for many years. What I want to understand is what sort of ramifications it has, or could have, on any of our customers. He added that the most important thing for us now is to understand the degree of the breach.

Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment. Once you have the keys, decrypting traffic is trivial, says Christopher Soghoian, the principal technologist for the American Civil Liberties Union. The news of this key theft will send a shock wave through the security community.

Beverly said that after being contacted by The Intercept, Gemaltos internal security team began on Wednesday to investigate how their system was penetrated and could find no trace of the hacks. When asked if the NSA or GCHQ had ever requested access to Gemalto-manufactured encryption keys, Beverly said, I am totally unaware. To the best of my knowledge, no.

According to one [url= GCHQ slide[/url], the British intelligence agency penetrated Gemaltos internal networks, planting malware on several computers, giving GCHQ secret access. We believe we have their entire network, the slides author boasted about the operation against Gemalto.

Additionally, the spy agency targeted unnamed cellular companies core networks, giving it access to sales staff machines for customer information and network engineers machines for network maps. GCHQ also claimed the ability to manipulate the billing servers of cell companies to suppress charges in an effort to conceal the spy agencys secret actions against an individuals phone. Most significantly, GCHQ also penetrated authentication servers, allowing it to decrypt data and voice communications between a targeted individuals phone and his or her telecom providers network. A note accompanying the slide asserted that the spy agency was very happy with the data so far and [was] working through the vast quantity of product.

The Mobile Handset Exploitation Team (MHET), whose existence has never before been disclosed, was formed in April 2010 to target vulnerabilities in cellphones. One of its main missions was to covertly penetrate computer networks of corporations that manufacture SIM cards, as well as those of wireless network providers. The team included operatives from both GCHQ and the NSA.

While the FBI and other U.S. agencies can obtain court orders compelling U.S.-based telecom companies to allow them to wiretap or intercept the communications of their customers, on the international front this type of data collection is much more challenging. Unless a foreign telecom or foreign government grants access to their citizens data to a U.S. intelligence agency, the NSA or CIA would have to hack into the network or specifically target the users device for a more risky active form of surveillance that could be detected by sophisticated targets. Moreover, foreign intelligence agencies would not allow U.S. or U.K. spy agencies access to the mobile communications of their heads of state or other government officials.

Its unbelievable. Unbelievable, said Gerard Schouw, a member of the Dutch Parliament, when told of the spy agencies actions. Schouw, the intelligence spokesperson for D66, the largest opposition party in the Netherlands, told The Intercept, We dont want to have the secret services from other countries doing things like this. Schouw added that he and other lawmakers will ask the Dutch government to provide an official explanation and to clarify whether the countrys intelligence services were aware of the targeting of Gemalto, whose official headquarters is in Amsterdam.

Last November, the Dutch government proposed an amendment to its constitution to include explicit protection for the privacy of digital communications, including those made on mobile devices. We have, in the Netherlands, a law on the [activities] of secret services. And hacking is not allowed, Schouw said. Under Dutch law, the interior minister would have to sign off on such operations by foreign governments intelligence agencies. I dont believe that he has given his permission for these kind of actions.

The U.S. and British intelligence agencies pulled off the encryption key heist in great stealth, giving them the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted. Gaining access to a database of keys is pretty much game over for cellular encryption, says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is bad news for phone security. Really bad news.

AS CONSUMERS BEGAN to adopt cellular phones en masse in the mid-1990s, there were no effective privacy protections in place. Anyone could buy a cheap device from RadioShack capable of intercepting calls placed on mobile phones. The shift from analog to digital networks introduced basic encryption technology, though it was still crackable by tech savvy computer science graduate students, as well as the FBI and other law enforcement agencies, using readily available equipment.

Today, second-generation (2G) phone technology, which relies on a deeply flawed encryption system, remains the dominant platform globally, though U.S. and European cellphone companies now use 3G, 4G and LTE technology in urban areas. These include more secure, though not invincible, methods of encryption, and wireless carriers throughout the world are upgrading their networks to use these newer technologies.

It is in the context of such growing technical challenges to data collection that intelligence agencies, such as the NSA, have become interested in acquiring cellular encryption keys. With old-fashioned [2G], there are other ways to work around cellphone security without those keys, says Green, the Johns Hopkins cryptographer. With newer 3G, 4G and LTE protocols, however, the algorithms arent as vulnerable, so getting those keys would be essential.

The privacy of all mobile communications voice calls, text messages and Internet access depends on an encrypted connection between the cellphone and the wireless carriers network, using keys stored on the SIM, a tiny chip smaller than a postage stamp, which is inserted into the phone. All mobile communications on the phone depend on the SIM, which stores and guards the encryption keys created by companies like Gemalto. SIM cards can be used to store contacts, text messages, and other important data, like ones phone number. In some countries, SIM cards are used to transfer money. As The Intercept reported last year, [url=]having the wrong SIM card can make you the target of a drone strike[/url].

SIM cards were not invented to protect individual communications they were designed to do something much simpler: ensure proper billing and prevent fraud, which was pervasive in the early days of cellphones. Soghoian compares the use of encryption keys on SIM cards to the way Social Security numbers are used today. Social security numbers were designed in the 1930s to track your contributions to your government pension, he says. Today they are used as a quasi national identity number, which was never their intended purpose.

Because the SIM card wasnt created with call confidentiality in mind, the manufacturers and wireless carriers dont make a great effort to secure their supply chain. As a result, the SIM card is an extremely vulnerable component of a mobile phone. I doubt anyone is treating those things very carefully, says Green. Cell companies probably dont treat them as essential security tokens. They probably just care that nobody is defrauding their networks. The ACLUs Soghoian adds, These keys are so valuable that it makes sense for intel agencies to go after them.

As a general rule, phone companies do not manufacture SIM cards, nor program them with secret encryption keys. It is cheaper and more efficient for them to outsource this sensitive step in the SIM card production process. They purchase them in bulk with the keys pre-loaded by other corporations. Gemalto is the largest of these SIM personalization companies.

After a SIM card is manufactured, the encryption key, known as a Ki, is burned directly onto the chip. A copy of the key is also given to the cellular provider, allowing its network to recognize an individuals phone. In order for the phone to be able to connect to the wireless carriers network, the phone with the help of the SIM authenticates itself using the Ki that has been programmed onto the SIM. The phone conducts a secret handshake that validates that the Ki on the SIM matches the Ki held by the mobile company. Once that happens, the communications between the phone and the network are encrypted. Even if GCHQ or the NSA were to intercept the phone signals as they are transmitted through the air, the intercepted data would be a garbled mess. Decrypting it can be challenging and time-consuming. Stealing the keys, on the other hand, is beautifully simple, from the intelligence agencies point of view, as the pipeline for producing and distributing SIM cards was never designed to thwart mass surveillance efforts.

One of the creators of the encryption protocol that is widely used today for securing emails, Adi Shamir, famously asserted: Cryptography is typically bypassed, not penetrated. In other words, it is much easier (and sneakier) to open a locked door when you have the key than it is to break down the door using brute force. While the NSA and GCHQ have substantial resources dedicated to breaking encryption, it is not the only way and certainly not always the most efficient to get at the data they want. NSA has more mathematicians on its payroll than any other entity in the U.S., says the ACLUs Soghoian. But the NSAs hackers are way busier than its mathematicians.

GCHQ and the NSA could have taken any number of routes to steal SIM encryption keys and other data. They could have physically broken into a manufacturing plant. They could have broken into a wireless carriers office. They could have bribed, blackmailed or coerced an employee of the manufacturer or cellphone provider. But all of that comes with substantial risk of exposure. In the case of Gemalto, hackers working for GCHQ remotely penetrated the companys computer network in order to steal the keys in bulk as they were en route to the wireless network providers.

SIM card personalization companies like Gemalto ship hundreds of thousands of SIM cards at a time to mobile phone operators across the world. International shipping records obtained by The Intercept show that in 2011, Gemalto shipped 450,000 smart cards from its plant in Mexico to Germanys Deutsche Telekom in just one shipment.

In order for the cards to work and for the phones communications to be secure, Gemalto also needs to provide the mobile company with a file containing the encryption keys for each of the new SIM cards. These master key files could be shipped via FedEx, DHL, UPS or another snail mail provider. More commonly, they could be sent via email or through File Transfer Protocol, FTP, a method of sending files over the Internet.

The moment the master key set is generated by Gemalto or another personalization company, but before it is sent to the wireless carrier, is the most vulnerable moment for interception. The value of getting them at the point of manufacture is you can presumably get a lot of keys in one go, since SIM chips get made in big batches, says Green, the cryptographer. SIM cards get made for lots of different carriers in one facility. In Gemaltos case, GCHQ hit the jackpot, as the company manufactures SIMs for hundreds of wireless network providers, including all of the leading U.S. and many of the largest European companies.

But obtaining the encryption keys while Gemalto still held them required finding a way into the companys internal systems.


TOP-SECRET GCHQ documents reveal that the intelligence agencies accessed the email and Facebook accounts of engineers and other employees of major telecom corporations and SIM card manufacturers in an effort to secretly obtain information that could give them access to millions of encryption keys. They did this by utilizing the NSAs X-KEYSCORE program, which allowed them access to private emails hosted by the SIM card and mobile companies servers, as well as those of major tech corporations, including Yahoo and Google.

In effect, GCHQ clandestinely [url= Gemalto employees[/url], scouring their emails in an effort to find people who may have had access to the companys core networks and Ki-generating systems. The intelligence agencys goal was to find information that would aid in breaching Gemaltos systems, making it possible to steal large quantities of encryption keys. The agency hoped to intercept the files containing the keys as they were transmitted between Gemalto and its wireless network provider customers.

GCHQ operatives identified key individuals and their positions within Gemalto and then dug into their emails. In one instance, GCHQ zeroed in on a Gemalto employee in Thailand who they observed sending PGP-encrypted files, noting that if GCHQ wanted to expand its Gemalto operations, he would certainly be a good place to start. They did not claim to have decrypted the employees communications, but noted that the use of PGP could mean the contents were potentially valuable.

The cyberstalking was not limited to Gemalto. GCHQ operatives wrote a script that allowed the agency to mine the private communications of employees of major telecommunications and SIM personalization companies for technical terms used in the assigning of secret keys to mobile phone customers. Employees for the SIM card manufacturers and wireless network providers were labeled as known individuals and operators targeted in a top-secret GCHQ document.

According to that April 2010 document, [url= Harvesting at Scale,[/url] hackers working for GCHQ focused on harvesting massive amounts of individual encryption keys in transit between mobile network operators and SIM card personalisation centres like Gemalto. The spies developed a methodology for intercepting these keys as they are transferred between various network operators and SIM card providers. By that time, GCHQ had developed an automated technique with the aim of increasing the volume of keys that can be harvested.

The PCS Harvesting document acknowledged that, in searching for information on encryption keys, GCHQ operatives would undoubtedly vacuum up a large number of unrelated items from the private communications of targeted employees. [H]owever an analyst with good knowledge of the operators involved can perform this trawl regularly and spot the transfer of large batches of [keys].

The document noted that many SIM card manufacturers transferred the encryption keys to wireless network providers by email or FTP with simple encryption methods that can be broken or occasionally with no encryption at all. To get bulk access to encryption keys, all the NSA or GCHQ needed to do was intercept emails or file transfers as they were sent over the Internet something both agencies already do millions of times per day. A footnote in the 2010 document observed that the use of strong encryption products is becoming increasingly common in transferring the keys.

In its key harvesting trial operations in the first quarter of 2010, [url= successfully intercepted keys[/url] used by wireless network providers in Iran, Afghanistan, Yemen, India, Serbia, Iceland and Tajikistan. But, the agency noted, its automated key harvesting system failed to produce results against Pakistani networks, denoted as priority targets in the document, despite the fact that GCHQ had a store of Kis from two providers in the country, Mobilink and Telenor. [I]t is possible that these networks now use more secure methods to transfer Kis, the document concluded.

From December 2009 through March 2010, a month before the Mobile Handset Exploitation Team was formed, GCHQ conducted a number of trials aimed at extracting encryption keys and other personalized data for individual phones. In one two-week period, they accessed the emails of 130 people associated with wireless network providers or SIM card manufacturing and personalization. This operation produced nearly 8,000 keys matched to specific phones in 10 countries. In another two-week period, by mining just six email addresses, they produced 85,000 keys. At one point in March 2010, GCHQ intercepted nearly 100,000 keys for mobile phone users in Somalia. By June, [url= compiled 300,000[/url]. Somali providers are not on GCHQs list of interest, the document noted. [H]owever, this was usefully shared with NSA. [...]