Gemalto, a Netherlands-based SIM card manufacturer — which claims to be the world leader in digital security — just took a major hit yesterday: The Intercept reported that US and British spy agencies broke into the company’s network to steal encryption keys that could grant access to billions of mobile phones. In other words: what the company was supposed to secure isn’t secure anymore.
The hack isn’t fresh: it was detailed in a top-secret GCHQ (Government Communications Headquarters) document published by The Intercept and provided by former NSA contractor Edward Snowden.
To fully understand why they targeted Gemalto, here is some background information, as detailed by the publication founded by the journalists who first interviewed whistleblower Snowden.
The privacy of all mobile communications — voice calls, text messages and Internet access — depends on an encrypted connection between the cellphone and the wireless carrier’s network. That connection relies on secret keys stored on the SIM card: the SIM stores and guards the encryption keys, which are created by companies like Gemalto.
SIM cards are also used to store contacts, text messages, and other important data such as the user’s phone number, and they can even be used to transfer money.
As a general rule, phone companies neither manufacture SIM cards nor program them with secret encryption keys. It is cheaper and more efficient for them to outsource this sensitive step in the SIM card production process, so they purchase the cards in bulk, with the keys pre-loaded, from other corporations. Gemalto is the largest of these SIM “personalization” companies. In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”
It is worth noting here that among Gemalto’s customers we find Verizon, AT&T, Vodafone, and Rogers, which back in 2012 partnered up for SIM-based NFC mobile payments.
The stolen encryption keys granted the NSA and GCHQ access to a large portion of voice and data mobile communications across the globe without the need to ask for permission from governments, telecom companies, or users.
Gemalto has officially launched an investigation into the matter. In its first public comments, Gemalto says it wasn’t a target per se — although some are skeptical about this — but that the operation was [the spy agencies’] attempt to “try to cast the widest net possible to reach as many mobile phones as possible, with the aim to monitor mobile communications without mobile network operators’ and users’ consent.”