“Security to be Free”? No. The Gemalto hack shows that nothing seems to be off-limits

19th February this year saw yet another revelation by the Intercept based on documents provided by NSA-whistleblower Edward Snowden. The Intercept reported that NSA and GCHQ in collaboration had

hacked into the internal computer network of the largest manufacturer of SIM cards in the world, Gemalto [a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards], stealing encryption keys used to protect the privacy of cellphone communications across the globe.

This hack potentially gave the intelligence agencies the ability to “to secretly monitor a large portion of the world’s cellular communications, including both voice and data.”

As Gemalto’s customers include “AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world” including EE, Vodafone and Orange, and as it produces “some 2 billion SIM cards a year” as well as “covers for electronic U.S. passports, which contain chips and antennas that can be used to better authenticate travellers”, the magnitude of the alleged hack is vast.


“Bad news for phone security. Really bad news.”

Why is this a problem?

I have, on a number of occasions, written about encryption and how it is the one thing that can effectively protect us from surveillance. Reminder: encryption turns anything that it protects into unintelligible gibberish for anyone who doesn’t have the proper key. If GCHQ and NSA have indeed obtained Gemalto’s encryption keys, this would allow them to simply unlock the encryption on Gemalto-manufactured SIM cards and turn the gibberish back into readable content – without being noticed and without anyone’s approval:

intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted.

To employ a much-used metaphor: if encryption is the lock on the door to your house, anyone with the key could just walk in, have a good nosey (i.e. go through everything including your diary, photos and contacts book), make copies of whatever they want and you’d be none the wiser because there would be no signs of a break-in. Actually, it’s worse than that:

Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment.

The police could search your house without a warrant, if they wanted to. What they could also do, would be to read all the private communications they have obtained previously, i.e. all the stuff they have stored in that massive haystack of theirs but so far hadn’t been able to read because it was encrypted:

Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

So not only can, and do, they store all our communication, they can also now read it, retrospectively, if they want to.

Let’s have another metaphor to illuminate the problem further:

In the olden days, people used to send correspondence they didn’t want others to read in envelopes secured by a personal seal. If the seal was broken, the recipient would know that someone other than himself or the sender had read the letter in transit. Cryptography works like a very sophisticated seal, preventing emails, messages, phone calls and so on from being read or listened to by anyone other than sender and recipient. With encrypted email, for example, ideally only the recipient can break the seal because only they have the means to do so – one of a set of two complementary keys. Someone who has access to that set of keys, could effectively break the seal without anyone noticing and then replace it as if nothing had happened.

Gaining access to a database of keys is pretty much game over for cellular encryption,” says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is “bad news for phone security. Really bad news.


The thing with the keys

So, how did NSA and GCHQ get their hands on that ring of master keys that allows them to unlock and walk into anyone’s apartment in the metaphorical block of flats?

Basically, they have broken into the superintendent’s home and stolen the key ring from there. The superintendent in this case is Gemalto – or its employees:

Top-secret GCHQ documents reveal that the intelligence agencies accessed the email and Facebook accounts of engineers and other employees of major telecom corporations and SIM card manufacturers in an effort to secretly obtain information that could give them access to millions of encryption keys.

And because NSA and GCHQ were apparently very sneaky about breaking in and making copies of the keys (it’s what spies do, after all, obtain secret information in secret), Gemalto didn’t even notice what had happened.

NSA and GCHQ did this by using an old friend we have previously heard about: xKeyscore, a spy programme that allows them “access to private emails hosted by the SIM card and mobile companies’ servers, as well as those of major tech corporations, including Yahoo and Google.”

Effectively, they “cyberstalked Gemalto employees, scouring their emails.” Those emails so scoured included private communications. Suddenly, it’s not just THE TERRORISTS who are under surveillance (both metadata and content) but private individuals who have done nothing wrong, except working for a company that manufactures something that is essential to the mobile communications of everybody in the world: SIM cards.

Ask yourselves:

  • Is SIM card manufacturing something sinister?
  • Is working for a SIM card manufacturer something sinister?
  • Should employees of a SIM card manufacturer be stalked and surveilled?
  • Should every single one of us have their private communications seized and compromised because our sealed letters can be opened, our flats unlocked, our houses broken into without any sign of a break-in or a search warrant?

If you think the answer to all of the above is no, then you should be very, very concerned because that’s exactly what’s possible now. By “harvesting” thousands of keys, GCHQ and NSA in 2010 obtained the means to unlock the encryption of millions of phones:

While it

it is impossible to know how many keys have been stolen by the NSA and GCHQ to date… even using conservative math, the numbers are likely staggering.

While SIM encryption has, as The Verge points out, been traditionally weak, it is astounding to which lengths the agencies are willing to go to secure even the most minimal advantage.

Gemalto itself launched an internal investigation (which lasted only six days) into the NSA/GCHQ hack but, according to the Intercept,

tried to downplay the significance of NSA and GCHQ efforts… — and, in the process, made erroneous statements about cellphone technology and sweeping claims about its own security that experts describe as highly questionable.

So while Gemalto claims that “while the agencies did get into its network, they didn’t get in far enough to siphon off phone-call encryption keys”, the documents obtained by Snowden seem to prove otherwise. What they show in any case, is that US and UK intelligence agencies are perfectly willing to steal from telecoms companies and Trevor Timm thus asks correctly, why “any company – let alone the rest of us – [would] trust a government that is so willing to hack them?”


Is nothing off-limits?

And even if NSA and GCHQ aren’t using the keys obtained to monitor the private communications of millions of users, the targeting of tech company employees is still in direct contradiction to what President Obama said on January 17th, 2014:

The bottom line is that people around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don’t threaten our national security and that we take their privacy concerns into account in our policies and procedures.

And despite what GCHQ’s standard statement might claim, what NSA and GCHQ have done is not unanimously considered legal by every government in the world:

It is governments massively engaging in illegal activities,” says Sophie in’t Veld, a Dutch member of the European Parliament. “If you are not a government and you are a student doing this, you will end up in jail for 30 years.

So, as Trevor Timm asks:

If cyberstalking the personal emails and Facebook accounts of completely innocent employees at a telecom company that was never accused of a crime – in an attempt to steal massive amounts of data – is “within [the intelligence agencies’] legal framework”, is there anything that isn’t?


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s