Your Mobile Privacy is Under Threat Because of US and UK Spies

Image by Mozilla in Europe on Flickr. Taken on February 24, 2014. CC-BY 2.0


One of the “biggest Snowden stories yet” has arrived today, according to journalist Glenn Greenwald.

Spies from the United States’ National Security Agency (NSA) and the United Kingdom's Government Communications Headquarters (GCHQ) “hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe.” The information was obtained from top-secret documents leaked by Edward Snowden.

So what, exactly, did the spy agencies do? According to journalist Jeremy Scahill (who also works for The Intercept with Greenwald):

Encryption keys are what keep encrypted communications private from third parties, such as governments. In the case of mobile technology, the key is stored in the SIM card [pdf], and the mobile carrier also holds a copy.

Communications are encrypted between the carrier and the phone only, meaning that the mobile carrier can use their key to access your data. Typically, a mobile carrier would only hand over the key if compelled to do so by law enforcement. Therefore, by hacking into the network of Gemalto, the world's largest SIM card manufacturer, the spy agencies are able to bypass the rule of law and gain access to the SIM encryption keys of potentially billions of mobile phone users, allowing them to decrypt phone calls, text messages, and other traffic.* 

On Twitter, many readers seemed unsurprised by the latest news, considering all of the leaks that came before it.

@AnonyOps questioned the efficacy of the hack, asking:

Privacy International's Eric King joked:

Another important question raised by the story is who is affected by the breach. As The Intercept points out, Gemalto's clients include US mobile carriers AT&T, T-Mobile, Verizon, and Sprint, as well as 450 wireless network providers around the world.

“The company operates in 85 countries and has more than 40 manufacturing facilities,” they report. The piece also mentions Vodafone (Europe), Orange (France), EE (Europe), Royal KPN (the Netherlands), China Unicom, NTT (Japan), and Chunghwa Telecom (Taiwan), as well as “scores of wireless network providers throughout Africa and the Middle East.” A look at Gemalto's website also unearths China Mobile and South Africa's MTN as partners; the company's Wikipedia page shows telecom clients in Turkey and Italy, as well.

Some readers expressed anger at the two countries for their seemingly endless spying.

Claudio Guarnieri, an Italian malware expert, tweeted:

Maher Arar, a Syrian-Canadian who was once renditioned by the US to Syria and reportedly tortured while in custody, wrote:

Gemalto, the company at the center of the story, has not yet responded publicly, but a video from the manufacturer shows its good intentions:

*It's worth noting that this does not allow the NSA and GCHQ to access calls, messages, and other communications that are encrypted by other, additional means, such as tools like RedPhone or ChatSecure. For more information on mobile security, check out Surveillance Self-Defense or Security in a Box.
