File / GDA / AP

NSA, British spies hack world's largest SIM card firm, Snowden leak shows

Agencies hacked encryption keys of chips used in billions of mobile phones, allowing access to voice, data

American and British spies hacked the world’s largest SIM card producers, giving them access to the private data of billions of cellular phone users around the world, according to the latest documents leaked by NSA whistleblower Edward Snowden.

A joint unit of operatives from the National Security Agency (NSA) and its U.K. counterpart Government Communications Headquarters (GCHQ) successfully obtained the encryption keys that protected cell phone privacy, according to a secret 2010 GCHQ document revealed Thursday on the Intercept

"Key theft enables the bulk, low-risk surveillance of encrypted communications,” Chris Soghoian, principle technologist at the American Civil Liberties Union (ACLU) told the Intercept. “Agencies can collect all the communications and then look through them later. With the keys, they can decrypt whatever they want, whenever they want. It’s like a time machine, enabling the surveillance of communications that occurred before someone was even a target."

Click here for more coverage of the NSA Leaks.

The operatives reportedly obtained the encryption keys by cyber-stalking employees of Gemalto, a multi-national firm incorporated in the Netherlands that makes the chips used in cellular phones, biometric passports and next-generation credit cards. The company's clients include AT&T, T-Mobile, Verizon, Sprint and some 450 other wireless providers in the world.

The theft gave operatives the potential to secretly spy on a large part of the world’s cellular communications, including voice and data, the Intercept reported.

Normally, agencies would have to receive approval from telecom companies and foreign governments to access such data. Hacking the encryption keys allowed them to sidestep the process of getting a warrant or wiretap, allowing no trace to be left of the surveillance.

One secret GCHQ slide boasted, we “believe we have their entire network.”

“I’m disturbed, quite concerned hat this has happened,” Paul Beverly, a Gemalto executive VP, told Intercept. “The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn’t happen again, and also to make sure that there’s no impact on the telecom operators that we have served in a very trusted manner for many years. What I want to understand is what sort of ramifications it has, or could have, on any of our customers.”

He added that “the most important thing for us now is to understand the degree of the breach.”

The company has begun an investigation into the data breach but have not found any trace of the hack, according to the Intercept. A GCHQ spokesperson said the agency did not comment on intelligence matters. NSA could not be immediately reached for comment.

Privacy advocates and security experts said it would require billions of dollars and significant political pressure to fix the security flaws exploited by intelligence agencies.

There are some effective communications software that allow individuals to protect themselves from such Surveillance, instead of relying on SIM card-based security that has proven flawed.

Secure software includes email and other apps that that use Transport Layer Security (TLS), the same mechanism that forms the secure HTTPS web protocol, the Intercept said.

TextSecure and Silent Text are apps that provide more secure communications, and Signal, RedPhone and Silent Phone encrypt voice communications. Governments may still be able to gather those communications, but would have to hack each specific handset to read or listen to them. This requires more work than the bulk data collection made possible by hacking the encryption key in SIM cards, and would be noticeable to a sophisticated “target,” the Intercept said.

“We need to stop assuming that the phone companies will provide us with a secure method of making calls or exchanging text messages," Soghoian told the Intercept.

With wire services

Find Al Jazeera America on your TV

Get email updates from Al Jazeera America

Sign up for our weekly newsletter

Get email updates from Al Jazeera America

Sign up for our weekly newsletter