NSA, British spies hack world's largest SIM card firm, Snowden leak shows

Agencies hacked encryption keys of chips used in billions of mobile phones, allowing access to voice, data

American and British spies hacked the world’s largest SIM card producers, giving them access to the private data of billions of cellular phone users around the world, according to the latest documents leaked by NSA whistleblower Edward Snowden.

A joint unit of operatives from the National Security Agency (NSA) and its U.K. counterpart Government Communications Headquarters (GCHQ) successfully obtained the encryption keys that protected cell phone privacy, according to a secret 2010 GCHQ document revealed Thursday on the Intercept.

“Key theft enables the bulk, low-risk surveillance of encrypted communications,” Chris Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told the Intercept. “Agencies can collect all the communications and then look through them later. With the keys, they can decrypt whatever they want, whenever they want. It’s like a time machine, enabling the surveillance of communications that occurred before someone was even a target.”

The operatives reportedly obtained the encryption keys by cyber-stalking employees of Gemalto, a multi-national firm incorporated in the Netherlands that makes the chips used in cellular phones, biometric passports and next-generation credit cards. The company's clients include AT&T, T-Mobile, Verizon, Sprint and some 450 other wireless providers in the world.

The theft gave operatives the potential to secretly spy on a large part of the world’s cellular communications, including voice and data, the Intercept reported.

Normally, agencies would have to receive approval from telecom companies and foreign governments to access such data. Hacking the encryption keys allowed them to sidestep the process of getting a warrant or wiretap, allowing no trace to be left of the surveillance.

One secret GCHQ slide boasted, we “believe we have their entire network.”

“I’m disturbed, quite concerned that this has happened,” Paul Beverly, a Gemalto executive VP, told the Intercept. “The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn’t happen again, and also to make sure that there’s no impact on the telecom operators that we have served in a very trusted manner for many years. What I want to understand is what sort of ramifications it has, or could have, on any of our customers.”

He added that “the most important thing for us now is to understand the degree of the breach.”

The company has begun an investigation into the data breach but has not found any trace of the hack, according to the Intercept. A GCHQ spokesperson said the agency did not comment on intelligence matters. NSA could not be immediately reached for comment.

Privacy advocates and security experts said it would require billions of dollars and significant political pressure to fix the security flaws exploited by intelligence agencies.

Some effective communications software allows individuals to protect themselves from such surveillance, instead of relying on SIM card-based security that has proven flawed.

Secure software includes email and other apps that use Transport Layer Security (TLS), the same mechanism that forms the secure HTTPS web protocol, the Intercept said.

TextSecure and Silent Text are apps that provide more secure communications, and Signal, RedPhone and Silent Phone encrypt voice communications. Governments may still be able to gather those communications, but would have to hack each specific handset to read or listen to them. This requires more work than the bulk data collection made possible by hacking the encryption key in SIM cards, and would be noticeable to a sophisticated “target,” the Intercept said.

“We need to stop assuming that the phone companies will provide us with a secure method of making calls or exchanging text messages,” Soghoian told the Intercept.

With wire services
