Spy agencies compromised world’s largest SIM card maker
It’s no secret that governmental agencies the world around are using all sorts of techniques to monitor what we do on our smartphones. Sometimes that’s using a court order to get access to a suspect’s device; sometimes that’s convincing a carrier to hand over bulk records for all its subscribers, guilty and innocent alike; sometimes it even means setting up a fake cellular tower to trick our phones into giving up information on themselves. But now a new report shines light on what could be one of the most far-reaching efforts to date, as British and American spies infiltrated the company behind a good fraction of the world’s SIM cards, compromising the encryption keys that protect our smartphone communications.
Leaked GCHQ docs show the British agency working in concert with the NSA to get access to the internal network of Gemalto, a firm that makes upwards of two billion SIM chips a year, including those going out to subscribers of all four big US carriers.
Cellular communications between your phone and your network’s towers are encrypted with the help of keys stored on those SIM chips, and by getting access to these keys before the SIMs even shipped out of the factory, the NSA and GCHQ appear to have given themselves the tools they need to passively sniff cellular data.
That’s hugely more advantageous than the tower-impersonation scheme we mentioned earlier, as it’s both nearly immune to detection and enables the gathering of data on a much larger scale.
The good news, if there’s any in all of this, is that your smartphone data (voice is another story) might already be hardened against such monitoring. If you’re using apps that implement their own encryption, as most good ones will do, being able to read data as it flies between your phone and the tower becomes of much limited use. If you funnel your phone data through an encrypted VPN, you’re doing one better, adding an extra layer of security for all your data.
Gemalto is currently investigating just how this all might have happened, and taking steps to see that its SIM keys are more secure in the future.