Last week we saw the emergence of a troubling report, one claiming that the GCHQ and NSA compromised the security of SIM-card-maker Gemalto, accessing encryption keys that would in theory allow the spy agencies to passively monitor cellular communications as they moved from our phones to cellular towers. It was quite the alarming claim, but one that was difficult to immediately quantify in terms of its impact on end users: just what could such a hack conceivably mean for the security of your data? Today Gemalto has released a follow-up statement looking into the scope of the attack on its networks, while another report warns of some even more severe consequences.
The general tone of Gemalto’s internal inquiry is that for the most part, this hack probably isn’t a big deal. It claims that the agencies in question would have had, at worst, access to some office networks that wouldn’t empower them to steal encryption keys en masse. While it acknowledges that some attacks may have been possible, it suggests we’re not looking at a situation where these spies have access to the keys protecting billions and billions of SIMs. And though keys could have been grabbed while being shared with certain carriers, Gemalto uses a secure communication scheme for the majority of such transfers, one it does not believe is implicated in these hacks.
That said, in cases where the NSA and GCHQ did get their dirty little hands on keys, it’s possible that they could be up to a lot worse than simply monitoring cellular traffic. Possession of SIM OTA keys would enable these agencies to remotely install malicious software directly onto the SIM cards of targeted phones. These programs could force SIMs to turn against their users, continually reporting location data back to the agencies, or selectively interfering with communications.