Gemalto — the world’s leading manufacturer of SIM cards for wireless carriers including Verizon, AT&T, T-Mobile and Sprint — said Friday it’s investigating the recent report that U.S. and British intelligence agencies stole the company’s encryption keys, giving them potential access to billions of cellphones worldwide.
The report by The Intercept published Thursday based on documents leaked by former National Security Agency contractor Edward Snowden reveals the agency, along with Britain’s Government Communications Headquarters, hacked into the email and Facebook accounts of telecommunications and SIM card manufacturer employees.
According to the report, GCHQ essentially “cyberstalked” employees, putting together enough information to access Gemalto’s systems and steal encryption keys. Such keys are used to decrypt data transmitted through mobile SIM cards, of which the company produces 2 billion annually for the largest carriers in the U.S.
The stolen keys would allow agencies to monitor the calls, texts emails and more of billions of cellphone users globally, and expand the NSA’s known surveillance capabilities beyond downstream data, which the agency obtains directly from companies via government order, and upstream data, which the agency collects by tapping into the physical infrastructure of the Internet.
Including mobile communications in the agency’s toolset expands its reach to intimately surveil targets dramatically.
The Franco-Dutch Gemalto said Thursday that it was previously unaware of any security breach, and on Friday said it was still investigating.
“‘We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques,’ said Gemalto, whose shares sunk by as much as 10 percent in early trading on Friday,” Reuters reports.
“We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation,” Gemalto said according to Forbes.
“Gaining access to a database of keys is pretty much game over for cellular encryption,” cryptography specialist Matthew Green said in The Intercept report.
The report was based in large part on a leaked GCHQ document from 2010 that included a slide with the quote, “We believe we have their entire network,” said in reference to Gemalto. In addition to detailing the break-in, the report indicates “many” SIM card manufacturers transmitted keys with weak or no encryption at all, leaving a wide-open security gap to be taken advantage of by the agencies.