Great Sim Heist
By stealing the crypto keys, spy agencies gave themselves the ability to wiretap and decrypt any encrypted phone communication at any time, without going through telecom carriers or obtaining a court order. Not only that, but the keys also allow spy agencies to decrypt previously intercepted messages.
“When the NSA and GCHQ compromised the security of potentially billions of phones (3g/4g encryption relies on the shared secret resident on the sim),” Snowden wrote in the AMA, “they not only screwed the manufacturer, they screwed all of us, because the only way to address the security compromise is to recall and replace every SIM sold by Gemalto.”
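A toy model of the point above, added here as an illustration and not taken from the AMA or from any carrier or SIM code: the session key is derived from the SIM's long-term shared secret (Ki) and a challenge sent in the clear, so whoever later obtains Ki can re-derive the key for every recorded session, and only replacing the SIM protects later traffic. HMAC-SHA256 and the XOR stream cipher are stand-ins (assumptions), not the real SIM algorithms, and all names and messages are constructed.

```python
import hashlib
import hmac
import secrets


def session_key(ki: bytes, rand: bytes) -> bytes:
    # Stand-in KDF (assumption): real SIMs use operator algorithms, not HMAC-SHA256.
    # What matters is the shape: the key depends only on Ki and the public RAND.
    return hmac.new(ki, rand, hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher for the model; the same call encrypts and decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def over_the_air(ki: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    # What a passive recorder sees: RAND in the clear plus the ciphertext.
    rand = secrets.token_bytes(16)
    return rand, xor_stream(session_key(ki, rand), plaintext)


def recover(ki: bytes, capture: tuple[bytes, bytes]) -> bytes:
    # Anyone holding Ki can redo the derivation from the recorded RAND.
    rand, ciphertext = capture
    return xor_stream(session_key(ki, rand), ciphertext)


def exposure(leaked_ki: bytes, archive: list) -> list[bool]:
    # For each (plaintext, capture) pair: is the session readable with leaked_ki?
    return [recover(leaked_ki, cap) == msg for msg, cap in archive]


def demo() -> list[bool]:
    old_ki, new_ki = secrets.token_bytes(16), secrets.token_bytes(16)
    msgs = [b"call 1 (constructed)", b"call 2 (constructed)", b"call after SIM swap"]
    archive = [(m, over_the_air(old_ki, m)) for m in msgs[:2]]
    archive.append((msgs[2], over_the_air(new_ki, msgs[2])))  # SIM replaced
    return exposure(old_ki, archive)


if __name__ == "__main__":
    print(demo())
```

Both sessions recorded under the old Ki are exposed even though each used a fresh challenge; the session made after the SIM was replaced is not.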
Gemalto?
Gemalto is an international digital security company providing software applications, secure personal devices such as smart cards and tokens, and managed services. It is the world’s biggest maker of SIMs.
Our governments … should never be weighing the equities in an intelligence gathering operation such that a temporary benefit to surveillance regarding a few key targets is seen as more desirable than protecting the communications of a global system.
It was reported that spy agencies targeted employees of a Dutch firm, reading siphoned emails and using Facebook to gain information that would help them hack the employees. Once the hack was carried out, the agencies planted a backdoor and established persistence, which would allow them to regain access afterwards.
“Although firmware exploitation is nasty,” Snowden responded, “it’s at least theoretically reparable: tools could plausibly be created to detect the bad firmware hashes and re-flash good ones. This isn’t the same for SIMs, which are flashed at the factory and never touched again.”
“We hear a great deal lately about the value of information sharing in cybersecurity,” he wrote in a blog post about the hack of Gemalto. “Well, here’s a case where NSA had information that the technology American citizens and companies rely on to protect their communications was not only vulnerable, but had in fact been compromised…. This is one more demonstration that proposals to require telecommunications providers and device manufacturers to build law enforcement backdoors in their products are a terrible, terrible idea. As security experts have rightly insisted all along, requiring companies to keep a repository of keys to unlock those backdoors makes the key repository itself a prime target for the most sophisticated attackers—like NSA and GCHQ.”