You might not have heard the name “Gemalto” before, but you almost certainly have one of their products in your pocket. As the world’s largest maker of SIM cards, it’s a company that’s directly responsible for making sure your cell phone connects to the right wireless network. According to documents released by Edward Snowden and obtained by The Intercept, though, it was also the target of a covert, coordinated hack committed by NSA agents and allies at Britain’s Government Communications Headquarters. Their goal? To quietly get their hands on the encryption keys that keep our phone calls and text messages private so they could tap people’s communications without raising suspicions.
Gemalto never saw it coming.
The operation sounds more than a little like a pulp cyberpunk novel, starting with the creation of the Mobile Handset Exploitation Team in mid-2010. It was a joint team of operatives from both agencies, and they promptly got to work. It wasn’t long before they breached Gemalto’s networks and used malware to open a backdoor (later hacks targeted some of the company’s biggest rivals). Then they used the NSA’s XKeyscore tool to dig into the email and social accounts of employees in search of data that would lead them in the right direction. Eventually, through prolonged surveillance, the team succeeded in harvesting millions of so-called “kis” — the encrypted identifier shared by your SIM card and the wireless carrier it’s attached to.
By striking before the keys could be transferred to Gemalto’s carrier partners, the MHET could scoop them up hand over fist, and (surprise, surprise) there’s no firm word on how many of more those keys have slurped up by Western intelligence agencies. So what’s an intensely curious government body supposed to do with all these things? Use them to speed up the surveillance process, naturally. With a treasure trove of keys at their disposal, groups like the NSA can take the easy way out and use data collection tools (like “spy nest” antennas sitting atop embassies) to slurp up encrypted communications on the fly. Since they’ve already got the keys handy, they can just decrypt voice calls and text messages at their own leisure. The whole thing is equal parts brilliant and horrifying.
Worst part is, we’re probably all susceptible to surveillance. The combination of Gemalto’s worldwide prominence and the NSA and GCHQ’s craftiness made sure of that. We’re not totally screwed, though — using secure services like TextSecure and SilentCircle for calls and texts add an extra layer of protection the NSA can’t easily break into. These days, basically nothing is 100 percent secure, but that doesn’t mean we have to make it easy for any potentially prying eyes.