Attacks/Breaches
2/20/2015
04:45 PM
NSA, GCHQ Theft Of SIM Crypto Keys Raises Fresh Security Concerns

Pilfered SIM card encryption keys also could allow the spy agencies to deploy malicious Java applets or to send rogue SMS messages from fake cell towers, experts say.

News that the U.S. National Security Agency (NSA) and Britain’s Government Communications Headquarters (GCHQ) reportedly stole encryption keys used in SIM cards manufactured by Gemalto is sure to reignite major concerns over the surveillance tactics employed by two of the world’s largest spy agencies.

The Intercept reported yesterday that documents provided to the paper by Edward Snowden showed the NSA and GCHQ collaborated on a project to break into Gemalto’s networks and steal SIM encryption keys, which are used to protect the privacy of cellphone conversations and text communications.

The $2.7 billion Netherlands-based Gemalto supplies SIM chips used widely in mobile products from AT&T, Verizon, T-Mobile, Sprint and more than 400 wireless service providers around the world. Its chips are also used in bankcards, access cards, passports and identity cards around the world.

The stolen keys give the two agencies a way to intercept and monitor cellphones without the need for a warrant or a wiretap, and without leaving any trace on the wireless service provider’s network, the Intercept report said. The bulk key theft would also allow the two agencies to decrypt any communications that were previously encoded using the associated SIM cards.

Gemalto itself appears to have been totally unaware of the carefully staged operation to break into its networks and steal the encryption keys. According to the Intercept, Snowden’s documents show that GCHQ, with help from the NSA, methodically targeted and mined the private communications of employees at Gemalto and elsewhere to find a way to the data they wanted.

As part of the operation, GCHQ planted malware on Gemalto’s networks to gain what appears to have been complete remote access to its systems. GCHQ also targeted systems used by network engineers and those used by sales and marketing teams at various unnamed cellular companies. In addition, the spy agency penetrated authentication servers at several telecom companies to allow it to decrypt data and voice communications of targeted individuals. The intelligence agencies accessed email and Facebook accounts of engineers and other employees as part of an elaborate effort to find a way to lift encryption keys in bulk.

SIM encryption keys -- known individually as a “Ki” -- basically give telecom carriers a way to authenticate a mobile device on the network. SIM card manufacturers like Gemalto provide mobile carriers a copy of the keys used in SIM cards installed on mobile devices on their network. When a phone joins the network, the key on the device communicates with the copy of the key stored by the carrier as part of the authentication process.
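To make the shared-key arrangement concrete, here is an added simulation (not from the article, and not Gemalto's or any carrier's code) of a SIM-style challenge-response, with HMAC-SHA256 standing in for the real A3/A8 algorithms. It shows that any party holding a copy of Ki and observing the carrier's challenge derives the same session key as the phone, which is why a bulk key theft permits passive decryption without touching the carrier's network, and why an application layer with its own keys is unaffected.

```python
import hmac
import hashlib
import os

# Constructed simulation (added example): carrier and SIM share the long-term
# key Ki; the carrier sends a random challenge RAND, and both sides derive an
# authentication response SRES and a session key Kc from (Ki, RAND). Real
# networks use A3/A8 (COMP128, Milenage, ...); HMAC-SHA256 stands in here.

def derive(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Return (SRES, Kc) for a given Ki and challenge."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]          # 32-bit SRES, 64-bit Kc stand-ins

def carrier_authenticates(carrier_ki: bytes, sim_ki: bytes, rand: bytes) -> bool:
    """The carrier accepts the SIM only if both copies of Ki agree on SRES."""
    expected_sres, _ = derive(carrier_ki, rand)
    sres, _ = derive(sim_ki, rand)
    return hmac.compare_digest(expected_sres, sres)

def keystream_xor(kc: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC keystream keyed by Kc (not A5)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(kc, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)

def observer_recovers_plaintext(observed_rand: bytes, ciphertext: bytes,
                                ki_copy: bytes) -> bytes:
    """A passive observer holding a copy of Ki (e.g. the manufacturer's copy)
    derives Kc from the RAND seen on the air interface and decrypts."""
    _, kc = derive(ki_copy, observed_rand)
    return keystream_xor(kc, ciphertext)

def demo() -> dict:
    ki = os.urandom(16)                      # one SIM's Ki, shared with carrier
    rand = os.urandom(16)                    # carrier's challenge
    _, kc = derive(ki, rand)
    message = b"constructed sample SMS text"  # constructed sample traffic
    ciphertext = keystream_xor(kc, message)
    return {
        "authenticated": carrier_authenticates(ki, ki, rand),
        "message": message,
        "with_stolen_ki": observer_recovers_plaintext(rand, ciphertext, ki),
        "without_ki": observer_recovers_plaintext(rand, ciphertext, os.urandom(16)),
    }
```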

GCHQ, in partnership with the NSA, established a Mobile Handset Exploitation Team (MHET) in 2010 to find exploitable vulnerabilities in cellphone technologies, the Intercept reported. One of its missions apparently was to break into the networks of SIM card manufacturers like Gemalto and those of wireless service providers to steal the encryption keys that are used to protect cellphone communications on 3G, 4G and LTE networks. The agencies saw the keys as providing them with an easy way around local and international laws governing surveillance of cell phone communications.

Jonathan Sander, strategy and research officer for STEALTHbits Technologies, likened the methods employed by the two agencies to those used by hackers working for criminal gangs. But it's quite likely that most governments are benefiting from the work being done by the NSA and GCHQ and are therefore unlikely to want to do anything about it, he says.

“Even if they are upset, there’s not much they can do. The information technology infrastructure we all participate in is simply too vulnerable to be protected against well funded people with intent to get information they aren’t supposed to have,” Sander says.

The stolen keys not only allow the agencies to decrypt protected phone communications but also to deploy malicious Java applets or to send rogue SMS messages from fake cell towers, according to Craig Young, senior security researcher at Tripwire.

“Knowledge of security keys used in SIM cards can have wide reaching consequences,” he said via email. “As prior research has described, SIM cards are much like little computers with the ability to run applications at a lower level than the phone’s operating system.” Those with access to the keys can launch sophisticated man-in-the-middle attacks against properly authenticated cellphones, he said.

Jeremy Linden, a senior security product manager at Lookout, says news like this shows why end-to-end encryption is the way to go. “The hack on SIM cards doesn't extend to applications that use their own forms of encryption,” Linden said in emailed comments.

“Encrypted messaging apps and other forms of encrypted communications will help you steer clear of prying eyes.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
macker490, User Rank: Ninja
2/21/2015 | 9:07:43 AM
response rather than "concern"
all this hacking should elicit a response rather than a concern. Get GnuPG: generate your own key.

on x.509 certificates: A "Certificate Authority" should be good enough only for marginal trust. Use your copy of GnuPG to countersign your certificate for your Credit Union, Amazon, Tax Software and the like

security is not something that can be distributed by commercial interests: you have to roll up your sleeves, get your boots on and get to it.

it won't be that hard to set up help centers in the credit unions, schools, and such -- but: if we continue as we have recently hacking will be worse in 2015 -- and it has already gone beyond the tipping point. it's unacceptable. hacking can no longer be swept under the carpet as "part of the cost of business"

start by getting rid of products that do not put security and privacy first.