Attacks/Breaches

2/20/2015
04:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

NSA, GCHQ Theft Of SIM Crypto Keys Raises Fresh Security Concerns

Pilfered SIM card encryption keys also could allow the spy agencies to deploy malicious Java applets or to send rogue SMS messages from fake cell towers, experts say.

News that the U.S. National Security Agency (NSA) and Britain’s Government Communications Headquarters (GCHQ) reportedly stole encryption keys used in SIM cards manufactured by Gemalto is sure to reignite major concerns over the surveillance tactics employed by two of the world’s largest spy agencies.

The Intercept reported yesterday that documents provided to the paper by Edward Snowden showed the NSA and GCHQ collaborated on a project to break into Gemalto’s networks and steal SIM encryption keys, which are used to protect the privacy of cellphone conversations and text communications.

The $2.7 billion Netherlands-based Gemalto supplies SIM chips used widely in mobile products from AT&T, Verizon, T-Mobile, Sprint and more than 400 wireless service providers around the world. Its chips are also used in bankcards, access cards, passports and identity cards around the world.

The stolen keys give the two agencies a way to intercept and monitor cellphones without the need for a warrant or a wiretap, and without leaving any trace on the wireless service provider’s network, the Intercept report said. The bulk key theft would also allow the two agencies to decrypt any communications that were previously encoded using the associated SIM cards.

Gemalto itself appears to have been totally unaware of the carefully staged operation to break into its networks and steal the encryption keys. According to the Intercept, Snowden’s documents show that the GCHQ with help from the NSA methodically targeted and mined the private communications of employees at Gemalto and elsewhere to find a way to the data they wanted.

As part of the operation, GCHQ planted malware on Gemalto’s networks to gain what appears to have been complete remote access to its systems. GCHQ also targeted systems used by network engineers and those used by sales and marketing teams at various unnamed cellular companies. In addition, the spy agency penetrated authentication servers at several telecom companies to allow it to decrypt data and voice communications of targeted individuals. The intelligence agencies accessed email and Facebook accounts of engineers and other employees as part of an elaborate effort to find a way to lift encryption keys in bulk.

SIM encryption keys -- know individually as a “Ki” -- basically give telecom carriers a way to authenticate mobile device on the network. SIM card manufactures like Gemalto provide mobile carriers a copy of the keys used in SIM cards installed on mobile devices in their network. When a phone joins the network, the key on the device communicates with the copy of the key stored by the carrier as part of the authenticating process.

GCHQ in partnership with the NSA established a Mobile Handset Exploitation Team (MHET) in 2010 to find exploitable vulnerabilities in cellphone technologies, the Intercept reported. One of its missions apparently was to break into the networks of SIM card manufacturers like Gemalto and that of wireless service providers to steal the encryption keys that are used to protect cellphone communications on 3G, 4G and LTE networks. The agencies saw the keys as providing them with an easy way around local and international laws governing surveillance of cell phone communications.

Jonathan Sander, strategy and research officer for STEALTHbits Technologies likened the methods employed by the two agencies to those used by hackers working for criminal gangs. But it's quite likely that most governments are benefitting from the work being done by the NSA and GCHQ and are therefore unlikely to want to do anything about it, he says.

“Even if they are upset, there’s not much they can do. The information technology infrastructure we all participate in is simply too vulnerable to be protected against well funded people with intent to get information they aren’t supposed to have," Sander says.

The stolen keys not only allow the agencies to decrypt protected phone communications but also to deploy malicious Java applets or to send rogue SMS messages from fake cell towers, according to Craig Young senior security researcher at Tripwire.

“Knowledge of security keys used in SIM cards can have wide reaching consequences,” he said via email. “As prior research has described, SIM cards are much like little computers with the ability to run applications at a lower level than the phone’s operating system.” Those with access to the keys can launch sophisticated man-in-the-middle attacks against properly authenticated cellphones, he said.

Jeremy Linden, a senior security product manager at Lookout, says news like this shows why end-to-end encryption is the way to go. “The hack on SIM cards doesn't extend to applications that use their own forms of encryption,” Linden said in emailed comments.

“Encrypted messaging apps and other forms of encrypted communications will help you steer clear of prying eyes.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
2/21/2015 | 9:07:43 AM
response rather than "concern"
all this hacking should elicit a response rather than a concern.    Get GnuPG: generate your own key.

on x.509 certificates: A " Certificate Authority" should be good enough only for marginal trust.   Use your copy of GnuPG to countersign your certificate for your Cedit Union, Amazon, Tax Software and the like

security is not something that cna be distributed by commercial interests: you have to roll up your sleeves, get your boots on and get to it.

it won't be that hard to set up help centers in the credit unions, schools, and such --
, but: if we continue as we have recently hacking will be worse in 2015 -- and it has already gone beyond the tipping point.   it's unacceptable.   hacking can no longer be swept under the carpet as "part of the cost of business"

start by getting rid of products that do not put security and privacy first.
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11311
PUBLISHED: 2018-05-20
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.
CVE-2018-11319
PUBLISHED: 2018-05-20
Syntastic (aka vim-syntastic) through 3.9.0 does not properly handle searches for configuration files (it searches the current directory up to potentially the root). This improper handling might be exploited for arbitrary code execution via a malicious gcc plugin, if an attacker has write access to ...
CVE-2018-11242
PUBLISHED: 2018-05-20
An issue was discovered in the MakeMyTrip application 7.2.4 for Android. The databases (locally stored) are not encrypted and have cleartext that might lead to sensitive information disclosure, as demonstrated by data/com.makemytrip/databases and data/com.makemytrip/Cache SQLite database files.
CVE-2018-11315
PUBLISHED: 2018-05-20
The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a ho...
CVE-2018-11239
PUBLISHED: 2018-05-19
An integer overflow in the _transfer function of a smart contract implementation for Hexagon (HXG), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets by providing a _to argument in conjunction with a large _value argument, as exploited in the wild in ...