Edward Snowden’s data trove continues bearing fruit — and the implications of the latest release are dark for anyone who cares even slightly about mobile privacy. According to the once-secret documents, the NSA and its British counterpart, the GCHQ, engaged in a massive operation against one of the world’s largest mobile SIM card manufacturers, Gemalto. To understand the significance of this release it helps to know a bit about how SIMs are used. When you use 3G or 4G connections, the connection between your device and your cell phone carrier is encrypted. That encryption isn’t perfect, but cracking it is still time-consuming, particularly if the goal is to monitor millions of people simultaneously.
Each SIM card has its own unique encryption key, known as a “Ki.” Carriers are provided with a copy of each Ki on their networks, which enables them to track and authenticate each device. Cracking the communication between your phone and the network is difficult. If you already have the Ki, however, it’s simple. As The Intercept notes, the SIM card manufacturing and distribution pipeline was never designed to withstand government surveillance attacks.
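To make the point above concrete, here is an added, simplified model (not from the article, and not the real GSM/3G algorithms, which it replaces with an HMAC stand-in; the IMSI and Ki values are constructed placeholders) of how carrier and SIM derive a session key from the shared Ki and a challenge sent in the clear, and why holding a copy of Ki removes any need to crack the encryption:

```python
# Added illustration: a simplified model of SIM-based authentication and
# air-interface encryption. derive() is an HMAC stand-in for the carrier's
# real key-agreement algorithm; nothing here is the actual protocol.
import hashlib
import hmac
import secrets

# Constructed sample subscriber: IMSI and Ki are placeholder values.
IMSI = "001010123456789"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive(ki, rand):
    """Return (response, session_key) for a challenge; SIM and carrier both compute this."""
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    return out[:8], out[8:24]


def authenticate(carrier_keys, imsi, sim_ki, rand=None):
    """Challenge-response: carrier sends RAND in the clear, SIM answers with RES.
    Returns (rand, accepted, session_key_computed_on_sim)."""
    rand = rand or secrets.token_bytes(16)
    expected_res, _ = derive(carrier_keys[imsi], rand)
    res, session_key = derive(sim_ki, rand)
    return rand, hmac.compare_digest(res, expected_res), session_key


def stream_xor(session_key, data):
    """Toy stream cipher: keystream blocks are HMAC(session_key, block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(session_key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def passive_observer(key_copies, imsi, rand, ciphertext):
    """Someone who only saw IMSI, RAND and ciphertext on the air can recover the
    plaintext if and only if they hold that subscriber's Ki: the session key is
    simply re-derived, so the strength of the cipher never comes into play."""
    ki = key_copies.get(imsi)
    if ki is None:
        return None
    _, session_key = derive(ki, rand)
    return stream_xor(session_key, ciphertext)


if __name__ == "__main__":
    carrier = {IMSI: KI}
    rand, ok, key = authenticate(carrier, IMSI, KI)
    ct = stream_xor(key, b"hello, network")
    print(ok, passive_observer({IMSI: KI}, IMSI, rand, ct), passive_observer({}, IMSI, rand, ct))
```

The defensive takeaway is that the secrecy of Ki during manufacture, transport and storage is the whole security of the link; a leaked key database cannot be fixed by a stronger cipher, only by reissuing keys.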
The scale of the attack against Gemalto has to be read to be believed. The US and British intelligence agencies went after individual employees directly, monitored Facebook accounts, and carefully selected targets for hacking — not because they’d allegedly done anything wrong, but because they were likely to possess information that would facilitate blatantly illegal activity. At the same time, the GCHQ successfully infiltrated Gemalto’s corporate network, stealing additional information and Ki data.
The result? Millions of SIM card keys intended for various countries across the world were leaked to the NSA and GCHQ. Dozens, perhaps hundreds of individuals had their email and social media accounts cracked for the purpose of facilitating further espionage.
The intelligence agencies themselves are firmly insisting that these activities are moral, legal, and valid, but it’s unlikely that targeted countries will agree. Again, the companies and individuals targeted in this manner were not accused, charged, or even suspected of having committed a crime. The sole reason given for such egregious violations is “Well, you had information that we wanted.”
There have always been legal distinctions made between state-sanctioned and unlawful behavior, but the gap between draconian punishments for relatively minor hacking crimes and the dizzying display of government behavior is widening rapidly. As Sophie in’t Veld, a Dutch member of the European Parliament observed, “If you are not a government and you are a student doing this, you will end up in jail for 30 years.”
Gemalto’s security keys and products are used in hundreds of millions of devices, from passports to cell phones. It has huge customers in every first world nation — and according to company executives, was utterly unaware that it had been so thoroughly penetrated by foreign intelligence services. The company is investigating, but securing any international supply chain or network will take time given the scope and nature of the alleged theft. This isn’t the first GCHQ – NSA collaboration, either. The two agencies worked together to gather webcam data on Yahoo users, and the NSA tapped data cables between the US and the United Kingdom in order to tap Google’s internal, encryption-free links.