The NSA Has Access to Your Cell Phone’s Encryption Key. And Everyone Else’s Too.


The surveillance state, it turns out, is even bigger and badder than we thought. Previously, the story from the NSA has been: yes, we have access to petabytes of telephone metadata (who you called, what time you called, etc.), but we don’t have routine access to your actual conversations. And this even made a kind of sense: telephone companies store bulk metadata and can make it available to the NSA. They don’t record phone conversations. Besides, on cell phones those conversations are encrypted anyway.

But guess what? That encryption depends on a key stored on the SIM card inside your cell phone. If you have access to the key, you can listen in to all the conversations you want.

You know what’s coming next, don’t you? Here is Jeremy Scahill at The Intercept:

American and British spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden. The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ.

….The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world.

….According to one secret GCHQ slide, the British intelligence agency penetrated Gemalto’s internal networks, planting malware on several computers, giving GCHQ secret access….Most significantly, GCHQ also penetrated “authentication servers,” allowing it to decrypt data and voice communications between a targeted individual’s phone and his or her telecom provider’s network. A note accompanying the slide asserted that the spy agency was “very happy with the data so far and [was] working through the vast quantity of product.”

The folks at Gemalto say they had no idea any of this had happened. Apparently it was a very stealthy hack indeed. As you might expect, there is much, much more at the link.