New documents from whistleblower Edward Snowden reveal that the National Security Agency (NSA) and the British GCHQ hacked into a SIM card manufacturer in the Netherlands and now have access to encryption keys that allow monitoring of voice calls and metadata.
The Intercept released the new documents, which detail the existence of the Mobile Handset Exploitation Team (MHET), a team formed in April 2010 to study and target cellphones and hack the computer networks of SIM card manufacturers. The team specifically targeted Gemalto, a SIM card manufacturer based in the Netherlands that produces SIM cards for 450 wireless companies, including AT&T, Sprint, T-Mobile, and Verizon. Gemalto has operations in 85 countries around the world.
Internal slides from the NSA and GCHQ show that the team was after encryption keys that “live in” the SIM cards. By possessing these keys, the spy agencies are able to access wireless networks without leaving any clues and without the need for a warrant. Beyond simply accessing current communications, accessing “authentication servers” allows the agencies to unlock past encrypted communications they may not have had the ability to decrypt. One agent wrote on a slide that he was “very happy with the data so far and [was] working through the vast quantity of product.”
The 2010 document refers to this as “PCS Harvesting at Scale,” or harvesting large numbers of encryption keys as the data passed between the wireless providers and the “SIM card personalisation centres,” such as Gemalto. The NSA boasted of having the ability to process 12 to 22 million keys per second. The spy agency was aiming to process more than 50 million per second. These keys are processed and made available for use against surveillance targets.
Indeed, the GCHQ specifically targeted individuals in key positions within Gemalto and began accessing their emails in hopes of following their trail into the SIM card manufacturer's servers. The team of spies even wrote a script that allowed them to access the private communications of employees of telecommunication and SIM “personalization” companies in search of technical terms that might be used in assigning encryption keys to cellphone customers.
Paul Beverly, a Gemalto executive vice president, told The Intercept, “The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn’t happen again, and also to make sure that there’s no impact on the telecom operators that we have served in a very trusted manner for many years.”
More than likely the NSA and the GCHQ violated international law every time they covertly accessed the emails of employees in foreign nations. Dutch officials are already calling for an investigation into who knew the American and British agencies were conducting such a program and under what doctrine such a policy is allowed.
As Edward Snowden continues to unveil disturbing uses of surveillance against innocent users of the technology, it is important to remain educated and informed about the way global governments target their own citizenry. Learning to encrypt your communications and watch what you say on the phone becomes largely useless when the government has access to the SIM card itself. What is a free person to do in the Surveillance State of 2015? How can we find balance between freedom and security?