National Security Agency and its British counterpart, the GCHQ, hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe. The secret operation targeted the Dutch company Gemalto. Its clients include AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. It produces two billion SIM cards a year. According to The Intercept, the stolen encryption keys give intelligence agencies the ability to monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments.
Agents from the NSA and the GCHQ formed the Mobile Handset Exploitation Team in 2010 to specifically target vulnerabilities in cellphones. The intelligence agencies obtained the encryption keys by hacking into the email and Facebook accounts of engineers and other employees of Gemalto and other major companies. Some of the employees were singled out for sending PGP-encrypted files.
Chris Soghoian talking:
what we’ve learned is that GCHQ has been engaged in an extremely aggressive effort to obtain these encryption keys. In essence, over the last probably five years or so, telecom companies, wireless carriers around the world have upgraded their networks and moved from older, less secure, second-generation phone technology to more secure, 3G and 4G technology, and as the networks have moved to this newer technology, it’s become much more difficult for governments to spy on communications that take place outside of their own countries. So, for GCHQ, for NSA, for the Chinese and for the Russian governments to be able to spy on telephone calls everywhere in the world, they need these kinds of keys. What we’ve learned just yesterday is that by hacking into one of the largest manufacturers of SIM cards and the keys that are on them, GCHQ has really acquired a huge amount of information that will make—that will make bulk surveillance of telephone communications very, very easy.
there’s a special an NSA-CIA outfit called the Special Collection Service, SCS. And so, they’re based out of embassies and consulates around the world, and they install these antennas on the roofs of embassies and other buildings. And with those antennas, they’re able to grab the data from phones as it’s sent over the air. And so, what they’ll do is they’ll set up these what are called spy nests and grab as many telephone communications as they possibly can and save them. But these telephone communications, telephone calls, text messages and other information are encrypted. And so they save the information, and then once they have the keys, either because they hack into a company like Gemalto or they bribe an engineer or blackmail an engineer, then they can decrypt the communications. And so, essentially, wiretapping then just becomes a mere task of installing an antenna somewhere and recording data.
Social Security numbers were designed in the 1930s for a pretty mundane and basic task, which was keeping track of one’s contributions to their retirement account, their government retirement account. But today they’re used as a quasi-national identification number. We’re supposed to give our Social Security numbers to, you know, a huge number of organizations. It’s how we’re tracked. And the reason we sort of have this system is because there was no formal national identity number. Everyone wants to have one, and so the Social Security number has sort of been forced into that role, but it’s a role that it was never designed or intended for.
By the same token, SIM cards were never really intended to provide strong confidentiality of communications. They weren’t intended to provide strong encryption or strong protection of our communications. Instead, they were really intended to protect telephone numbers and telephone accounts from fraud. In the ’80s and 1990s, there was a huge wave of fraud where people were doing what’s called cellphone cloning, and they were billing calls to other people’s accounts. And this was a huge problem for the phone companies. They needed a solution. And SIM cards and the encryption keys within them were the solution that they came up with.
You know, we should understand that SIM cards probably cost, you know, 50 cents or a dollar in bulk. These are not, you know, extremely sophisticated, high-security devices. They are basic bits of technology that are designed for one job, which is fraud, that we now depend on for so much more. And if this story demonstrates one thing and one thing alone, it’s that SIM cards and the system of security that surrounds them just isn’t up to the job of protecting our communications.
All intelligence agencies operate out of embassies, sometimes with cover. You know, last summer, Der Spiegel published a slide listing the locations of NSA-CIA Special Collection Service sites around the world. This is something that’s been written about in books before. It’s not a big secret. And after the Angela Merkel, spying story first broke, one of the German newspapers even published thermal imaging photographs of the spy nest on the roof of the U.S. Embassy in Berlin before the story and after the story, showing that the station had been shut down and was—as it was thus generating much less heat and using much less electricity.
GCHQ and NSA believe that, essentially, anything is justified as long as it gets them to where they want to be. The engineers at Gemalto were not accused of breaking the law. Gemalto itself is not a criminal enterprise. But these governments want the keys that Gemalto has, and so they’re willing to do anything it takes to get that.
You know, in the last few moments that I have, I really want to let your listeners know that there are things that you can do right now to protect your communications, that the telephone companies have not shown any interest in providing us with secure communications. You cannot trust the voice or text message services provided by your wireless carrier, so you need to download apps. There are some built into the iPhone—iMessage and FaceTime. There are tools like WhatsApp that are—that’s distributed by Facebook. And there are some even better tools like Signal, which is supported by the U.S. government, actually. You can download apps and services and make encrypted telephone calls, send encrypted text messages, that governments cannot easily intercept. But those tools will not be provided to you by your telephone company. You need to take steps and take matters into your own hand.
GCHQ, which is Britain’s intelligence agency, hacked into this major Dutch supplier of SIM cards. This is a company that provides these microchips to wireless carriers around the world, and these are the chips that provide the security that’s in our phones. They secure the communications between our phone and the phone network and are intended to protect our calls and text messages from interception by private parties.
the anecdotes that are revealed in the story suggest that Gemalto and its wireless carrier partners have at times followed pretty pathetic security practices, and so it didn’t seem like—that GCHQ had to work too hard in some cases. But, you know, that was just for some of the collection. In other cases, it seems like GCHQ’s hackers targeted and hunted individual engineers and employees. I mean, they were stalking these engineers online in an effort to compromise their email accounts, their Facebook accounts, and then ultimately to compromise their computers as a way to gain access to the inner sanctum of Gemalto’s network. That kind of stalking of engineers is really terrifying, particularly given that, you know, we’re not talking here about a government stalking or targeting a terrorist. These engineers are not accused of breaking any law. These are law-abiding people who have mortgages and families and husbands and wives, and they just happen to work for companies that these intelligence agencies, you know, think are fair game. And, you know, I think this article, building on The Intercept’s piece last year about GCHQ’s hacking of Belgacom, Belgium’s largest phone company, is really going to serve as a wake-up call to the entire technical industry, because, you know, in essence now, it seems clear that any engineer at any company that does anything remotely interesting is now fair game for GCHQ and NSA and their other partners.
the phone companies don’t do a very good in securing their communications. The encryption technology that’s built into your phone, the technology that protects your telephone calls and text messages as they go over the air, the encryption was built in the late ’80s and early ’90s. It was—forms of it were broken in the 1990s by graduate students, and we’re still using it today. These carriers are—these large, multibillion-dollar telephone companies are really not that interested in providing a secure method of communication. They’re certainly not interested in designing or deploying methods of communication that our own governments cannot intercept, let alone other governments. And, you know, for more than a hundred years, the U.S. telephone companies have been happily providing wiretapping assistance to law enforcement and intelligence agencies. We should just—we should give up on this idea that AT&T or T-Mobile or Verizon are ever going to deliver truly secure communications to their customers.
You know, in contrast, it really does seem like Silicon Valley companies are much more interested in providing strong, secure communications services, to the extent that their business models permit. And what I mean by that is, you know, at the end of the day, you’re not paying Google for their services, and so they want to read your emails, but a company like Apple, Apple doesn’t make money by selling you email service. They make money by selling you an expensive phone. And as long as you keep buying the phones, Apple makes lots of money. For companies like that, where their business model and your privacy are more aligned, I really do think we can expect that these companies will provide us with much stronger and much more secure methods of communication, particularly given that they’re competing in a global market where, you know, German consumers don’t want a phone that can be easily spied on by the NSA. And so, you know, these tech companies really are having to up their game.
the voice and text message services provided by your wireless carrier, if you’re just sending a text message through your phone or making a telephone call through your phone, those calls can be intercepted by your own government, by police and intelligence agencies. They can be intercepted by foreign governments who are operating domestically. They can be intercepted by sophisticated criminals and by hackers and by stalkers. You should not expect that those kinds of communications services can deliver real security.
On the other hand, there are now a number of apps and Internet-based services that you can run on your smartphone that will give you much, much more secure communications. So, Apple has built iMessage into its iPhone product for several years. If you have an iPhone and you’re sending a text message to someone else who has an iPhone, this is used by default. Those messages are encrypted in a strong way. They’re sent via Apple’s system, and it’s very, very difficult for governments to intercept those. If you’re using WhatsApp, which is a service now owned by Facebook and used by hundreds of millions of people around the world, if you’re using WhatsApp on Android, it’s encrypted, again, in a very strong way. And if you have an Android or iPhone, you can download third-party apps, the best of which are called Signal for iOS and TextSecure, from Android. These are best-of-breed free applications made by top security researchers, and actually subsidized by the State Department and by the U.S. taxpayer. You can download these tools today. You can make encrypted telephone calls. You can send encrypted text messages. You can really up your game and protect your communications.
To be clear, if you are a target of a law enforcement or intelligence agency and they really care about you, they can hack into your phone, and these tools won’t stop that. But you can make it much more difficult. You can make it so that they have to work really hard. And, you know, it’s unfortunate that the phone companies, that AT&T and Verizon haven’t warned their customers. They should be telling the public. They haven’t. But we can do things right now to make wiretapping much more difficult and much more expensive.
the SIM card is sort of like the driver’s license for the phone. The SIM card proves that you have a valid account. That’s, you know, what lets the phone company know who to send the bill to. So, you need a SIM card. You know, think of it this way. When you go to Starbucks, you don’t expect Starbucks to provide you with a secure Internet connection. You expect them to provide you with an Internet connection, and then you bring your own security on top. If you’re using Gmail or Facebook or Twitter, all of those services build their own security in. They don’t rely on the Internet provider to do that for you. By the same token, we should stop relying on the AT&Ts and Verizons of the world to provide security. We should just use them for data, and then we should run secure, encrypted communications apps that go over the data portion of the network. We know how to do this. These apps exist. We can secure our communications. And, you know, it’s been delightful post-Snowden. You know, the journalism community is really starting to take note of this. And I now regularly have encrypted telephone calls with national security reporters around the world. I send encrypted emails with reporters, with lawyers. These tools really are getting to be easy to use, and it’s just—we just need more people to start using them.
if you have an Apple device, you could download—so FaceTime is already installed in your iPhone. It’s built by Apple. It’s built into the iPhone. If you make a FaceTime audio or video call from your iPhone to someone else’s iPhone or iPad, it’s encrypted with very strong technology, and it will be very, very difficult for a government to intercept. If you have an—if you don’t want to use an Apple encryption product, there’s a fantastic app in the app store called Signal. It’s free. It’s open source. It’s very, very good. That makes encrypted telephone calls anywhere in the world for free. Even if you’re not worried about security, it’s actually a way of saving money on your phone bill. And then if you’re using Android, there’s a great app by the same people who do Signal called RedPhone. Again, it’s free. It’s supported by the U.S. government. So you’re paying for it anyway; you might as well use it. And that will also let you make free encrypted telephone calls. These tools work, and they make wiretapping much more expensive, which is what we want. We want governments to have to focus their resources on the people that really matter, the real threats, but they shouldn’t be able to spy on everyone at low cost.
new probe that finds the NSA has embedded spying devices deep inside hard drives in computers around the world. The Russian firm Kaspersky Lab says it uncovered the spyware in personal computers across 30 countries, from Iran to Russia, Pakistan, Libya, China, Belgium, Ecuador and the United States. The targets include government institutions, oil and gas firms, Islamic activists, scholars and the media.
NSA has a multibillion-dollar budget. They hire some of the best and brightest hackers, and they give these really smart people a lot of resources and basically tell them that they can do whatever they want. And, you know, it’s not surprising that a well-resourced team, that is not constrained by the law, can get up to a lot of really interesting and terrifying things. You know, they’ve been given a mandate by their superiors to go out and hack and get access to every system they can, and they’re doing that. You know, in one way, as someone with a technical background, I’m impressed with what they’ve been able to do. But I think, you know, we should all be very scared about what the NSA is doing, the capabilities they have and the extreme lack of effective oversight that’s taking place. For an agency that is engaged in this degree of highly sophisticated technical compromise of computer systems, the extent to which policymakers and agency overseers lack technical competence, I think, should be terrifying. We need to make sure that those in Congress, those in the courts, who are supposed to perform oversight over the NSA, we need to make sure they have technical understanding or technical advisers. And the fact that there’s no technical oversight of these agencies, I think, is one of the reasons why they’ve been able to do as much as they have with as little oversight.
U.S. government isn’t this one machine with one person, you know, dictating all of its policies. You have these different agencies squabbling, sometimes doing contradictory things. The U.S. government, the State Department has spent millions of dollars over the last 10 years to fund the creation and the deployment and improvement to secure communications and secure computing tools that were intended to allow activists in China and Iran to communicate, that are intended to allow journalists to do their thing and spread news about democracy without fear of interception and surveillance by the Chinese and other governments.
the U.S. government hasn’t been writing the software. They’ve been giving grants to highly respected research teams, security researchers and academics, and these tools are about the best that we have. You know, I agree. I think it’s a little bit odd that, you know, the State Department’s funding this, but these tools aren’t getting a lot of funding from other places. And so, as long as the State Department is willing to write them checks, I’m happy that the Tor Project and WhisperSystems and these other organizations are cashing them. They are creating great tools and great technology that can really improve our security. And I hope that they’ll get more money in the future.
we need so much. We need a technically informed FISA court. We need controls over domestic surveillance. But we also need—we need strict oversight and legislative controls over what NSA does abroad, which right now are largely regulated under Executive Order 12333. Most of the scary things that NSA does, it doesn’t have to go the FISA court to get approval for, and I think we really need to rein that in.
— source democracynow.org
Christopher Soghoian, privacy researcher and activist. He is the principal technologist at the American Civil Liberties Union. He is also a visiting fellow at Yale Law School’s Information Society Project.