The newest leak from Edward Snowden may be coming at a terrible time for the Obama White House but it’s not particularly shocking news to security experts.
The Intercept‘s report about the “Great SIM Heist” reveals American and British spies stole the keys that are “used to protect the privacy of cellphone communications across the globe” from Gemalto, the world’s largest manufacturer of SIM cards.
It goes on to report that “With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments,” which sidesteps the needs for legal warrants that should be the foundation of ethical law enforcement.
While this is certainly troubling and speaks to the agencies wanton regard for privacy and some amateurish procedures being used to transport keys, it likely won’t alter the security landscape much.
“Nobody in their right minds would assume GSM [Global System for Mobile Communications —the digital cellular network used by mobile phones] to be private in the first place,” he said. “Phone networks have never been really designed with privacy in mind.”
Mobile operators are much more concerned with being able to prevent their customers from avoiding billing.
While a scope of such a breach does seem huge, Jarno points we’re not sure how many of the billions of cards manufactured by Gemalto may be affected. Keys sent to and from operators via without encryption in email or via FTP servers that were not properly secured are almost certainly compromised.
But according to The Intercept, GCHQ also penetrated “authentication servers,” which allow it to “decrypt data and voice communications between a targeted individual’s phone and his or her telecom provider’s network” regardless who made the cards.
With the cracked keys, users’ calls would be vulnerable but likely only in a limited manner.
“I am told that these keys only expose the encryption and authentication between the mobile device and the local cell tower,” F-Secure Security Advisor David Perry explained. “This means that the NSA or (whoever else) would have to be locally located within radio range of your phone.”
So could the NSA or GCHQ be listening to your calls without a warrant? Maybe. Here’s what you can do about it.
Add a layer of encryption of your own to any device you use to communicate. A VPN like our Freedome will protect your data traffic.
This would not, however, protect your voice calls.
[Image by Julian Carvajal | Flickr]
To commemorate F-Secure’s 30th year of innovation, we’re profiling 30 of our fellows from our more than…
August 16, 2018