One of the “biggest Snowden stories yet” has arrived today, according to journalist Glenn Greenwald.
Spies from the United States’ National Security Agency (NSA) and the United Kingdom's Government Communication Headquarters (GCHQ) “hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe.” The information was obtained from top-secret documents leaked by Edward Snowden.
So what, exactly, did the spy agencies do? According to journalist Jeremy Scahill (who also works for The Intercept with Greenwald):
The NSA & GCHQ covertly stole millions of encryption keys used to protect your mobile phone communications: http://t.co/dVjLuxl4k3
— jeremy scahill (@jeremyscahill) February 19, 2015
Encryption keys are what keep encrypted communications private to third parties, such as governments. In the case of mobile technology, the key is stored in the SIM card [pdf], and the mobile carrier also holds a copy.
Communications are encrypted between the carrier and the phone only, meaning that the mobile carrier can use their key to access your data. Typically, a mobile carrier would only hand over the key if compelled to do so by law enforcement. Therefore, by hacking into the network of Gemalto, the world's largest SIM card manufacturer, the spy agencies are able to bypass the rule of law and gain access to the SIM encryption keys of potentially billions of mobile phone users, allowing them to decrypt phone calls, text messages, and other traffic.*
On Twitter, many readers seemed unsurprised by the latest news, considering all of the leaks that came before it.
@AnonyOps questioned the efficacy of the hack, asking:
It must be asked again, now that we know GCHQ/NSA have basically pwned everything: Why do we still have crime? How is ISIS even a thing?
— Anonymous (@AnonyOps) February 20, 2015
Privacy International's Eric King joked:
Who thinks it's a good idea to give Cameron a “golden key”, now we've learned spies have been able to steal millions of them in the past.
— Eric King (@e3i5) February 20, 2015
Another important question raised by the story is who is affected by the breach. As The Intercept points out, Gemalto's clients include US mobile carriers AT&T, T-Mobile, Verizon, and Sprint, as well as 450 wireless network providers around the world.
“The company operates in 85 countries and has more than 40 manufacturing facilities,” they report. The piece also mentions Vodafone (Europe), Orange (France), EE (Europe), Royal KPN (the Netherlands), China Unicom, NTT (Japan), and Chungwa Telecom (Taiwan), as well as “scores of wireless network providers throughout Africa and the Middle East.” A look at Gemalto's website also unearths China Mobile and South Africa's MTN as partners; the company's Wikipedia page shows telecom clients in Turkey and Italy, as well.
Some readers expressed anger at the two countries for their seemingly endless spying.
Claudio Guarnieri, an Italian malware expert, tweeted:
United Kingdom is a European Union member state. It's time the Commission sanctions the British for #GCHQ hacking of other member states.
— Claudio (@botherder) February 20, 2015
Maher Arar, a Syrian-Canadian who was once renditioned by the US to Syria and reportedly tortured while in custody, wrote:
Obama isn't at war w/ Islam but the target of the NSA malware in the US & UK were all Islamic activists & scholars: http://t.co/eSypJtGYKe
— Maher Arar (@ArarMaher) February 19, 2015
Gemalto, the company at the center of the story, has not yet responded publicly, but a video from the manufacturer shows its good intentions:
*It's worth noting that this does not allow NSA and GHCQ to access calls, messages, and other communications that are encrypted by other, additional means, such as tools like RedPhone or ChatSecure. For more information on mobile security, check out Surveillance Self-Defense or Security in a Box.