GCHQ Pilfers Encryption Keys To Cell Phones

February 23, 2015 mitch tanenbaum

We have known for a long time that the encryption on cell phone calls and text messages was relatively weak, but apparently, cracking that was more work than GCHQ, the British version of the NSA, wanted to do.

People have been beating up the NSA for being, well, the NSA. I have said, whether we agree with them or not, they are just doing what they have been told to do and maybe they are a little smarter than some other spy agencies, but they are not doing anything that the other spy agencies are or want to do.

So now it is GCHQ’s turn in the spotlight. Dark Reading is reporting (see article and article) that GCHQ, with NSA’s help, broke into the world’s largest SIM card manufacturer, Gemalto, Gemalto’s cards are used by AT&T, Verizon, Sprint and T-Mobile, as well as bank cards, passports and other identity cards around the world. Just to make sure they weren’t missing anything, they also had a project to break into the cell phone companies and grab their encryption keys as well. The source of this information is … you guessed it … Edward Snowden.

The breaking in to the cell phone companies core networks also allowed them to supress charges that might have raised suspicions and have access to customer data.

Gemalto makes two billion SIM cards a year, all “owned” by GCHQ and the NSA. Along with whoever else they shared this with.

The stolen keys give GCHQ and NSA the ability to read any text message or listen to any phone call without the need to have to crack the crypto involved.

Using very standard phishing attacks, GCHQ planted malware on Gemalto’s network that gave them complete remote access to the network.

Possession of these keys allows the spies to send fake text messages, sign malicious Java apps and set up fake cell towers, along with listening to all phone calls.

One question to ask, of course, is whether GCHQ and NSA are the only organizations who could and did do this – did any hackers do the same thing? The only real answer is who knows, but from what is being reported, this hack did not require James Bond; it is a relatively run of the mill hack of a large organization with typical (i.e. poor) security. In Gemalto’s defense, protecting any large organization from a well designed spear phishing attack is hard.

Having the encryption keys also relieves the spy agencies of the necessity of ask the FISA court, the secret court that the spies go to and ask permission to, well, spy, and ask for a warrant. With warrant in hand they go to the cell phone company and ask for the data. Now they don’t have to bother with that. Convenient.

An interesting thought. If these chips are used in passports and a hacker had done the same thing that Snowden reports GCHQ did, they could creat fake passports for terrorists. They also could create fake chip and pin credit cards or hack real ones.

This is one reason why an enterprise risk assessment is so important. An assessment would identify the company’s crown jewels (in this case, the encryption keys) and try to make that data more resistant to attack.

Now that is is known, it is unclear what the cell phone and identity card companies will do.

What this does point to is that the only encryption that is likely to have any remote chance of being secure is end to end encryption where you manage the keys and no provider has access to the keys. Encryption provided by phone companies, dropbox, Facebook, Google and Microsoft is likely completely compromised. This type of encryption is also the most inconvenient way for users to manage encryption – they would prefer to snap their fingers and have it be secure. While the work of GCHQ and the NSA has privacy concerns, if they could do this, so could the Chinese, Russians and probably at least a large handful of hackers. Among others. THAT is a big concern.

Mitch