The NSA has hacked your phone: What you need to know, and how to protect yourself

Why does the NSA need your phone records
bikeriderlondon/Shutterstock
Each passing leak from former National Security Agency (NSA) contractor Edward Snowden seems to paint a darker picture of the state of privacy and data security in the United States, and the world at large. At this point we’ve heard about mass surveillance of nude Webcam chats, the NSA tapping international leaders’ phones, mass metadata collection, spies pretending to be Facebook to infect computers, and countless other programs. Now, an even more frightening Snowden leak has appeared on the Intercept.

The NSA and GCHQ have had access to the vast majority of cell phone communications around the world since 2010.

The latest report reveals that the NSA and its British counterpart, the Government Communications Headquarters (GCHQ), hacked into one of the largest SIM card manufacturers’ systems to steal the encryption keys used to activate and encrypt communications between an individual’s phone and a mobile carrier’s network. Once the NSA and GCHQ gained access to the encryption keys, the agencies had unlimited access to the voice and data information of any mobile user whose SIM card was included in that specific batch of encryption keys.

Updated on 02-25-2015 by Malarie Gokey: Added statement from Gemalto, acknowledging that its systems were targeted by unknown hackers. The report also denies that the hackers were successful in spying on users through Gemalto’s SIM cards. 

In other words, the NSA and GCHQ have had access to the vast majority of cell phone communications (even encrypted communication) around the world since 2010. They’ve listened to your phone calls; they’ve read your texts; and they’ve almost certainly monitored the websites you’ve visited on your mobile devices.

To make matters worse, the same hacked company that makes SIM cards also makes the chips that are embedded into your next-generation credit cards and next-generation passports.

Here’s everything you need to know about how these agencies pulled off this massive hack without anyone noticing, who they targeted, and how to protect yourself from surveillance.

How does the security of a SIM card work?

Every single text sent, call made, and website accessed on a mobile device is secured via an encrypted connection between the SIM card that’s installed on the device and the wireless carrier’s network. Important information such as your phone number, text messages, and other personal content is often stored on the SIM itself, so that the carrier can identify and distinguish your phone from all the others on its network. The keys for the encryption of all your most personal data are stored on the SIM card itself and given to the wireless network. SIMs play the same function as social security numbers — They identify their users. SIMs were never intended to be used to secure information, but that’s exactly what they have become.

When a SIM card is manufactured, an encryption key called the “Ki,” is burned onto the chip. The SIM card manufacturer gives the same Ki to the wireless network, so they can identify that particular phone. Before the phone can connect to the wireless carrier’s network, it uses the Ki on the SIM to authenticate its identity with the carrier. The phone gives what’s called a “handshake” to confirm that the Ki on the SIM is identical to the one the carrier has on file. Once the Ki have matched up, all communication between the phone and the network is encrypted, including calls, texts, and Internet access.

Supposing the GCHQ or NSA tried to intercept your phone’s signal as it moved through the air, any data the agencies picked up would be encrypted, and therefore useless to them. They’d have to decrypt it, which takes a lot of time and money, making it impossible to surveil on a mass scale. The only way for these agencies to access millions of peoples’ data all at once was to steal the encryption keys to millions of SIM cards, and that’s just what the NSA and GCHQ did.

How did the NSA and GCHQ intercept the encryption keys?

To understand how the NSA and GCHQ intercepted the encryption keys, it’s important to understand who provides and encrypts the SIM cards in the first place.

The U.S. and U.K. governments stole the encryption keys from the company that makes around 2 billion SIM cards a year.

Gemalto is one of the largest SIM card providers in the world. The company is based in the Netherlands and produces the SIM cards placed in mobile phones and next-generation credit cards from Visa, MasterCard, American Express, JP Morgan, Chase, and Barclays. Its technology is also used to secure mobile payments made using Softcard, the mobile wallet app formerly known as ISIS. Gemalto even has a deal with the U.S. government to make chips for passports, as well. It provides SIM cards to AT&T, T-Mobile, Verizon, Sprint, and 450 other carriers around the world. Vodafone, Orange, Royal KPN, China Unicom, NTT, and Chungwa also use its SIM cards. The company makes around 2 billion SIM cards a year.

Gemalto also happens to be the SIM card manufacturer that the NSA and GCHQ hacked.

GCHQ hackers didn’t break into Gemalto in person — They did it remotely remotely through the company’s computer network to steal the encryption keys for massive numbers of SIM cards all at once, as they were on their way to the carriers. The hackers were able to collect the keys in bulk thanks to the very insecure way Gemalto sent the keys to carriers. Gemalto sent the master key files to carriers over email or through File Transfer Protocol (FTP). Sometimes no encryption was used to protect the keys at all, making them easy pickings for the hackers.

The agencies used the NSA’s X-Keyscore program to access private email and Facebook accounts of engineers, employees of major telecom companies, SIM card manufacturers, and people from Yahoo and Google in search of the keys. Specific companies and employees were targeted, based on how many keys they could provide. By 2010, the GCHQ had figured out a way to maximize the number of keys stolen in one shot to frightening levels. It all escalated very quickly.

“In one two-week period, the team accessed the emails of 130 people associated with wireless network providers or SIM card manufacturing and personalization. This operation produced nearly 8,000 keys matched to specific phones in 10 countries,” the Intercept writes. “In another two-week period, by mining just six email addresses, they produced 85,000 keys. At one point in March 2010, GCHQ intercepted nearly 100,000 keys for mobile phone users in Somalia. By June, they’d compiled 300,000 … A top-secret NSA document asserted that, as of 2009, the U.S. spy agency already had the capacity to process between 12 and 22 million keys per second for later use against surveillance targets.”

Privacy and security experts told the Intercept that stealing these SIM card encryption keys is “tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment.”

Christopher Soghoian, the principal technologist for the American Civil Liberties Union, explained that not only can the agencies use the keys to access future communications, they can look back at older ones, too.

“Key theft enables the bulk, low-risk surveillance of encrypted communications,” Soghoian said. “Agencies can collect all the communications and then look through them later. With the keys, they can decrypt whatever they want, whenever they want. It’s like a time machine, enabling the surveillance of communications that occurred before someone was even a target.”

For its own part, Gemalto is investigating the claims and is severely disturbed by the idea that its secure technology is being used to spy on innocent people. The company issued a statement on its website, which says. “We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques. ”

What does the SIM card maker say about the hack?

SIM card maker Gemalto is currently investigating the hack, but it says the preliminary results indicate that its SIM products like banking cards, passports, and “other products” are secure. The company did not initially note whether or not its SIM cards that were built for mobile phones are safe or not. However, its follow up statement on February 25 confirms that although hackers targeted its system aggressively during the dates mentioned in the Snowden leaks, the hackers were not successful in their attempts to infiltrate Gemalto’s SIM cards. As such, the SIM card maker claims that the NSA and GCHQ cannot spy on users’ communications through the Gemalto SIM cards on their phones.

The company referred to two specific attacks on its network:

  • June 2010: Found evidence that a third party was trying to spy on the office network of one of the company’s French sites. The office network is typically used by employees to communicate with each other and people outside of the company. Gemalto took action to stop the spying quickly.
  • July 2010: Hackers sent emails to one of Gemalto’s mobile operator customers using fake Gemalto email addresses, pretending to be employees of the SIM card maker. The fake emails came with an attachment that could download malicious code. Gemalto told its customer of the attack and alerted the authorities, as well.
  • 2010: Gemalto discovered several attempts to access its employees’ PCs, especially those who often spoke with customers like mobile service providers and so on.

“At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation,” Gemalto stated. “These intrusions only affected the outer parts of our networks — our office networks — which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.”

In conclusion, Gemalto believes that although its network was definitely targeted and even infiltrated to some extent, its SIM cards are safe and no encryption keys were stolen by either agency. The company stated that it had already enacted stronger security measures to protect its networks — especially those in Pakistan, which were targeted more heavily — before the hacks even occurred.

“While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network,” Gemalto said in a statement. “No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.”

Gemalto explained that while SIM cards used on 2G networks could easily be hacked, those of 3G and 4G networks could not have been infiltrated. As such, the NSA and GCHQ’s main targets in Africa, the Middle East, and parts of Asia may have been spied on via their SIM cards, assuming they were on 2G networks. Meanwhile, the U.S. and Europe, which mainly use 3G or 4G networks, would have been safe.

“If someone intercepted the encryption keys used in 3G or 4G SIMs they would not be able to connect to the networks and consequently would be unable to spy on communications. Therefore, 3G and 4G cards could not be affected by the described attack,” Gemalto stated. “However, though backward compatible with 2G, these newer products are not used everywhere around the world as they are a bit more expensive and sometimes operators base their purchasing decision on price alone.”

Additionally, Gemalto says it never sold SIM cards to four of the 12 carriers listed in the leaked documents, one of which was the Somali carrier that reportedly had 300,000 keys stolen. The SIM card maker also didn’t have SIM card personalization centers in Japan, Colombia, and Italy. during the time of the hacks. To further reassure its customers and mobile users around the world, Gemalto reiterated the security standards its SIM cards are expected to meet and stated that third-party security experts even vet its products before they reach customers.

You can read the company’s full report on its website.

Product Review

What do you do with 187 megapixels? The Lumix S1R is glorious overkill

The Lumix S1R is one of the most capable cameras ever made, from its robust build to extensive feature set. But its key feature, a 187MP high resolution mode, is something few customers will have use for.
Apple

Apple Pay will be available at 70 percent of U.S. retail locations this year

Apple Pay is growing rapidly, so we've built a list of all the vendors, retailers, and companies worldwide that plan to support Apple's burgeoning mobile payment platform or already do.
Mobile

5G's arrival is transforming tech. Here's everything you need to know to keep up

It has been years in the making, but 5G is finally becoming a reality. While 5G coverage is still extremely limited, expect to see it expand in 2019. Not sure what 5G even is? Here's everything you need to know.
Gaming

How to break Posture and deal a Shinobi Deathblow in Sekiro: Shadows Die Twice

Sekiro: Shadows Die Twice is an incredibly difficult game, and managing the Posture system is a key part of improving and tackling the latest From Software title's most challenging sections.
Mobile

Scientists wreck a smartphone in a blender, but not just for fun

It’s oddly mesmerizing to watch a smartphone get torn apart inside a blender. Researchers recently did just that in a bid to find out which materials make up a handset, and also to encourage people to think more about recycling.
Movies & TV

Apple’s next big event is minutes away: Here’s what you can expect

Apple's next big event takes place on March 25 in Cupertino, California. The company is expected to make several announcements related to its services, including Apple TV, so follow our guide to get ready for the big event.
Wearables

This $76,000 Grand Seiko watch has something in common with a plug-in hybrid car

How can a watch that costs $76,000 possibly have anything in a common with any car, let alone a plug-in hybrid? It's all about the complex, technically incredible Spring Drive movement inside this Grand Seiko watch.
Deals

The excellent Apple iPad gets even deeper price cuts on Amazon

The humble iPad from 2018 is still one of the best tablets around -- and a solid choice for most people. Amazon has seen some great price drops for these tablets recently, and now you can own an iPad for even less than before.
Mobile

More than a screenshot: How to record the screen on an Android device

If you've ever want to record video of your Android screen, there are plenty of apps that can help. Here's an easy guide on how to record the screen on an Android device with the right settings and apps.
Apple

Apple March 2019 Event Coverage

Apple’s next event will take place March 25 at the Steve Jobs Theater in Cupertino, California at 10 a.m. PT. We’ve got a handy guide on how to watch, but don’t expect to see any new iPads, iMacs, or AirPods at the show, all of…
Product Review

Want to see how powerful the Snapdragon 855 chip is? Just rev up the Xiaomi Mi 9

How fast do you want to go? If the answer to this is “as fast as possible,” then take a long look at the Xiaomi Mi 9. It’s one of the highest performance smartphones you can buy. It’s a real monster, and we’ve been using it.
Mobile

Apple Card is a credit card you can sign up for and start using with your iPhone

Apple is getting into the credit card business. Apple Card is a credit card you can sign up for directly on your iPhone, and it doesn't have fees. There's a lower interest rate and you can even get Daily Cash from all purchases.
Gaming

Apple Arcade might be the new game subscription service worth signing up for

Apple Arcade will launch this fall bringing a new game-subscription service with cross-platform support for iOS, Mac, and Apple TV. At launch, the service will feature more than 100 exclusive games, with more added to the service regularly.
Mobile

Check out 22 of the best iPhone 7 cases and covers for your shiny new phone

The iPhone 7 might be attractive, but it’s not rugged. To keep your device in pristine condition, you really need to think about proper protection. That's why we've rounded up some of the best iPhone 7 cases and covers available.
1 of 2