The NSA has hacked your phone: What you need to know, and how to protect yourself

Why does the NSA need your phone records
Each passing leak from former National Security Agency (NSA) contractor Edward Snowden seems to paint a darker picture of the state of privacy and data security in the United States, and the world at large. At this point we’ve heard about mass surveillance of nude Webcam chats, the NSA tapping international leaders’ phones, mass metadata collection, spies pretending to be Facebook to infect computers, and countless other programs. Now, an even more frightening Snowden leak has appeared on the Intercept.

The NSA and GCHQ have had access to the vast majority of cell phone communications around the world since 2010.

The latest report reveals that the NSA and its British counterpart, the Government Communications Headquarters (GCHQ), hacked into one of the largest SIM card manufacturers’ systems to steal the encryption keys used to activate and encrypt communications between an individual’s phone and a mobile carrier’s network. Once the NSA and GCHQ gained access to the encryption keys, the agencies had unlimited access to the voice and data information of any mobile user whose SIM card was included in that specific batch of encryption keys.

Updated on 02-25-2015 by Malarie Gokey: Added statement from Gemalto, acknowledging that its systems were targeted by unknown hackers. The report also denies that the hackers were successful in spying on users through Gemalto’s SIM cards. 

In other words, the NSA and GCHQ have had access to the vast majority of cell phone communications (even encrypted communication) around the world since 2010. They’ve listened to your phone calls; they’ve read your texts; and they’ve almost certainly monitored the websites you’ve visited on your mobile devices.

To make matters worse, the same hacked company that makes SIM cards also makes the chips that are embedded into your next-generation credit cards and next-generation passports.

Here’s everything you need to know about how these agencies pulled off this massive hack without anyone noticing, who they targeted, and how to protect yourself from surveillance.

How does the security of a SIM card work?

Every single text sent, call made, and website accessed on a mobile device is secured via an encrypted connection between the SIM card that’s installed on the device and the wireless carrier’s network. Important information such as your phone number, text messages, and other personal content is often stored on the SIM itself, so that the carrier can identify and distinguish your phone from all the others on its network. The keys for the encryption of all your most personal data are stored on the SIM card itself and given to the wireless network. SIMs play the same function as social security numbers — They identify their users. SIMs were never intended to be used to secure information, but that’s exactly what they have become.

When a SIM card is manufactured, an encryption key called the “Ki,” is burned onto the chip. The SIM card manufacturer gives the same Ki to the wireless network, so they can identify that particular phone. Before the phone can connect to the wireless carrier’s network, it uses the Ki on the SIM to authenticate its identity with the carrier. The phone gives what’s called a “handshake” to confirm that the Ki on the SIM is identical to the one the carrier has on file. Once the Ki have matched up, all communication between the phone and the network is encrypted, including calls, texts, and Internet access.

Supposing the GCHQ or NSA tried to intercept your phone’s signal as it moved through the air, any data the agencies picked up would be encrypted, and therefore useless to them. They’d have to decrypt it, which takes a lot of time and money, making it impossible to surveil on a mass scale. The only way for these agencies to access millions of peoples’ data all at once was to steal the encryption keys to millions of SIM cards, and that’s just what the NSA and GCHQ did.

How did the NSA and GCHQ intercept the encryption keys?

To understand how the NSA and GCHQ intercepted the encryption keys, it’s important to understand who provides and encrypts the SIM cards in the first place.

The U.S. and U.K. governments stole the encryption keys from the company that makes around 2 billion SIM cards a year.

Gemalto is one of the largest SIM card providers in the world. The company is based in the Netherlands and produces the SIM cards placed in mobile phones and next-generation credit cards from Visa, MasterCard, American Express, JP Morgan, Chase, and Barclays. Its technology is also used to secure mobile payments made using Softcard, the mobile wallet app formerly known as ISIS. Gemalto even has a deal with the U.S. government to make chips for passports, as well. It provides SIM cards to AT&T, T-Mobile, Verizon, Sprint, and 450 other carriers around the world. Vodafone, Orange, Royal KPN, China Unicom, NTT, and Chungwa also use its SIM cards. The company makes around 2 billion SIM cards a year.

Gemalto also happens to be the SIM card manufacturer that the NSA and GCHQ hacked.

GCHQ hackers didn’t break into Gemalto in person — They did it remotely remotely through the company’s computer network to steal the encryption keys for massive numbers of SIM cards all at once, as they were on their way to the carriers. The hackers were able to collect the keys in bulk thanks to the very insecure way Gemalto sent the keys to carriers. Gemalto sent the master key files to carriers over email or through File Transfer Protocol (FTP). Sometimes no encryption was used to protect the keys at all, making them easy pickings for the hackers.

The agencies used the NSA’s X-Keyscore program to access private email and Facebook accounts of engineers, employees of major telecom companies, SIM card manufacturers, and people from Yahoo and Google in search of the keys. Specific companies and employees were targeted, based on how many keys they could provide. By 2010, the GCHQ had figured out a way to maximize the number of keys stolen in one shot to frightening levels. It all escalated very quickly.

“In one two-week period, the team accessed the emails of 130 people associated with wireless network providers or SIM card manufacturing and personalization. This operation produced nearly 8,000 keys matched to specific phones in 10 countries,” the Intercept writes. “In another two-week period, by mining just six email addresses, they produced 85,000 keys. At one point in March 2010, GCHQ intercepted nearly 100,000 keys for mobile phone users in Somalia. By June, they’d compiled 300,000 … A top-secret NSA document asserted that, as of 2009, the U.S. spy agency already had the capacity to process between 12 and 22 million keys per second for later use against surveillance targets.”

Privacy and security experts told the Intercept that stealing these SIM card encryption keys is “tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment.”

Christopher Soghoian, the principal technologist for the American Civil Liberties Union, explained that not only can the agencies use the keys to access future communications, they can look back at older ones, too.

“Key theft enables the bulk, low-risk surveillance of encrypted communications,” Soghoian said. “Agencies can collect all the communications and then look through them later. With the keys, they can decrypt whatever they want, whenever they want. It’s like a time machine, enabling the surveillance of communications that occurred before someone was even a target.”

For its own part, Gemalto is investigating the claims and is severely disturbed by the idea that its secure technology is being used to spy on innocent people. The company issued a statement on its website, which says. “We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques. ”

What does the SIM card maker say about the hack?

SIM card maker Gemalto is currently investigating the hack, but it says the preliminary results indicate that its SIM products like banking cards, passports, and “other products” are secure. The company did not initially note whether or not its SIM cards that were built for mobile phones are safe or not. However, its follow up statement on February 25 confirms that although hackers targeted its system aggressively during the dates mentioned in the Snowden leaks, the hackers were not successful in their attempts to infiltrate Gemalto’s SIM cards. As such, the SIM card maker claims that the NSA and GCHQ cannot spy on users’ communications through the Gemalto SIM cards on their phones.

The company referred to two specific attacks on its network:

  • June 2010: Found evidence that a third party was trying to spy on the office network of one of the company’s French sites. The office network is typically used by employees to communicate with each other and people outside of the company. Gemalto took action to stop the spying quickly.
  • July 2010: Hackers sent emails to one of Gemalto’s mobile operator customers using fake Gemalto email addresses, pretending to be employees of the SIM card maker. The fake emails came with an attachment that could download malicious code. Gemalto told its customer of the attack and alerted the authorities, as well.
  • 2010: Gemalto discovered several attempts to access its employees’ PCs, especially those who often spoke with customers like mobile service providers and so on.

“At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation,” Gemalto stated. “These intrusions only affected the outer parts of our networks — our office networks — which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.”

In conclusion, Gemalto believes that although its network was definitely targeted and even infiltrated to some extent, its SIM cards are safe and no encryption keys were stolen by either agency. The company stated that it had already enacted stronger security measures to protect its networks — especially those in Pakistan, which were targeted more heavily — before the hacks even occurred.

“While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network,” Gemalto said in a statement. “No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.”

Gemalto explained that while SIM cards used on 2G networks could easily be hacked, those of 3G and 4G networks could not have been infiltrated. As such, the NSA and GCHQ’s main targets in Africa, the Middle East, and parts of Asia may have been spied on via their SIM cards, assuming they were on 2G networks. Meanwhile, the U.S. and Europe, which mainly use 3G or 4G networks, would have been safe.

“If someone intercepted the encryption keys used in 3G or 4G SIMs they would not be able to connect to the networks and consequently would be unable to spy on communications. Therefore, 3G and 4G cards could not be affected by the described attack,” Gemalto stated. “However, though backward compatible with 2G, these newer products are not used everywhere around the world as they are a bit more expensive and sometimes operators base their purchasing decision on price alone.”

Additionally, Gemalto says it never sold SIM cards to four of the 12 carriers listed in the leaked documents, one of which was the Somali carrier that reportedly had 300,000 keys stolen. The SIM card maker also didn’t have SIM card personalization centers in Japan, Colombia, and Italy. during the time of the hacks. To further reassure its customers and mobile users around the world, Gemalto reiterated the security standards its SIM cards are expected to meet and stated that third-party security experts even vet its products before they reach customers.

You can read the company’s full report on its website.

Emerging Tech

Virgin Galactic completes another test flight, this time with a passenger

Virgin Galactic chief astronaut instructor Beth Moses rode the company's spacecraft as a passenger on Friday, a key milestone toward commercial availability of the flights later this year. Moses rode along to test "cabin design elements."
Movies & TV

ESPN Plus is a great sports companion. Here's everything you need to know

ESPN's streaming service, ESPN Plus, arrived in 2018. Despite appearances, ESPN Plus isn't a replacement for your ESPN cable channels, and it differs from other streaming apps in a few key ways. We answer all your questions in this guide.

Marriott asking guests for data to see if they were victims of the Starwood hack

Marriott has created an online form to help you find out if your data was stolen in the massive Starwood hack that came to light toward the end of 2018. But take note, it requires you to submit a bunch of personal details.

Razer Game Store to shut down at end of February, less than a year after opening

The Razer Game Store will shut down on February 28, less than a year after it opened. Games purchased from the digital store will continue to work, but purchased keys will need to be used before its closure.

Protect your iPhone or iPad with the IPVanish VPN, on sale through February

One of our favorite virtual private networks for iPhones and iPads, IPVanish, is now offering a huge discount on its two-year subscription as part of its 7th-birthday promotion. Read on to find out more about how this VPN works and how you…

Verizon is launching real standards-based 5G in 30 cities in 2019

Verizon is in the midst of a massive 5G rollout. In addition to fixed 5G service, it will also begin deploying mobile 5G in the coming months. Here's everything you need to know about Verizon's 5G network and when it will be in your town.

Samsung’s wide range of Galaxy products means there’s something for everyone

Samsung launched a host of new products on February 20, with prices ranging from just $35, all the way up to nearly $2,000. This was not by chance, and the company believes it has something for everyone in 2019.

Stay fit and save cash with our top 10 affordable Fitbit alternatives

As much as we love Fitbits, they're rather expensive. If all you want is a simple activity tracker, however, then check out these great cheap Fitbit alternatives. With offerings from brands like Garmin, you don't need to pay full price.

Samsung Galaxy S10e vs. OnePlus 6T: Can the Flagship Killer survive?

The Samsung Galaxy S10e is the new affordable flagship on the block, but at $750, it's $200 more than the OnePlus 6T. Does the Flagship Killer stand a chance against the new generation of flagship devices? Let's take a closer look.

Make some time for the best smartwatch deals for February 2019

Smartwatches make your life easier by sending alerts right on your wrist. Many also provide fitness-tracking features. So if you're ready to take the plunge into wearables and want to save money, read on for the best smartwatch deals.
Product Review

Samsung’s Galaxy Buds are a brilliant combination of value and comfort

With six hours of battery life, an extremely comfortable fit, sweatproofing, and a very palatable price tag, Samsung’s Galaxy Buds are putting all other true wireless earbuds on notice.

Amazon drops a sweet deal on the Kate Spade Scallop smartwatch for women

Unlike many other smartwatches geared toward women, the Kate Spade Scallop offers a more chic and minimalistic look. With this Amazon sale going on right now, you can get it for $109 off its retail price.

Lyft’s Shared Saver service offers cheaper rides, but you’ll have to walk a little

Lyft has launched a new ride option called Shared Saver that offers cheaper rides if you're willing to walk a little. Shared Saver designates a nearby pick-up point and drops you off a short distance from your final destination.

The 5 best Apple AirPods alternatives for Android, Windows, and iOS devices

Apple AirPods, nice as they are, aren't the only game in town. Other makers are offering their own truly wireless earbuds, and if you're looking to buy a pair of high-end in-ear headphones, we've got the best AirPod alternatives on the…
1 of 2