What are carriers doing about the hack?
Although Gemalto claims that there is nothing to worry about, mobile carriers around the world are investigating the security of SIM cards from Gemalto on their own. According to the Daily Mail, Australian carriers Optus and Telstra are already investigating the situation, and may even consider a mass recall of SIM cards from Gemalto if the results hint that its users’ SIM cards are vulnerable. Both carriers said they are in communication with Gemalto and are awaiting further news before taking any drastic steps.
Vodafone, a network that operates in Europe, Africa, Asia, Australia, and elsewhere confirmed that it, too, is investigating the SIM card hack claims. Meanwhile, Japanese carrier NTT DoCoMo’s spokesman Takashi Itou told Reuters that the carrier “will consider any necessary steps based on the results of our investigation,” but didn’t say whether it would issue a recall.
As of yet, no American carrier has commented on the SIM card hack allegations.
Are my phone and credit cards safe?
It’s unclear exactly how many SIM cards the NSA and GCHQ have the encryption keys for. However, based on the staggering number of keys collected in the short span of time documented in Snowden’s leaks, it’s more than likely that many of the phones around the world hold SIM cards that have been infiltrated by these agencies. Of course, unless you’re a lawbreaker or a suspect in some terrible crime, the agencies are probably not actively looking at all your data. That said, they can access it at any time if they have your SIM card’s key, which is incredibly disconcerting.
When it comes to your credit card, it’s unclear whether the NSA or GCHQ will access those keys, or what they will do with them if they did. Theoretically, they could perhaps track your purchase history though them, but nobody knows if they are doing that. The Intercept article and the documents it references don’t mention the implications of the credit card chips provided by Gemalto. However, the passport chips made by Gemalto are not encrypted by Gemalto, but rather by the passport office, so those, at least, might be safe from surveillance.
What can I do to protect myself?
You can always use secure apps for email and messaging that use “Transport Layer Security (TLS), the mechanism underlying the secure HTTPS Web protocol.” Email apps that come standard on Android phones and iPhones support TLS, and so do Yahoo and Google, so if you’re emailing over those apps, you’ll have some degree of protection from SIM-key-enabled surveillance. Messaging apps like TextSecure and Silent Text are also secure for texting, while Signal, RedPhone, and Silent Phone will encrypt your calls.
Of course, if the government identifies you as a target, they can still directly target those communications and work to decrypt your data.
“We need to stop assuming that the phone companies will provide us with a secure method of making calls or exchanging text messages,” says the ACLU’s Soghoian.
Beyond using encrypted apps, you can’t really do much yet, other than email your government representatives and fight to shut down NSA programs like this one and the others revealed by Snowden.
However, there is a lot that companies can do to protect themselves and their users. A new form of encryption called Perfect Forward Security (PFS) was designed specifically to protect users from the worst parts of SIM-key-enabled surveillance. PFS is built into many Web browsers, Google, and Twitter. The system generates a unique encryption key for every call, text, and piece of data. That key is later discarded and not reused. Since the new keys can be created very minute, hour, or day, there’s no backlog of communications for spies to look back on retrospectively. They only gain access to that one kernel of information from that one key.
“Because cellphone communications do not utilize PFS, if an intelligence agency has been “passively” intercepting someone’s communications for a year and later acquires the permanent encryption key, it can go back and decrypt all of those communications,” the Intercept explains, adding that, “If mobile phone networks were using PFS, that would not be possible — even if the permanent keys were later stolen.”
Unfortunately, carriers and other technology companies have yet to adopt this approach. As such, anyone whose SIM encryption key has been stolen is now vulnerable to the NSA and GCHQ’s surveillance.
For more info, check out the Intercept’s article and the documents that accompany it.