The NSA has hacked your phone: What you need to know, and how to protect yourself

Why does the NSA need your phone records
bikeriderlondon/Shutterstock
Each passing leak from former National Security Agency (NSA) contractor Edward Snowden seems to paint a darker picture of the state of privacy and data security in the United States, and the world at large. At this point we’ve heard about mass surveillance of nude Webcam chats, the NSA tapping international leaders’ phones, mass metadata collection, spies pretending to be Facebook to infect computers, and countless other programs. Now, an even more frightening Snowden leak has appeared on the Intercept.

The NSA and GCHQ have had access to the vast majority of cell phone communications around the world since 2010.

The latest report reveals that the NSA and its British counterpart, the Government Communications Headquarters (GCHQ), hacked into one of the largest SIM card manufacturers’ systems to steal the encryption keys used to activate and encrypt communications between an individual’s phone and a mobile carrier’s network. Once the NSA and GCHQ gained access to the encryption keys, the agencies had unlimited access to the voice and data information of any mobile user whose SIM card was included in that specific batch of encryption keys.

Updated on 02-25-2015 by Malarie Gokey: Added statement from Gemalto, acknowledging that its systems were targeted by unknown hackers. The report also denies that the hackers were successful in spying on users through Gemalto’s SIM cards. 

In other words, the NSA and GCHQ have had access to the vast majority of cell phone communications (even encrypted communication) around the world since 2010. They’ve listened to your phone calls; they’ve read your texts; and they’ve almost certainly monitored the websites you’ve visited on your mobile devices.

To make matters worse, the same hacked company that makes SIM cards also makes the chips that are embedded into your next-generation credit cards and next-generation passports.

Here’s everything you need to know about how these agencies pulled off this massive hack without anyone noticing, who they targeted, and how to protect yourself from surveillance.

How does the security of a SIM card work?

Every single text sent, call made, and website accessed on a mobile device is secured via an encrypted connection between the SIM card that’s installed on the device and the wireless carrier’s network. Important information such as your phone number, text messages, and other personal content is often stored on the SIM itself, so that the carrier can identify and distinguish your phone from all the others on its network. The keys for the encryption of all your most personal data are stored on the SIM card itself and given to the wireless network. SIMs play the same function as social security numbers — They identify their users. SIMs were never intended to be used to secure information, but that’s exactly what they have become.

When a SIM card is manufactured, an encryption key called the “Ki,” is burned onto the chip. The SIM card manufacturer gives the same Ki to the wireless network, so they can identify that particular phone. Before the phone can connect to the wireless carrier’s network, it uses the Ki on the SIM to authenticate its identity with the carrier. The phone gives what’s called a “handshake” to confirm that the Ki on the SIM is identical to the one the carrier has on file. Once the Ki have matched up, all communication between the phone and the network is encrypted, including calls, texts, and Internet access.

Supposing the GCHQ or NSA tried to intercept your phone’s signal as it moved through the air, any data the agencies picked up would be encrypted, and therefore useless to them. They’d have to decrypt it, which takes a lot of time and money, making it impossible to surveil on a mass scale. The only way for these agencies to access millions of peoples’ data all at once was to steal the encryption keys to millions of SIM cards, and that’s just what the NSA and GCHQ did.

How did the NSA and GCHQ intercept the encryption keys?

To understand how the NSA and GCHQ intercepted the encryption keys, it’s important to understand who provides and encrypts the SIM cards in the first place.

The U.S. and U.K. governments stole the encryption keys from the company that makes around 2 billion SIM cards a year.

Gemalto is one of the largest SIM card providers in the world. The company is based in the Netherlands and produces the SIM cards placed in mobile phones and next-generation credit cards from Visa, MasterCard, American Express, JP Morgan, Chase, and Barclays. Its technology is also used to secure mobile payments made using Softcard, the mobile wallet app formerly known as ISIS. Gemalto even has a deal with the U.S. government to make chips for passports, as well. It provides SIM cards to AT&T, T-Mobile, Verizon, Sprint, and 450 other carriers around the world. Vodafone, Orange, Royal KPN, China Unicom, NTT, and Chungwa also use its SIM cards. The company makes around 2 billion SIM cards a year.

Gemalto also happens to be the SIM card manufacturer that the NSA and GCHQ hacked.

GCHQ hackers didn’t break into Gemalto in person — They did it remotely remotely through the company’s computer network to steal the encryption keys for massive numbers of SIM cards all at once, as they were on their way to the carriers. The hackers were able to collect the keys in bulk thanks to the very insecure way Gemalto sent the keys to carriers. Gemalto sent the master key files to carriers over email or through File Transfer Protocol (FTP). Sometimes no encryption was used to protect the keys at all, making them easy pickings for the hackers.

The agencies used the NSA’s X-Keyscore program to access private email and Facebook accounts of engineers, employees of major telecom companies, SIM card manufacturers, and people from Yahoo and Google in search of the keys. Specific companies and employees were targeted, based on how many keys they could provide. By 2010, the GCHQ had figured out a way to maximize the number of keys stolen in one shot to frightening levels. It all escalated very quickly.

“In one two-week period, the team accessed the emails of 130 people associated with wireless network providers or SIM card manufacturing and personalization. This operation produced nearly 8,000 keys matched to specific phones in 10 countries,” the Intercept writes. “In another two-week period, by mining just six email addresses, they produced 85,000 keys. At one point in March 2010, GCHQ intercepted nearly 100,000 keys for mobile phone users in Somalia. By June, they’d compiled 300,000 … A top-secret NSA document asserted that, as of 2009, the U.S. spy agency already had the capacity to process between 12 and 22 million keys per second for later use against surveillance targets.”

Privacy and security experts told the Intercept that stealing these SIM card encryption keys is “tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment.”

Christopher Soghoian, the principal technologist for the American Civil Liberties Union, explained that not only can the agencies use the keys to access future communications, they can look back at older ones, too.

“Key theft enables the bulk, low-risk surveillance of encrypted communications,” Soghoian said. “Agencies can collect all the communications and then look through them later. With the keys, they can decrypt whatever they want, whenever they want. It’s like a time machine, enabling the surveillance of communications that occurred before someone was even a target.”

For its own part, Gemalto is investigating the claims and is severely disturbed by the idea that its secure technology is being used to spy on innocent people. The company issued a statement on its website, which says. “We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques. ”

What does the SIM card maker say about the hack?

SIM card maker Gemalto is currently investigating the hack, but it says the preliminary results indicate that its SIM products like banking cards, passports, and “other products” are secure. The company did not initially note whether or not its SIM cards that were built for mobile phones are safe or not. However, its follow up statement on February 25 confirms that although hackers targeted its system aggressively during the dates mentioned in the Snowden leaks, the hackers were not successful in their attempts to infiltrate Gemalto’s SIM cards. As such, the SIM card maker claims that the NSA and GCHQ cannot spy on users’ communications through the Gemalto SIM cards on their phones.

The company referred to two specific attacks on its network:

  • June 2010: Found evidence that a third party was trying to spy on the office network of one of the company’s French sites. The office network is typically used by employees to communicate with each other and people outside of the company. Gemalto took action to stop the spying quickly.
  • July 2010: Hackers sent emails to one of Gemalto’s mobile operator customers using fake Gemalto email addresses, pretending to be employees of the SIM card maker. The fake emails came with an attachment that could download malicious code. Gemalto told its customer of the attack and alerted the authorities, as well.
  • 2010: Gemalto discovered several attempts to access its employees’ PCs, especially those who often spoke with customers like mobile service providers and so on.

“At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation,” Gemalto stated. “These intrusions only affected the outer parts of our networks — our office networks — which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.”

In conclusion, Gemalto believes that although its network was definitely targeted and even infiltrated to some extent, its SIM cards are safe and no encryption keys were stolen by either agency. The company stated that it had already enacted stronger security measures to protect its networks — especially those in Pakistan, which were targeted more heavily — before the hacks even occurred.

“While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network,” Gemalto said in a statement. “No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.”

Gemalto explained that while SIM cards used on 2G networks could easily be hacked, those of 3G and 4G networks could not have been infiltrated. As such, the NSA and GCHQ’s main targets in Africa, the Middle East, and parts of Asia may have been spied on via their SIM cards, assuming they were on 2G networks. Meanwhile, the U.S. and Europe, which mainly use 3G or 4G networks, would have been safe.

“If someone intercepted the encryption keys used in 3G or 4G SIMs they would not be able to connect to the networks and consequently would be unable to spy on communications. Therefore, 3G and 4G cards could not be affected by the described attack,” Gemalto stated. “However, though backward compatible with 2G, these newer products are not used everywhere around the world as they are a bit more expensive and sometimes operators base their purchasing decision on price alone.”

Additionally, Gemalto says it never sold SIM cards to four of the 12 carriers listed in the leaked documents, one of which was the Somali carrier that reportedly had 300,000 keys stolen. The SIM card maker also didn’t have SIM card personalization centers in Japan, Colombia, and Italy. during the time of the hacks. To further reassure its customers and mobile users around the world, Gemalto reiterated the security standards its SIM cards are expected to meet and stated that third-party security experts even vet its products before they reach customers.

You can read the company’s full report on its website.

Smart Home

Walmart slashes prices on Google Home during its Presidents’ Day sale

Walmart slashes prices on Google Home during its Presidents' Day sale. Whether you're taking your first step in configuring a smart home or expanding to every room, Walmart has excellent sale prices for all the key components.
Gaming

These are the best weapons for taking down mutants and bandits in Metro Exodus

Metro Exodus is a very difficult game, and choosing the right weapons is key for surviving the post-apocalyptic Russia that 4A Games has created. These are the best weapons in Metro Exodus.
Computing

Lose the key for your favorite software? These handy tools can find it for you

Missing product keys getting you down? We've chosen some of the best software license and product key finders in existence, so you can locate and document your precious keys on your Windows or MacOS machine.
Computing

File Transfer Protocol explained: What FTP is and what it does

FTP stands for "File Transfer Protocol," and it's used to transfer files online. Most internet users don't need it, but web developers use it constantly. Here's what FTP is, how it works, and how you can get started using it.
Mobile

Worried about extra data charges? Here's how to check your usage on an iPhone

It's common to get a little nervous about nearing data limits. Keep your peace of mind by checking how much data your iPhone is using. Our guide on how to check data usage on an iPhone helps you stay in control.
Mobile

North Focals smartglasses discount cuts the price by a massive $400

Canadian startup North is hoping smartglasses will be the next big wearable. After announcing its new Focals smartglasses in late 2018, the company opened product showrooms in Brooklyn and Toronto and has made its first shipment.
Mobile

Exclusive: Take a look at what a next-generation 5G phone will look like

With 5G phones debuting at MWC in mere days, there is discussion about whether they will be clunky bricks that die after a few hours? A reference design from Qualcomm offerrs a glimpse of the future: This is what 5G phones will look like.
Mobile

New Apple patent hints clamshell-style foldable phone may be in the works

Apple has filed a patent for a foldable phone that suggests the company could be following in the footsteps of the likes of Samsung and Huawei. The patent describes a clamshell-style foldable phone with two separate sections.
Mobile

Xiaomi Mi 9 will be one of the first phones with monster Snapdragon 855 chip

Xiaomi's next major smartphone release will be the Mi 9, and the company hasn't held back in giving us a good look at the phone, revealing the design, the camera, and a stunning color.
Wearables

Galaxy Watch Active isn't official yet, but you can see it in Samsung's own app

Samsung may be about to resurrect its Sport line of smartwatches under a new name: The Galaxy Watch Sport Active. Leaks and rumors are building our picture of the device at the moment.
Mobile

Stop buying old tablets, says Samsung, buy the new Galaxy Tab S5e instead

Samsung has launched the Galaxy Tab S5e -- the E is for Essential -- a reasonably priced tablet that includes many of the features we like from the Tab A 10.5, and the Tab S4. Here's what you need to know.
Mobile

Bag yourself a bargain with the best budget tablets under $200

The battle for your budget tablet affections is really ramping up. Which tablet, costing less than $200, should be commanding your attention? We take a look at some different options for the budget-conscious.
Computing

What is Wi-Fi 6? Here's a look at the next evolution of the wireless standard

We're exploring the new naming convention for wireless standards, how it affects the devices you buy, and what the upcoming Wi-Fi generation is changing for the better.
Home Theater

Samsung accidentally leaks its new Galaxy Buds ahead of launch

It's been all but certain that Samsung would launch a successor to its Gear IconX wireless earbuds soon, but a newly leaked photo and recent FCC certification document seems to indicate that the debut is very close.
1 of 2