SIM-ply irresistible: NSA and GCHQ accused of massive mobile hack



How secure is your phone? Most users are now mindful of risks like insecure networks, malicious apps and fraudulent emails, but according to NSA whistleblower Edward Snowden, these attempts at privacy may be too little, too late. According to TIME magazine, some of Snowden’s leaked documents describe a joint venture between the National Security Agency (NSA) and Britain’s Government Communications Headquarters (GCHQ) to compromise a basic component of mobile phones: the SIM card. Here’s what you need to know.

Truth from Fiction

The facts so far? That SIM manufacturer Gemalto experienced several network attacks between 2010 and 2011, the period described in the Snowden documents. The company acknowledges that outside actors attempted to spy on internal networks, send spoofed emails to Gemalto customers using seemingly-legitimate corporate addresses and access the PCs of front-line employees. This is more than a little worrisome, since Gemalto is the single largest manufacturer of SIM cards in the world, supplying more than 450 operators.

But the company denies that any SIM card encryption keys were stolen, which is a very different story than Snowden’s. In that version, efforts by the NSA and GCHQ yielded access to a veritable treasure trove of SIM card data, allowing the spy agencies to eavesdrop on voice calls from users worldwide. It’s a fine line to walk, with Gemalto tacitly agreeing to the notion that nation-states could be responsible for the attacks while simultaneously trying to reassure worried customers.

To back up claims that the Snowden documents aren’t entirely accurate, Gemalto points to several inconsistencies, such as the fact that implicated SIM card factories in Japan, Colombia and Italy were non-operational at the time. In addition, Gemalto claims it relies on multiple isolated networks, many of which have never been compromised. Nonetheless, other SIM manufacturers such as Giesecke and Devrient are now taking a hard look at their IT infrastructure to determine if similar attacks were attempted.

Stranger Danger

Could the NSA and GCHQ have hacked your SIM card? Absolutely. Did they? It’s hard to say. The NSA specifically has been taken to task in the last few years for a number of shady dealings, including recent reports that an NSA-funded hacker group called “Equation” has been infecting computer firmware for years in an attempt to collect data about American citizens. The agency has consistently denied these claims while simultaneously talking up the risk of widespread cyber-attacks.

In a recent Washington Times article, for example, NSA director Admiral Mike Rogers argues that “it’s only a matter of time until we see destructive offensive actions taken against critical U.S. infrastructure.” While he declined to compare the cyber readiness of the United States with that of other nations, Adm. Rogers did note that “we’re talking about defending an infrastructure where [cyber] redundancy and resiliency were never designed. Most of it was created at a time when there was no cyber threat.” What does this mean for the NSA? That they see the nation as under-equipped to deal with potential threats. Small wonder, then, that they’re looking for any advantage, any avenue to stay current or get ahead. And the result? It could be anything that gives them a leg up: a compromised SIM card, desktop or network.

Privacy First

Mobile phone users are protective of their privacy. According to Biz Community, users opt for privacy over app functionality, with 40 percent of those asked indicating that lack of trust keeps them from downloading new or unfamiliar applications. What’s more, 72 percent of users are not comfortable sharing information such as their location or address book details. The easiest way to protect mobile privacy? Use a private VPN or similar IP-obscuring service to ensure no malicious actors can spy on your browsing or downloading habits. For something more sinister such as a SIM compromise, however, another option is a “privacy phone”. A recent TechCrunch article reports that even the mention of privacy phone features such as location blurring prompted massive speculation about a DT/Mozilla partnership to develop this kind of device, despite claims to the contrary. Simply put, consumers have a vested interest in staying anonymous.

Is your SIM card compromised? Maybe. Gemalto says no, Snowden says yes and the NSA is hedging its bets. Encrypted networks can help boost security; private phones take this a step farther. And if you really want to go “off the grid”? Turn off the phone, go outside and don’t look back. Terrifying, right?

Featured image: Viktor Hanacek / picjumbo

ExpressVPN is dedicated to your online security and privacy. Posts from this account will focus on company news or significant privacy and security stories.