US and UK intelligence agencies have allegedly hacked into a major maker of SIM cards, allowing them to eavesdrop on billions of mobile users around the world, a US news website claims.
Gemalto, the Dutch company alleged to have been targeted, said it “cannot at this early stage verify the findings of the publication” but it was taking the allegations “very seriously”.
If confirmed, the ramifications of what is known as mass surveillance would include not only metadata, but also mobile communications as readily available tools for intelligence agencies to use.
The report by The Intercept site, which cites documents from former US intelligence contractor turned whistleblower Edward Snowden, said that “the great SIM heist” gave US and UK spy agencies “the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data”.
The alleged breach on Gemalto indicates that the US National Security Agency (NSA) and UK’s GCHQ had hacked into its systems back in 2010 to steal encryption keys that could unlock the security settings on billions of mobile phones.
Reacting to the revelations Eric King, deputy director of the campaign group Privacy International, said in a statement that “in stealing the SIM card encryption keys of millions of mobile phone users they have shown there are a few lines they aren’t willing to cross.”
A SIM card has a unique encryption key that keeps the communications secure, making it difficult to snoop on conversations. However, by having the encryption key those carrying out the surveillance would be able to decipher previously unintelligible data.
Access to the encryption keys gave the agencies green light to decode the data that passes between mobile phones and cell towers – basically intercepted out of the air. This means they could listen in on phone calls and read texts undetected, without seeking permission from telecoms companies.
The news site said that among Gemalto’s clients are AT&T, T-Mobile, Verizon, Sprint “and some 450 wireless network providers around the world”. The Netherlands-based company operates in 85 countries and has more than 40 manufacturing facilities.
The two intelligence agencies have not made any comments on the allegations.