Jump to content
The Corroboree
whitewind

SIM cards hacked by NSA, GCHQ

Recommended Posts

http://www.smh.com.au/digital-life/consumer-security/

telcos-face-mass-sim-card-recall-after-spy-agencies-encryption-hack-revealed-20150223-13mecc.html

Telstra, Optus and Vodafone may be forced to order the recall of potentially millions of mobile phone SIM cards after it was revealed that US and British spy agencies stole encryption keys that secured personal information, including calls and texts, on the chips.

Australia's three major telcos confirmed to Fairfax Media on Monday they each sold SIM cards produced by the hacked Dutch company Gemalto, as well as SIMs manufactured by other companies.

None was forthcoming on whether or not they would issue replacement SIMs to customers in the event of them being affected by the hack, pending further advice from Gemalto and authorities as they carried out their investigations.

Telstra, Australia's largest telco provider, said it was "in contact" with Gemalto and would work with the company to address any issues identified.

"Telstra takes customers privacy and security very seriously," a spokesperson said.

"SIM card encryption is just one of multiple ways Telstra secures our network and the communications of our customers."

Optus also said it was waiting on advice from Gemalto.

Neither Telstra, Optus nor Vodafone disclosed what percentage of SIMs they used were manufactured by Gemalto, however Gemalto is the largest SIM card manufacturer in the world and Telstra said it was a "significant" supplier.

There were 20.6 million mobile phone handset subscribers in Australia as at June 30, 2014, according to the Australian Bureau of Statistics, and while not all of these would use Gemalto SIMs, the problem ostensibly extends worldwide, with some 450 telco providers across the globe, including AT&T and Verizon in the US, sourcing SIMs from Gemalto, according to The Intercept.

On Friday, the online publication, which is dedicated to reporting on documents leaked by former National Security Administration (NSA) whistleblower Edward Snowden, published claims that the NSA, along with Britain's Government Communication Headquarters (GCHQ), hacked into Gemalto's IT systems to obtain the encryption keys of SIM cards it manufactured, giving them access to personal content stored on SIMs, such as data, text and even listening in on phone calls.

"It enables them to bypass wiretapping restrictions, it doesn't require any special tool, you don't have to be very sophisticated to go through this decryption," Linus Information Security Solutions director Mike Thompson told Fairfax.

Mr Thompson said the alleged actions by the NSA and GCHQ were likely to be targeted towards specific individuals, but described the approach as "using the sledgehammer to crack the nut", with "the potential to be really insidious in terms of its pervasiveness".

Because of the type of encryption Gemalto used, the only way for telcos to ensure their customers' phones were not compromised was to disable and replace affected SIMs, he said.

"They're implementing a simple key exchange facility, where you store the secret key on the SIM card and the telco has a copy of secret key, and that's all used to facilitate exchange and then transmissions will commence," Mr Thompson said.

"It relies on both the telco and the SIM manufacturer keeping that secret - the moment the key is compromised that SIM is permanently compromised."

Mr Thompson said the overall financial fallout for telcos if they had to replace SIMs would be "horrific" and that they would likely be "extremely reluctant" to do so.

Gemalto said in a statement it was taking the claims "very seriously" and would "devote all resources necessary to fully investigate" them.

If telcos do decide to recall SIM cards or offer replacements, the scheme will be similar to what security company RSA offered when its security tokens became compromised in 2011.

  • Like 1

Share this post


Link to post
Share on other sites

"Telstra takes customer's privacy and security very seriously..." :huh:

BAHAHAHAHAHAHAHAHAHhaha...ha...sniff! :lol:

So funny.

  • Like 3

Share this post


Link to post
Share on other sites

The really sad part is they have all this surveillance and yet they still didn't ping the guy before the Lindt cafe...

Share this post


Link to post
Share on other sites

^^^ Or they knew damn well and used it as a reminder for us all to be afraid *eyeroll*

What a fucking joke. Two people (sorry three to count the attacker) died in that siege, didn't one of them have a heart attack? Either way, two people. Yet eight were killed in Cairns by a mother with a mental illness... a sector which the government continually pulls funding on. There is no need to play conspiracy theorist on this; it's simple facts that a happy society doesn't make enough money for the ones who run this world.

  • Like 2

Share this post


Link to post
Share on other sites

http://www.smh.com.au/digital-life/consumer-security/

telcos-face-mass-sim-card-recall-after-spy-agencies-encryption-hack-revealed-20150223-13mecc.html

"Gemalto Execs reading the news about their hacking by GCHQ and NSA":

Hz5tGvO.gif

(from DevOps Reactions)

If you think that's bad, this'll really bake your noodle: the NSA is suspected of embedding spy software in the firmware of major hard-drive brands, like Western Digital, Seagate and Toshiba.

Between that and phone call spying alone, there's not much digital privacy left!

  • Like 1

Share this post


Link to post
Share on other sites
If you think that's bad, this'll really bake your noodle: the NSA is suspected of embedding spy software in the firmware of major hard-drive brands, like Western Digital, Seagate and Toshiba.

Between that and phone call spying alone, there's not much digital privacy left!

That Kaspersky report didn't surprise me after having seen this a few months ago:

http://bofh.nikhef.nl/events/OHM/video/d2-t1-13-20130801-2300-hard_disks_more_than_just_block_devices-sprite_tm.m4v

http://spritesmods.com/?art=hddhack&page=1

I thought if one guy can reverse engineer hard drive firmware and insert a backdoor, imagine what the NSA are capable of.. After seeing that, I've been wanting to get back into embedded systems and reverse engineering a bit.. I might have to look at a JTAG debugger.

Share this post


Link to post
Share on other sites

^^^ Or they knew damn well and used it as a reminder for us all to be afraid *eyeroll*

What a fucking joke. Two people (sorry three to count the attacker) died in that siege, didn't one of them have a heart attack? Either way, two people. Yet eight were killed in Cairns by a mother with a mental illness... a sector which the government continually pulls funding on. There is no need to play conspiracy theorist on this; it's simple facts that a happy society doesn't make enough money for the ones who run this world.

Yeah, 12 people being held hostage by a gunman is just another day in the US. Yet CNN covered it from start to finish, barely even reporting any other news stories. Even as a gun nut was holding 4 people hostage in there own country, funny that.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×