British and American spy agencies allegedly hacked into a Dutch company that makes SIM cards to obtain encryption keys used to shield the cellphone communications of millions of customers around the world, according to a report in the Intercept.
Citing documents obtained by former intelligence contractor Edward Snowden, the online publication reported Thursday that Britain’s GCHQ and the National Security Agency targeted Gemalto, the world’s largest manufacturer of SIM cards.
The multinational firm’s clients include AT&T, T-Mobile, Verizon and Sprint, as well as hundreds of wireless network providers around the world. It produces 2 billion SIM cards a year, the Intercept reported.
The cards, which are chips barely larger than a thumbnail, are inserted into cellphones. Each card stores contacts, text messages, the user’s phone number and an encryption key to keep the data private.
Gemalto produces the SIM cards for cellphone companies, burns an encryption key onto each and sends a copy of the key to the provider so its network can recognize an individual’s phone.
According to the Intercept, GCHQ targeted Gemalto employees, scouring their e-mails to find individuals who might have access to the company’s core networks and systems that generate the encryption keys. The goal, the publication said, was to steal large quantities of keys as they were being transmitted between Gemalto and its wireless network providers.
The NSA did not immediately respond to a request for comment.
Stealing the encryption keys makes it possible to eavesdrop on otherwise-encrypted communications without undertaking the more difficult challenge of cracking the encryption. It also avoids alerting the wireless company or the person using the phone.
The NSA’s interception of phone calls and other content is bound by different legal standards. A warrant is required to target an American’s calls and e-mails. In general, targeting a foreigner’s communications for collection overseas does not require a warrant.
The publication cited one 2010 GCHQ document that said that agency personnel developed “an automated technique with the aim of increasing the volume of keys that can be harvested.”
The document acknowledged that in searching for keys, operatives would harvest “a large number of unrelated items” from targeted employees’ private communications. However, it said, “an analyst with good knowledge of the operators involved can perform this trawl regularly and spot the transfer of large batches” of keys.
The GCHQ documents also described operations targeting other major makers of SIM cards, the Intercept said.