Are Ting GSM SIM cards affected by NSA/GCHQ breach of SIM manufacturer Gemalto?

Today, in an article titled, "The Great SIM Heist; How Spies Stole the Keys to the Encryption Castle," Jeremy Scahill and Josh Begley of The Intercept reported that documents leaked by whistleblower Edward Snowden reveal that American and British spies infiltrated Gemalto, the manufacturer of a large portion of the world's SIM cards, and exfiltrated the master keys used to secure GSM mobile phone communications:

American and British spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden.

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world's cellular communications, including both voice and data.

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is "Security to be Free."

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider's network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

Are Ting's GSM SIM X1 cards affected by this breach?

Comments

  • Gemalto is the primary SIM supplier for both our CDMA and GSM network partners (and, for that matter, a major SIM supplier for every major carrier in North America). Our GSM SIM order was recent, so we're working to find out if Gemalto knew of the breach at that point and had switched keys prior to that batch being generated.  As we're likely but one of hundreds or thousands of their customers asking these same questions, we don't yet know how soon we'll have an answer.

    In any event, the NSA is probably able to listen to your conversations even without the benefit of these keys. There are so many other attack vectors on mobile networks, that this really is the only safe assumption if you are deeply worried about the security of your mobile conversations. It may sound glib, but if you assume they can and govern yourself accordingly then this new revelation will have no additional impact.

  • Just adding a tiny bit to what Ross said:

    We support the Electronic Frontier Foundation and we suggest you do too. We feel it's the best place to add your voice to the others that think that spying on people should be the exception and never the rule.

  • Ross:  I want Ting, as my mobile network carrier, to be deeply worried about the security of my mobile conversations.

    You may be but one of many customers asking questions of Gemalto today.  You, however, are uniquely situated among mobile carriers to take a public stance on this security breach.  The big ones can't move as fast as you can, and presumably you are not on the take as they undoubtedly are, so you don't risk the repercussions that they do by speaking out against the U.S. and British governments' violations.  You're trying to court a techie crowd, right?  We understand this situation, and we don't like it.  Please, take a stand for us: publicly, loudly, and swiftly.

    The other attack vectors to which you alluded do not involve an adversary gaining access to your hardware supplier in order to discover and exploit the keys needed for the adversary to invade your subscribers' seemingly-encrypted private communications in a completely untraceable manner.

    Regarding "govern yourself accordingly": You're veering very close to the old "if you don't have anything to hide, then you shouldn't worry about your government snooping on your communications" argument.  You are, in effect, suggesting that people refrain from indicating any form of dissent in their personal communications.  This isn't about catching criminals; it's about controlling populations.

  • Andrew: Yes, EFF are wonderful.  I work at a desk with an EFF hat on the shelf above me and an EFF poster on the wall next to me.  I'm glad--and not surprised--that they have support within Ting.

  • I support EFF and consider this breach to be unconscionable. This hack has the effect of limiting free speech. I'm of absolutely no risk to anyone and I'm now cautious about what I say on electronic media when communicating one on one. What happened to our constitution?

  • Gemalto shared this release yesterday. The incursion is worrisome if for no other reason than it happened. That said, this specific thing is not as worrisome for everyday cell phone users as it first appeared. http://www.gemalto.com/press/Pages/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx

    Ting and Tucows as a whole are very concerned about personal privacy. The statement about "govern yourself accordingly" certainly wasn't intended as an "if you have nothing to hide you have nothing to fear" thing. It was short-hand for saying that we should all be concerned that our personal privacy isn't being treated as a priority by government agencies and we have to bear that in mind every day. We will continue to support the EFF in word and deed so they can lead the fight for personal privacy. 

  • Andrew:  How much faith do you put in the six-day assessment by people who did not notice their network pwned for five years of a state-sponsored attack on that network?

    NSA and GCHQ are known to be pretty good at their crimes.  Do you suppose maybe their tracks are covered sufficiently to avoid detection not only for the past five years but also for the past six days?  Belgacom took months to recover after GCHQ's attack on them.  These people at Gemalto must be working miracles.

    Are Ting going to make any public statement about the British and American government attacking the security of worldwide mobile phone communications?

  • Jeremy Scahill followed up yesterday.

    This morning, the company tried to downplay the significance of NSA and GCHQ efforts against its mobile phone encryption keys -- and, in the process, made erroneous statements about cellphone technology and sweeping claims about its own security that experts describe as highly questionable.

    Security experts and cryptography specialists immediately challenged Gemalto's claim to have done a "thorough" investigation into the state-sponsored attack in just six days, saying the company was greatly underestimating the abilities of the NSA and GCHQ to penetrate its systems without leaving detectable traces.

    "Gemalto learned about this five-year-old hack by GCHQ when The Intercept called them up for a comment last week. That doesn't sound like they're on top of things, and it certainly suggests they don't have the in-house capability to detect and thwart sophisticated state-sponsored attacks," says Christopher Soghoian, the chief technologist at the American Civil Liberties Union. He adds that Gemalto remains "a high-profile target for intelligence agencies."

    Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute, said, "This is an investigation that seems mainly designed to produce positive statements. It is not an investigation at all."

    But security and encryption experts told The Intercept that Gemalto's statements about its investigation contained a significant error about cellphone technology. The company also made sweeping, overly-optimistic statements about the security and stability of Gemalto's networks, and dramatically underplayed the significance of the NSA-GCHQ targeting of the company and its employees. "Their 'investigation' seems to have consisted of asking their security team which attacks they detected over the past few years. That isn't much of an investigation, and it certainly won't reveal successful nation-state attacks," says the ACLU's Soghoian.

    Security expert Ronald Prins, co-founder of the Dutch firm Fox IT, told The Intercept, "A true forensic investigation in such a complex environment is not possible in this time frame."

    "A damage assessment is more what this looks like," he added.

    In a written presentation of its findings, Gemalto claims that "in the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable." Gemalto also referred to its own "custom algorithms" and other, unspecified additional security mechanisms on top of the 3G and 4G standards.

    Green, the Johns Hopkins cryptography specialist, said Gemalto's claims are flatly incorrect.

    "No encryption mechanism stands up to key theft," Green says, "which means Gemalto is either convinced that the additional keys could not also have been stolen or they're saying that their mechanisms have some proprietary 'secret sauce' and that GCHQ, backed by the resources of NSA, could not have reverse engineered them. That's a deeply worrying statement."

    "I think you could make that statement against some gang of Internet hackers," Green adds. "But you don't get to make it against nation state adversaries. It simply doesn't have a place in the conversation. They are saying that NSA/GCHQ could not have breached those technologies due to 'additional encryption' mechanisms that they don't specify, and yet here we have evidence that GCHQ and NSA were actively compromising encryption keys."

    While Gemalto is clearly trying to calm its investors and customers, security experts say the company's statements appear intended to reassure the public about the company's security rather than to demonstrate that it is taking the breach seriously.

    The documents published by The Intercept relate to hacks done in 2010 and 2011. The idea that spy agencies are no longer targeting the company -- and its competitors -- with more sophisticated intrusions, according to Soghoian, is ridiculous. "Gemalto is as much of an interesting target in 2015 as they were in 2010. Gemalto's security team may want to keep looking, not just for GCHQ and NSA, but also, for the Chinese, Russians and Israelis too," he said.

  • Phillip, Andrew: I'm not sure what all the fuss is about. Personally, I've treated cell networks the same as the general Internet—communications are not private|secure at that layer; you need to handle that higher up (with TLS or OTR or…). Even if Ting did take steps to make their network 100% secure, and you were to trust them to do so, as soon as a communication passed through another network, it would no longer be private. You would only have the assurance of privacy when calling or texting another Ting customer.

    Instead…treat all cell networks like the general Internet and govern yourself accordingly, as Ross suggested. Use TLS for most things. Use e.g. TextSecure by Whisper Systems instead of plain SMS. If you want privacy, you should have been doing this already: you don't have to trust Ting and every other provider between you and the people you communicate with.

  • All that said, I agree that it would be awesome for Ting to publicly condemn the relevant governments for their breaches of privacy, and take those steps to gain that little bit of security back. And good on them for supporting the EFF!

