On Thursday last week, The Intercept published its latest exclusive courtesy of NSA whistleblower Edward Snowden.
According to the report, intelligence agencies in the United States and Great Britain joined forces to hack Gemalto, a company which manufactures billions of SIM cards every year, and stole encryption keys used to protect the privacy of communications around the world.
Gemalto’s customers include 450 mobile telecom operators globally, including Verizon, AT&T and Vodafone.
If the hacking claims are true, GCHQ and the NSA would be able to use the stolen encryption keys “to monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments.” In other words, no need for a warrant or a wiretap, and no awkward evidence left on a communications provider’s network that communications were snooped upon.
That is, for anyone who cares about privacy, a nightmare scenario with potentially billions of calls, texts and emails vulnerable to covert spying by intelligence agencies.
According to Snowden’s documents, the alleged hacking operation took place during 2010 and 2011.
But today, Gemalto – which also produces ID chips for passports and other technologies – is trying to reassure the public, its partners and investors.
The corporation has today published a short statement saying it will hold a press conference on Wednesday 25 February about its investigation into the alleged hacking, but that it already believes that “Gemalto SIM products (as well as banking cards, passports and other products and platforms) are secure.”
A question, clearly, remains. If GCHQ’s slide was accurate in boasting “[we] believe we have their entire network”, how on earth can Gemalto say with any confidence what occurred in 2010/2011? After all, any digital fingerprints that the hackers might have left could have been entirely wiped by the hackers if they truly owned Gemalto’s computer system.
We shouldn’t forget, GCHQ is perfectly prepared to hack innocent, law-abiding companies if they believe that it will help them gather intelligence. Just look what happened at leading telecoms firm Belgacom, for instance.