Online publication The Intercept has revealed that US and British spy agencies hacked the systems of Dutch SIM card company Gemalto in 2010/11 and stole encryption keys, gaining access to the personal information contained on any phone connected via a Gemalto-made SIM card. Gemalto manufactures SIM cards for 450 telecommunication companies worldwide including Telstra, Optus and Vodafone.
A stolen encryption key can be used to gain access to information, such as the text message and phone call history, on any phone associated with a specific SIM card. Most importantly for the spy agencies, it allows them to listen in on any phone calls made from the affected phone.
Yesterday, Mike Thompson from Linus Information Security Solutions told Fairfax that the alleged hacking of the Gemalto SIM card encryption keys would allow the security agencies to bypass wiretapping restrictions. Mr Thompson also suggested that the alleged actions were likely to be targeted at specific individuals, rather than a widespread data breach.
Mr Thompson said that the replacement of every compromised SIM card would place a massive financial burden on telecommunication companies and that they would be “extremely reluctant” to do so.
SIM card company Gemalto said yesterday that its initial investigation indicates that its SIM cards and other products are ‘secure’.
While I and many other Australians might have assumed that our smartphones are built with the latest security protocols in place, the reality of the matter is that they are still using obsolete security technology.
The security built into the basic layer of each smartphone comes from the encryption key stored in each SIM card. As reported above, if someone gains access to that key, sensitive information can be unlocked and read without the knowledge of the phone owner. Future smartphones are expected to be fitted with better security, such as that used by modern web browsers, which rely on Perfect Forward Secrecy (PFS): a technique that generates a unique encryption key for each individual message or session and discards that key soon afterwards, so a key stolen later cannot unlock earlier traffic.
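To make the difference concrete, here is an added example (not from the original article or from Gemalto) contrasting the two designs in toy Python: a scheme whose per-call key is derived only from the long-term SIM key, so a later theft of that key unlocks every recorded call, against a scheme with an ephemeral Diffie-Hellman exchange per call, where the long-term key only authenticates the parties. The prime, generator, stream cipher and key derivation are simplified stand-ins chosen for the demo, not real SIM or browser algorithms.

```python
import hashlib
import hmac
import os
import secrets

# Toy DH parameters (assumption for the demo only; far too weak for real use).
P = (1 << 127) - 1
G = 5

def kdf(*parts: bytes) -> bytes:
    """Derive a 32-byte key from the given byte strings (toy KDF)."""
    return hashlib.sha256(b"|".join(parts)).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 counter keystream XORed with the data."""
    out = bytearray()
    for i, b in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)

# Scheme 1: session key depends only on the long-term key K and a public challenge.
def static_session(K: bytes, msg: bytes):
    rand = os.urandom(16)                       # challenge, sent in the clear
    kc = kdf(K, rand)                           # anyone with K can recompute this
    return rand, xor_stream(kc, msg)            # what an eavesdropper records

def attacker_static(K_stolen: bytes, transcript):
    rand, ct = transcript
    return xor_stream(kdf(K_stolen, rand), ct)  # stolen K + recording = plaintext

# Scheme 2: fresh ephemeral DH per call; K only authenticates the exchange (PFS).
def pfs_session(K: bytes, msg: bytes):
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    assert pow(B, a, P) == pow(A, b, P)         # both parties derive the same secret
    ks = kdf(pow(B, a, P).to_bytes(16, "big"))
    tag = hmac.new(K, A.to_bytes(16, "big") + B.to_bytes(16, "big"), "sha256").digest()
    del a, b                                    # ephemeral exponents discarded after use
    return A, B, tag, xor_stream(ks, msg)

def attacker_pfs(K_stolen: bytes, transcript):
    """With K and the recording, the attacker can confirm who talked but not read it."""
    A, B, tag, ct = transcript
    expected = hmac.new(K_stolen, A.to_bytes(16, "big") + B.to_bytes(16, "big"), "sha256").digest()
    authentic = hmac.compare_digest(tag, expected)
    # Best effort from public values alone: without a or b, this key guess is wrong.
    guess = xor_stream(kdf(K_stolen, A.to_bytes(16, "big"), B.to_bytes(16, "big")), ct)
    return authentic, guess
```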
The only way to effectively secure your phone is to use secure communications software, rather than relying on your SIM card's security to protect you. The email clients included in both Android and iPhone smartphones have an added layer of security called Transport Layer Security (TLS), which protects your emails from anyone who intercepts your phone's traffic through SIM card hacking. Apps such as Silent Text or TextSecure allow you to send SMS messages securely from your phone, while RedPhone, Silent Phone and Signal allow encrypted voice calls to be made.
What do you think? Should Australian telecommunication companies replace every SIM card manufactured by Gemalto? Are you worried about the potential breach of security on your phone? Or is it simply the people with something to hide who should be worried?