According to top-secret documents given to The Intercept by Edward Snowden, British and American spies stole encryption keys from the largest SIM card manufacturer in the world. This could make it a lot easier for the NSA to conduct widespread surveillance of wireless communications without ever asking permission or even letting on that it's doing so.

With these stolen keys, the NSA and GCHQ (the British equivalent) have the ability to conduct surveillance on our phones without getting warrants or asking permission from telecom companies or foreign governments. The SIM card manufacturer, Gemalto, sells to Verizon, AT&T, Sprint, T-Mobile, and over 450 wireless carriers worldwide, so the theft gives spies a tool to unlock an untold number of communications by effectively neutering telecom companies' security.

Advertisement

It's a hell of a heist, documented by The Intercept's team in highly disturbing detail:

Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment. "Once you have the keys, decrypting traffic is trivial," says Christopher Soghoian, the principal technologist for the American Civil Liberties Union. "The news of this key theft will send a shock wave through the security community."

The NSA conducts surveillance in two ways, as The Intercept explains. Passive surveillance methods collect data "sent over fiber optic cables, radio waves or wireless devices." This is done by strategically putting antennas capable of hoovering data up. Telecom companies use encryption in their more recent networks (3G, 4G, and LTE) to prevent this kind of surveillance. This means the NSA would have to decrypt the data before they could actually hear a phone conversation or read texts. Access to these keys gives them the means to decrypt some of that data; it actively works around the privacy protections telecom companies have in place for people who use them.

Advertisement

Active surveillance is riskier, because it requires spies to jam 3G and 4G networks to force phones onto older 2G networks, which are less secure. That takes away the need to decrypt, but it also makes it obvious that something fishy is going down. With the stolen encryption keys, the NSA doesn't have to go through the trouble of actively jamming phones it wants to spy on.

This is bad news for pretty much anyone with a phone, since it's highly likely that your phone contains a Gemalto-manufactured SIM card, and that means your conversations can be easily monitored. It's also bad news for governments other than the U.S. and U.K., since these encryption keys give them an easy way to spy in foreign countries without asking permission (that they'd never get). And it's really bad news for Gemalto, since the NSA and GCHQ cyberstalked and hacked its employees to obtain the keys.

If you use secure communications apps like TextSecure, SilentText, and Signal, they will still throw a wrench in surveillance, since the added layers of security can't be circumvented with just the stolen encryption keys. Using Google and Yahoo email also offers more protection than regular phone calls and SMS, since the big email providers use additional security.

Obama has been talking the talk about curbing abuses of power when it comes to surveillance, but reports like these highlight how broad and unfettered the NSA's spying missions are, and how thoroughly they shit on any notion of a reasonable expectation of privacy. This needs to end. [The Intercept]