Did the US and UK hack their way into SIM cards used in mobile phones? That’s the question one SIM card maker is trying to investigate.
Dutch company Gemalto manufactures SIM cards for mobile phones, which it sells to around 450 carriers throughout the world, including AT&T, Verizon, T-Mobile and Sprint. The cards contain personal and normally secure information, including your phone number, billing information, contacts and text messages. These cards are protected by encryption keys to resist hacking.
But a story published Thursday by The Intercept claims that a joint unit of spies from the US’s National Security Agency and the UK’s Government Communications Headquarters, or GCHQ, hacked into the internal network of Gemalto and stole the encryption keys used to secure the company’s SIM cards. If true, that means the agencies would’ve been able to access personal data and tap into mobile phone voice and data communications from users around the world. Citing documents from former NSA contractor-turned-whistleblower Edward Snowden, the publication — founded by Glenn Greenwald, the journalist through whom Snowden’s revelations first were channeled — said the hacking occurred in 2010 and 2011.
The issue of government surveillance has been an undercurrent of concern over the two decades since the Internet began to become a part of everyday life for businesses and private citizens. But those worries exploded into a mainstream matter after Snowden’s first revelations two years ago, and others have taken up the torch. Just last week, for instance, security company Kaspersky raised a red flag over reports that the NSA can infect hard drives with surveillance software to spy on computers.
Reacting to the claims about its SIM cards, Gemalto issued a statement Friday saying that it is looking into the matter.
Neither Gemalto nor the NSA immediately responded to CNET’s request for comment. But a spokesperson for the GCHQ sent the following statement:
It is longstanding policy that we do not comment on intelligence matters. Furthermore, all of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee. All our operational processes rigorously support this position. In addition, the UK’s interception regime is entirely compatible with the European Convention on Human Rights.
Based in the Netherlands, Gemalto reportedly makes two billion SIM cards per year. Clients include AT&T, T-Mobile, Verizon, Sprint and about 450 other global telecom firms, according to the report. It also makes chips for credit cards and works with over 3,000 financial institutions.