SIM card hack gave US and UK secret services access to billions of phones

The NSA and GCHQ, respectively the American and British secret services, have hacked SIM card developer Gemalto, according to the website The Intercept. The site obtained the information from documents released by NSA whistleblower Edward Snowden.

The secret services were interested in the encryption keys of SIM cards developed and sold by the multinational Gemalto. The company produces about 2 billion SIM cards yearly and has offices in 75 countries. Besides more than 450 telecom operators, the company also has many financial organisations and governments as customers.

In total, the NSA and GCHQ reportedly acquired more than 7 million encryption keys. The keys make it possible to eavesdrop on phone conversations on smartphones that use a Gemalto SIM card. By obtaining the encryption keys, the secret services could spy on users without requiring the permission of telecom providers or governments. The keys can also be used to decrypt previously intercepted phone calls.

Gemalto was not aware of the hack, which was documented by GCHQ sometime in 2010. The company was also unable to find traces of a hack after The Intercept informed it. According to The Intercept, GCHQ and the NSA obtained the encryption keys by installing malware on the computers of Gemalto employees.

In one document, a GCHQ agent states that they "believe we have their entire network". The agent also reported being "very happy with the data so far and [was] working through the vast quantity of product."

In a statement Gemalto writes it will thoroughly investigate the hack. About the report from The Intercept, Gemalto states, "the publication indicates the target was not Gemalto per se - it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible, with the aim to monitor mobile communications without mobile network operators and users consent."

The company also says it has registered many hacking attempts, but hasn't found any proof of hacking activities by the NSA. GCHQ says its activities comply with European laws, but the agency declined to comment on this specific situation. The NSA also declined to comment on the Gemalto hack.
