The Intercept published a startling report Thursday that details how British and American intelligence agencies hacked into a company that produces SIM cards used by cell phone carriers all over the world — including all the major players in the U.S. market. The report is based on leaked documents from Edward Snowden, some of which are published along with the article.
It's a lengthy and detailed piece, but here are the important points that you need to know now:
Spy agencies hacked a major company that produces cell phone SIM cards.
Gemalto, the world's largest SIM card manufacturer, is headquartered in the Netherlands. It also has facilities all over the globe, including in Texas and Pennsylvania. In addition to cell phone SIM cards — tiny pieces of hardware that decrypt cell phone communications — Gemalto also makes chips for credit cards and other technology.
Hackers with the National Security Agency and the U.K.'s Government Communications Headquarters broke into Gemalto's computer networks remotely after searching employee emails for useful information.
You probably have Gemalto technology in your pocket right now.
Gemalto's chips are used by Verizon, AT&T, Sprint, and T Mobile. They're used in next generation credit cards; the company's clients include Visa, Mastercard, American Express, and other financial institutions. And Gemalto chips can be found in Audi and BMW cars.
The chips are even embedded in American passports.
Altogether, Gemalto produces a total of about 2 billion SIM cards every year. A top secret slide included in The Intercept's story states that the spy agencies "successfully implanted several machines and believe we have their entire network."
The spy agencies were after data that would allow them to snoop on millions of cell phones — without a warrant.
The goal of the hack was to get encryption keys to SIM cards, which allow cell phones to communicate privately with a wireless network. Thanks to these encryption keys, even if someone were to intercept your call over the air, the conversation would still be garbled.
That's a problem for spies, however, so government agencies decided to steal the encryption keys used in SIM cards around the world.
After hacking into Gemalto's systems, the spy agencies were able to steal encryption keys in bulk as they were being transmitted to cell phone companies. The spy agencies reportedly intercepted millions of encryption keys.
Security expert Matthew Green told The Intercept that this method meant it's "pretty much game over for cellular encryption."
All of this became necessary — at least from the spy agencies' point of view — because more and more people around the world are using 3G, 4G, and LTE networks, which use more advanced encryption than the earlier 2G networks.
Gemalto had no idea this was going on.
Executive vice president Paul Beverly told The Intercept that the NSA had never asked for permission to access encryption keys. More astonishing still, after reporters contacted the company this week, it launched an investigation and couldn't find any evidence of the hack.
The scale of the hack was truly global and gives the American and British spy agencies unprecedented access to cell phone information.
According to The Intercept, the hackers targeted Gemalto facilities in Europe, North America, South America, and Asia. Gemalto chips also ship all over the world and are used by 450 worldwide wireless networks.
The Intercept argues that given the size and influence of Gemalto, the security breaches outlined in the leaked documents are particularly alarming. The piece also notes that cell phones are increasingly becoming a tool for transferring money — e.g. Apple Pay — and that fixing current security gaps may cost billions of dollars.