Friday, February 27, 2015

How the NSA Stole the Keys to Your Phone

By Julian Sanchez
 
A blockbuster story at The Intercept Thursday revealed that a joint team of hackers from the National Security Agency and its British counterpart, the Government Communications Headquarters (GCHQ), broke into the systems of one of the world’s largest manufacturers of cell phone SIM cards in order to steal the encryption keys that secure wireless communications for hundreds of mobile carriers—including companies like AT&T, T-Mobile, Verizon, and Sprint.  To effect the heist, the agencies targeted employees of the Dutch company Gemalto, scouring e-mails and Facebook messages for information that would enable them to compromise the SIM manufacturer’s networks in order to make surreptitious copies of the keys before they were transmitted to the carriers. Many aspects of this ought to be extremely disturbing.

First, this is a concrete reminder that, as former NSA director Michael Hayden recently acknowledged, intelligence agencies don’t spy on “bad people”; they spy on “interesting people.”  In this case, they spied extensively on law-abiding technicians employed by a law-abiding foreign corporation, then hacked that corporation in apparent  violation of Dutch law. We know this was hardly a unique case—one NSA hacker boasted in Snowden documents diclosed nearly a year ago about “hunting sysadmins”—but it seems particularly poetic coming on the heels of the recent Sony hack, properly condemned by the U.S. government.  Dutch legislators quoted in the story are outraged, as well they should be.  Peaceful private citizens and companies in allied nations, engaged in no wrongdoing, should not have to worry that the United States is trying to break into their computers.

Second, indiscriminate theft of mobile encryption keys bypasses one of the few checks on government surveillance by enabling wiretaps without the assistance of mobile carriers. On the typical model for wiretaps, a government presents the carrier with some form of legal process specifying which accounts or lines are targeted for surveillance, and the company then provides those communications to the government.  As the European telecom Vodaphone disclosed last summer, however, some governments insist on being granted “direct access” to the stream of communications so that they can conduct their wiretaps without going through the carrier.  The latter architecture, of course, is far more susceptible to abuse, because it removes the only truly independent, nongovernmental layer of review from the collection process. A spy agency that wished to abuse its power under the former model—by conducting wiretaps without legal authority or inventing pretexts to target political opponents—would at least have to worry that lawyers or technicians at the telecommunications provider might detect something amiss. But any entity armed with mobile encryption keys effectively enjoys direct access: they can vacuum up cellular signals out of the air and listen to any or all of the calls they intercept, subject only to internal checks or safeguards.



No comments: