It would be another powerful tool in the arsenal of US and British spy services: encryption keys for a large share of the SIM cards used for mobile phones.
A report by the investigative news website The Intercept, citing leaked documents from former National Security Agency contractor Edward Snowden, said the US and British agencies “hacked into” European manufacturer Gemalto to gain these keys.
If the report is accurate, the keys could allow the NSA and its British counterpart GCHQ to secretly monitor a large portion of global communications over mobile devices without using a warrant or wiretap.
“This is a huge deal,” said Bruce Schneier. “The things that are the most egregious are when the NSA hacks everybody to get a few people. Do we think this is the only company? Odds are low.”
“They’re getting encryption keys of everybody, including you and me. It’s a scorched earth policy.”
The report suggests the intelligence services could have access to a wider range of communications than has been previously reported. Other documents have indicated that the NSA can monitor email and traditional phone communications.
David Perry, threat strategist at the security firm F-Secure, called the revelations “the biggest story on mobile privacy we’ve seen so far.”
The report is troubling, Perry said, because of the methods described.
“Intelligence services are hacking all the time,” he said. “What concerns me is that they would go into a factory and spoil the security at the point of origination.”
The NSA did not immediately respond to requests for comment.
Gemalto said in a statement that it takes the matter “very seriously and will devote all resources necessary to fully investigate” the allegations.
Yet the report leaves many questions unanswered, and some experts were cautious about jumping to conclusions about the documents.
“One of the reasons I’m skeptical is that different governments have been using other methods to grab communications and wireless data which are unsecured to begin with,” said Darren Hayes, director of cybersecurity at Pace University’s School of Computer Science and Information Systems.
“I’m not sure that the US or UK governments would use hackers in the same way that the Chinese or Russians are doing.”
Schneier said more information is needed to know exactly what the encryption keys would provide, but said it is likely that they would allow access to phone communications rather than data transfer, so SMS or voice messages might be accessed but not Skype or other Internet-based services.
“I think the company should do what Sony did (after being hacked) — hire a forensics team,” Schneier said.
“We need details on how this was done and what can be done to remedy it.”
Source: Agence France-Presse