Snowden: NSA stole SIM-card encryption keys from the manufacturer

New documents transferred to The Intercept by Edward Snowden suggest that as a result of a joint operation of the American and British intelligence services, encryption keys used in the manufacture of SIM cards were stolen from the Dutch manufacturer Gemalto . Every year, Gemalto released about 2 billion SIM-cards, which were distributed among mobile operators around the world. One of its headquarters is in Austin (Texas), and among its customers are AT & T, T-Mobile, Verizon, Sprint and another 450 GSM-operators. The motto of Gemalto is the slogan " Security to be Free ".

Although Paul Beverly, Gemalto's vice president, claims that he has no idea how such a leak could have happened, journalists suggest the reason could be penetration into an enterprise’s computer network and installing spyware. This is evidenced by one of the slides of the secret presentation of the GCHQ (Government Communications Headquarters, Center for Government Communications in the UK), which claims that the Gemalto computer network is at the disposal of the security services.

Having received SIM-card encryption keys, the NSA managed to kill several birds with one bullet: monitor mobile communications around the world without the permission of state authorities, get access to operator billing servers, be able not to leave any traces during surveillance, as well as decrypt intercepted data. It is probably responsible for this by a special unit of the NSA and GCHQ employees called Mobile Handset Exploitation Team (MHET), which was formed in April 2010 and the existence of which was not previously known to journalists.

As noted by Snowden, the intelligence services used social engineering techniques to gain access to the Gemalto computer network. In 2011, GCHQ launched Operation HIGHLAND FLING, the purpose of which was to retrieve the company's internal email addresses in France and Poland. The document, which is probably the report of one of the employees of the special service, describes the work with the employees of Gemalto. For example, in the development of GCHQ agents in Prague, there was a technical consultant of the company, whose online correspondence was monitored. The investigators found out that Gemalto employees use USB keys with SSL encryption to exchange mail and access secure online storage, so the consultant’s letters could not be read.