Tag Archives: GCHQ

Gemalto Attack – We Don’t Really Know

I wrote a couple of days ago that The Intercept reported that the SIM and banking card maker Gemalto was hacked by GCHQ and NSA.

Well, now, after just a couple of days, Gemalto says not to worry, everything is cool. We looked at our logs and while GCHQ might have gotten into our corporate network, we don’t see anything in the logs that shows they got into the part of the network where SIM card keys are stored, and anyway, that would not affect 3G and 4G networks. Note that they did not say that GCHQ did not get in – just that they don’t see anything in the logs to that effect.

In addition, they said their security is so good that even GCHQ with NSA’s help could not get in. Really? The only network for which that is true is one that is not connected to anything. Ever. And I am not sure even about that. Think about the Stuxnet attack on Iran. That network was not connected to the outside world and we managed to hack it with a couple of thumb drives.

As the cryptographer and privacy advocate Bruce Schneier said (see article):

“It makes no sense that in a couple of days they are anything resembling confident that the NSA didn’t break their security. An NSA attack would be undetectable,” Schneier says. Plus, it takes weeks to fully investigate attacks, not days, says Schneier, who is CTO of Co3 Systems.

After all, if you take a group of master hackers like those in NSA’s TAO (Tailored Access Operations) group, surely you could just look at the logs and see “Kilroy was here”. NOT!

I appreciate that they need to do damage control to salvage the mess that the NSA placed them in, and maybe they actually believe what they are saying, but to think that in a few days they can definitively say that GCHQ or the NSA was not in there is pure bull.

I suspect we will see more.


GCHQ Pilfers Encryption Keys To Cell Phones

We have known for a long time that the encryption on cell phone calls and text messages was relatively weak, but apparently, cracking that was more work than GCHQ, the British version of the NSA, wanted to do.

People have been beating up the NSA for being, well, the NSA. I have said, whether we agree with them or not, that they are just doing what they have been told to do. Maybe they are a little smarter than some other spy agencies, but they are not doing anything that the other spy agencies are not doing or do not want to do.

So now it is GCHQ’s turn in the spotlight. Dark Reading is reporting (see article and article) that GCHQ, with NSA’s help, broke into the world’s largest SIM card manufacturer, Gemalto. Gemalto’s SIM cards are used by AT&T, Verizon, Sprint and T-Mobile, and its chips are also used in bank cards, passports and other identity cards around the world. Just to make sure they weren’t missing anything, they also had a project to break into the cell phone companies and grab their encryption keys as well. The source of this information is … you guessed it … Edward Snowden.

Breaking into the cell phone companies’ core networks also allowed them to suppress billing charges that might have raised suspicions and to gain access to customer data.

Gemalto makes two billion SIM cards a year, all now effectively “owned” by GCHQ and the NSA – along with whoever else they shared the keys with.

The stolen keys give GCHQ and NSA the ability to read any text message or listen to any phone call without having to crack the crypto involved.

Using very standard phishing attacks, GCHQ planted malware on Gemalto’s network that gave them complete remote access to the network.

Possession of these keys allows the spies to send fake text messages, sign malicious Java apps and set up fake cell towers, along with listening to all phone calls.

One question to ask, of course, is whether GCHQ and NSA are the only organizations who could and did do this – did any hackers do the same thing? The only real answer is who knows, but from what is being reported, this hack did not require James Bond; it is a relatively run-of-the-mill hack of a large organization with typical (i.e. poor) security. In Gemalto’s defense, protecting any large organization from a well designed spear phishing attack is hard.

Having the encryption keys also relieves the spy agencies of the necessity of asking the FISA court – the secret court that the spies go to for permission to, well, spy – for a warrant. With warrant in hand they would go to the cell phone company and ask for the data. Now they don’t have to bother with that. Convenient.

An interesting thought. If these chips are used in passports and a hacker had done the same thing that Snowden reports GCHQ did, they could create fake passports for terrorists. They also could create fake chip and PIN credit cards or hack real ones.

This is one reason why an enterprise risk assessment is so important.  An assessment would identify the company’s crown jewels (in this case, the encryption keys) and try to make that data more resistant to attack.

Now that this is known, it is unclear what the cell phone and identity card companies will do.

What this does point to is that the only encryption that has any remote chance of being secure is end to end encryption, where you manage the keys and no provider has access to them. Encryption provided by phone companies, Dropbox, Facebook, Google and Microsoft is likely completely compromised. This type of encryption is also the most inconvenient way for users to manage encryption – they would prefer to snap their fingers and have it be secure. While the work of GCHQ and the NSA has privacy concerns, if they could do this, so could the Chinese, Russians and probably at least a large handful of hackers. Among others. THAT is a big concern.
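To make the distinction concrete, here is an added example in Go; it is not code from the original post, from Gemalto or from any carrier. It models a hypothetical provider that holds keys on behalf of some subscribers (the way a SIM maker or carrier holds the key stored on a SIM) and merely stores ciphertext for others who encrypted end to end with a key that never left their device. When the provider’s key store is stolen, as the post describes, every provider-keyed message becomes readable with no cryptanalysis at all, while the end-to-end messages stay opaque. The provider, the subscriber names and the message text are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newKey returns a random 256-bit AES key.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails on a wrong key or a tampered ciphertext.
func open(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// Provider is a hypothetical service. For provider-managed subscribers it
// generates and keeps the key; for end-to-end subscribers it never sees a key.
type Provider struct {
	keys  map[string][]byte   // provider-held keys: the crown jewels
	store map[string][][]byte // stored ciphertexts per subscriber
}

func NewProvider() *Provider {
	return &Provider{keys: map[string][]byte{}, store: map[string][][]byte{}}
}

// SendManaged encrypts on the subscriber's behalf with a provider-held key.
func (p *Provider) SendManaged(user string, msg []byte) error {
	if _, ok := p.keys[user]; !ok {
		k, err := newKey()
		if err != nil {
			return err
		}
		p.keys[user] = k
	}
	ct, err := seal(p.keys[user], msg)
	if err != nil {
		return err
	}
	p.store[user] = append(p.store[user], ct)
	return nil
}

// StoreE2E accepts ciphertext the subscriber produced with their own key.
func (p *Provider) StoreE2E(user string, ct []byte) {
	p.store[user] = append(p.store[user], ct)
}

// Breach simulates theft of the whole provider key store and returns every
// stored message that the stolen keys decrypt. No crypto is "cracked" here.
func (p *Provider) Breach() map[string][]string {
	readable := map[string][]string{}
	for user, cts := range p.store {
		key, ok := p.keys[user] // end-to-end subscribers have no entry
		if !ok {
			continue
		}
		for _, ct := range cts {
			if pt, err := open(key, ct); err == nil {
				readable[user] = append(readable[user], string(pt))
			}
		}
	}
	return readable
}

// Demo runs both models through one breach (messages are constructed).
func Demo() (managedLeaked, e2eLeaked []string, err error) {
	p := NewProvider()
	if err = p.SendManaged("alice", []byte("managed: meet at 9")); err != nil {
		return
	}
	bobKey, err := newKey() // lives only on Bob's device
	if err != nil {
		return
	}
	ct, err := seal(bobKey, []byte("e2e: meet at 9"))
	if err != nil {
		return
	}
	p.StoreE2E("bob", ct)
	leaked := p.Breach()
	return leaked["alice"], leaked["bob"], nil
}

func main() {
	m, e, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("readable after key theft, provider-managed: %q\n", m)
	fmt.Printf("readable after key theft, end-to-end: %q\n", e)
}
```

The point the post makes falls out of `Breach`: it never touches the cipher, it just uses the keys it stole, which is exactly why the crown jewels in a risk assessment are the keys and not the algorithm. The same stolen key store also lets the thief forge messages, since AES-GCM is symmetric; in the end-to-end case the provider has nothing to lose on the user's behalf.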