The Great SIM Heist

By Jeremy Scahill and Josh Begley


Jeremy Scahill and Josh Begley have written an article called “The Great SIM Heist.” It outlines the operation by the NSA and the British agency Government Communications Headquarters (GCHQ) to steal SIM card encryption keys. Holding those keys lets them decrypt and listen in on millions of cell-phone calls across the globe.


The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries, with one of its headquarters in Austin, Texas.


Gemalto was totally oblivious to the penetration of its systems and to the spying on its employees until the hack was revealed through documents provided by National Security Agency whistleblower Edward Snowden.

To gauge the importance of this hack: it is like being the superintendent of an apartment complex who holds a master set of keys for every apartment.

“Once you have the keys, decrypting traffic is trivial,” says Christopher Soghoian, the principal technologist for the American Civil Liberties Union.


Most significantly, GCHQ also penetrated “authentication servers,” allowing it to decrypt data and voice communications between a targeted individual’s phone and his or her telecom provider’s network.


Today, second-generation (2G) phone technology, which relies on a deeply flawed encryption system, remains the dominant platform globally, though U.S. and European cell-phone companies now use 3G, 4G and LTE technologies. These include more secure, though not invincible, methods of encryption, and wireless carriers throughout the world are upgrading their networks to use these newer technologies. But you must understand that SIM cards were not invented to protect individual communications — they were designed to ensure proper billing and prevent fraud, which was pervasive in the early days of cell-phones.

GCHQ operatives identified key individuals and their positions within Gemalto and then dug into their emails. In one instance, GCHQ zeroed in on a Gemalto employee in Thailand whom they observed sending PGP-encrypted files, noting that if GCHQ wanted to expand its Gemalto operations.


From December 2009 through March 2010, a month before the Mobile Handset Exploitation Team was formed, GCHQ conducted a number of trials aimed at extracting encryption keys and other personalized data for individual phones. In one two-week period, they accessed the emails of 130 people associated with wireless network providers or SIM card manufacturing and personalization.


This operation produced nearly 8,000 keys matched to specific phones in 10 countries. In another two-week period, by mining just six email addresses, they produced 85,000 keys. At one point in March 2010, GCHQ intercepted nearly 100,000 keys for mobile phone users in Somalia. By June, they’d compiled 300,000.


The GCHQ documents only contain statistics for three months of encryption key theft in 2010. During this period, millions of keys were harvested. The documents stated explicitly that GCHQ had already created a constantly evolving automated process for bulk harvesting of keys. They describe active operations targeting Gemalto’s personalization centers across the globe, as well as other major SIM card manufacturers and the private communications of their employees.

The GCHQ program targeting Gemalto was called DAPINO GAMMA.

In 2011, GCHQ launched operation HIGHLAND FLING to mine the email accounts of Gemalto employees in France and Poland. A top-secret document on the operation stated that one of the aims was “getting into French HQ” of Gemalto “to get in to core data repositories.” France, home to one of Gemalto’s global headquarters, is the nerve center of the company’s worldwide operations.


Since the newer phone networks use 3G and 4G systems, they are harder to crack, especially in bulk, so active surveillance is the other option. An agency can also “jam” a 3G or 4G network, forcing the phone to fall back to a 2G network. Once forced down to the less secure 2G technology, the phone can be tricked into connecting to a fake cell tower operated by an intelligence agency.


Gemalto's chips are not only used in cell phones, but are also used by Visa, Mastercard, American Express, and JP Morgan Chase. They also provide chips for luxury cars and to the Chinese firm Unicom. In 2012, Gemalto won a contract to produce the covers for the new electronic U.S. passports, which contain chips and antennas that can be tracked.

In addition, cell-phones and wireless network providers currently do not support Perfect Forward Secrecy (PFS), a form of encryption designed to limit the damage caused by theft or disclosure of encryption keys. PFS, which is now built into modern web browsers and used by sites like Google and Twitter, works by generating unique encryption keys for each communication or message, which are then discarded.
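The two points above, that “once you have the keys, decrypting traffic is trivial” and that forward secrecy limits the damage of key theft, can be made concrete in a toy model. This is an added illustration, not code from the article, from Gemalto, or from any agency; the key-derivation step, the stream cipher and the Diffie-Hellman group are simplified stand-ins chosen for readability, not the real GSM/UMTS algorithms.

```python
# Added illustration (not code from the article, Gemalto or any agency): a toy
# model of why a stolen long-term SIM key exposes every call, and why forward
# secrecy limits that damage. Simplified stand-ins only: real GSM/UMTS
# algorithms (A3/A8, MILENAGE) and standardized DH groups are not used.
import hashlib
import hmac
import secrets

# --- Part 1: static derivation, the SIM model the article describes ---------
def sim_session_key(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the SIM's A8 step: the per-call key Kc is a deterministic
    function of the long-term Ki and the RAND challenge sent in the clear."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:8]  # Kc is 64 bits in GSM

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (illustration only); one call encrypts and decrypts."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % 32] for i, b in enumerate(data))

def observer_with_stolen_ki(stolen_ki: bytes, observed_rand: bytes, ct: bytes) -> bytes:
    """A passive observer holding the stolen Ki needs only the RAND seen on the
    air interface to rebuild Kc and read the call: the 'master key' problem."""
    return xor_cipher(sim_session_key(stolen_ki, observed_rand), ct)

# --- Part 2: forward secrecy via ephemeral Diffie-Hellman -------------------
P = 2**127 - 1  # toy prime for illustration; deployments use standardized groups
G = 5
_enc = lambda x: x.to_bytes(16, "big")  # group elements fit in 16 bytes

def ephemeral_session(long_term_key: bytes) -> dict:
    """Each side picks a fresh exponent, derives the session key from the DH
    shared secret, then discards the exponent. The long-term key only
    authenticates the transcript (HMAC stands in for a signature), so stealing
    it later does not yield past keys: g^a, g^b alone do not give the secret."""
    a = secrets.randbelow(P - 3) + 2   # phone's ephemeral secret
    b = secrets.randbelow(P - 3) + 2   # network's ephemeral secret
    ga, gb = pow(G, a, P), pow(G, b, P)
    shared = pow(gb, a, P)
    assert shared == pow(ga, b, P)     # both sides agree on the secret
    session_key = hashlib.sha256(_enc(shared)).digest()[:16]
    auth_tag = hmac.new(long_term_key, _enc(ga) + _enc(gb), hashlib.sha256).digest()
    del a, b, shared                   # ephemeral material is never stored
    return {"transcript": (ga, gb, auth_tag), "session_key": session_key}

def stolen_long_term_key_only_verifies(stolen_key: bytes, transcript: tuple) -> bool:
    """With the stolen long-term key an observer can check the tag on a recorded
    handshake, but the public values alone do not give the session key."""
    ga, gb, tag = transcript
    expected = hmac.new(stolen_key, _enc(ga) + _enc(gb), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)
```

In Part 1 the stolen Ki plus an observed RAND reproduces every call key, which is exactly the “master key” risk the article describes; in Part 2 two sessions under the same long-term key yield unrelated session keys, so a later key theft cannot unlock recorded traffic.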


Some of the more effective ways for individuals to protect themselves are to use secure communications software built on Transport Layer Security (TLS), the mechanism underlying the secure HTTPS web protocol. Alternatives for cell phone users would be TextSecure and Silent Text to secure SMS messages. Messages from these apps can still be intercepted, but one would have to break the encryption in order to read them. This is just a quick outline of what was covered in the article. To read the full article, I have provided the link below.


Lance West

