Security agencies ‘stole codes’ to spy on mobile phones

GCHQ and NSA accessed SIM cards from Dutch firm, Snowden documents suggest

Britain's electronic spying agency and the US National Security Agency stole codes from a Dutch company allowing them to eavesdrop on mobile phones, documents suggest.

GCHQ and the NSA hacked into the networks of Netherlands-based Gemalto to steal the codes, according to the documents given to journalists by NSA whistleblower Edward Snowden.

A story posted on the website The Intercept offered no details on how the intelligence agencies employed the eavesdropping capability - providing no evidence, for example, that they misused it to spy on people who were not valid intelligence targets.

But the surreptitious operation against the world’s largest manufacturer of mobile phone data chips is bound to stoke anger around the world.


It fuels an impression that the NSA and its British counterpart will do whatever they deem necessary to further their surveillance prowess, even if it means stealing information from law-abiding Western companies.

The targeted company, Gemalto, makes “subscriber identity modules,” or SIM cards, used in mobile phones and credit cards.

One of the company's three global headquarters is in Austin, Texas. Its clients include AT&T, T-Mobile, Verizon and Sprint, The Intercept reported.

The report offered no evidence of any eavesdropping against American customers of those providers, and company officials told the website they had no idea their networks had been penetrated.

Experts called it a major compromise of mobile phone security.

The NSA did not respond to a request for comment.

In the past, former agency officials have defended using extra-legal techniques to further surveillance capabilities, saying the US needs to be able to eavesdrop on terrorists and US adversaries who communicate on the same networks as everyone else.

The NSA, like the CIA, breaks the espionage and hacking laws of other countries to get information that helps American interests.

Still, the methods in this case may prove controversial, as did earlier Snowden revelations that the NSA was hacking transmissions among Google’s data centres.

The Intercept reported that British government hackers targeted Gemalto engineers around the world much as the US often accuses Chinese government hackers of targeting Western companies — stealing credentials that got the hackers into the company’s networks.

Once inside, the British spies stole encryption keys that allow them to decode the data that passes between mobile phones and cell towers. That allows them to ungarble calls, texts or emails intercepted out of the air.

At one point in June 2010, GCHQ intercepted nearly 300,000 keys for mobile phone users in Somalia, The Intercept reported.

“Somali providers are not on GCHQ’s list of interest,” the document noted, according to The Intercept. “(H)owever, this was usefully shared with NSA.”

Earlier in 2010, GCHQ successfully intercepted keys used by wireless network providers in Iran, Afghanistan, Yemen, India, Serbia, Iceland and Tajikistan, according to the documents provided to The Intercept. But the agency noted trouble breaking into Pakistan networks.