Gemalto may need to recall SIMs: Snowden

NSA whistleblower says compromised encryption not fixable

Snowden: [The NSA-GCHQ operation] compromised the security of potentially billions of phones.

By Stephen McBride. Published February 24, 2015

NSA whistleblower Edward Snowden has characterised the alleged NSA-GCHQ campaign to compromise Gemalto SIM cards as "more significant" than a related state-sponsored campaign to embed spyware in the firmware of hard-disk drives, and suggested that an entire recall of Gemalto SIMs may be necessary to purge spy agencies' monitoring tools from mobile handsets.

Responding to a question about the hard drive campaign during an AMA session on Reddit, Snowden said "firmware exploitation is nasty", but expressed deeper concern over the operation to steal encryption keys for Gemalto SIM cards, which would allow open monitoring of all data sent over mobile networks from those SIMs.

Earlier this month, Moscow-based cyber-security company Kaspersky Lab said it had found monitoring malware in the hard drive firmware of PCs in 30 countries; target organisations included government departments, military branches, telecoms companies, banks, energy companies, nuclear researchers, media groups, and Islamic activists.

Though Kaspersky did not name the country responsible for the operation, only referring to the architects as "the Equation group", it said the malware was closely linked to Stuxnet, the worm blamed for the disabling of Iran's uranium centrifuges in 2010. Stuxnet was widely reported to be the handiwork of Israeli and US architects, and the NSA has previously been accused of being the ringleader in the campaign.

Snowden noted that Kaspersky had "stopped short of naming [the perpetrator] specifically as NSA, although authorship is clear".
