Gemalto may need to recall SIMs: Snowden
NSA whistleblower says compromised encryption not fixable
NSA whistleblower Edward Snowden has characterised the alleged NSA-GCHQ campaign to compromise Gemalto SIM cards as "more significant" than a related state-sponsored campaign to embed spyware in the firmware of hard-disk drives, and suggested that an entire recall of Gemalto SIMs may be necessary to purge spy agencies' monitoring tools from mobile handsets.
Responding to a question about the hard drive campaign during an AMA session on Reddit, Snowden said "firmware exploitation is nasty", but expressed deeper concern over the operation to steal encryption keys for Gemalto SIM cards, which would allow open monitoring of all data sent over mobile networks from those SIMs.
Earlier this month, Moscow-based cyber-security company Kaspersky Lab said it had found monitoring malware in the hard drive firmware of PCs in 30 countries; target organisations included government departments, military branches, telecoms companies, banks, energy companies, nuclear researchers, media groups, and Islamic activists.
Though Kaspersky did not name the country responsible for the operation, only referring to the architects as "the Equation group", it said the malware was closely linked to Stuxnet, the worm blamed for the disabling of Iran's uranium centrifuges in 2010. Stuxnet was widely reported to be the handiwork of Israeli and US architects and the NSA has previously been accused of being the ringleader in the campaign.
Snowden noted that Kaspersky had "stopped short of naming [the perpetrator] specifically as NSA, although authorship is clear".
But he reserved his sternest comments for the joint operation between the US National Security Agency and its UK counterpart, GCHQ. The pair were named in a report by The Intercept, earlier this week, which described a campaign to monitor network communications through SIM cards made by Netherlands-based Gemalto. Many of the world's largest mobile carriers use Gemalto's SIMs, including US giants AT&T and Verizon, and the UAE's Etisalat Group.
"Although firmware exploitation is nasty, it's at least theoretically reparable," Snowden posted, during the AMA. "Tools could plausibly be created to detect the bad firmware hashes and re-flash good ones. This isn't the same for SIMs, which are flashed at the factory and never touched again."
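The remediation Snowden describes for the firmware case, detecting images whose hashes do not match a known-good set and re-flashing a clean one, is sketched below as an added example; it is not code from the article, from Kaspersky, or from any drive vendor. It assumes a hypothetical image layout (a fixed 16-byte version header followed by the firmware body) and uses constructed sample images and a constructed allowlist in place of real vendor dumps and published digests.

```python
import hashlib
from typing import Dict

HEADER_LEN = 16  # hypothetical: fixed-size ASCII version header at the start of each image


def make_image(version: str, body: bytes) -> bytes:
    """Build a constructed firmware image: NUL-padded version header, then the body."""
    return version.encode("ascii").ljust(HEADER_LEN, b"\0") + body


def fw_version(image: bytes) -> str:
    """Read the version string out of the hypothetical header."""
    return image[:HEADER_LEN].rstrip(b"\0").decode("ascii", errors="replace")


def fw_digest(image: bytes) -> str:
    """SHA-256 over the whole image, which is what an allowlist would record."""
    return hashlib.sha256(image).hexdigest()


# Constructed samples: a clean image, the same image with four bytes patched in the
# body (header untouched, so it still claims the same version), and a version the
# allowlist has never seen.
GOOD_IMAGE = make_image("VENDOR-FW-1.02", bytes(range(64)))
TAMPERED_IMAGE = GOOD_IMAGE[:40] + b"\xde\xad\xbe\xef" + GOOD_IMAGE[44:]
UNKNOWN_IMAGE = make_image("VENDOR-FW-9.99", b"\x01" * 64)

# Constructed allowlist (version -> digest) and the clean images to re-flash from.
KNOWN_GOOD: Dict[str, str] = {"VENDOR-FW-1.02": fw_digest(GOOD_IMAGE)}
VENDOR_IMAGES: Dict[str, bytes] = {"VENDOR-FW-1.02": GOOD_IMAGE}


def classify(image: bytes, allowlist: Dict[str, str] = KNOWN_GOOD) -> str:
    """Return 'known-good', 'tampered' (version known but digest differs) or 'unknown'."""
    expected = allowlist.get(fw_version(image))
    if expected is None:
        return "unknown"
    return "known-good" if fw_digest(image) == expected else "tampered"


def plan_reflash(
    image: bytes,
    allowlist: Dict[str, str] = KNOWN_GOOD,
    vendor_images: Dict[str, bytes] = VENDOR_IMAGES,
) -> str:
    """Decide what to do with a dumped image: keep it, re-flash a clean copy, or quarantine."""
    status = classify(image, allowlist)
    if status == "known-good":
        return "keep"
    if status == "tampered" and fw_version(image) in vendor_images:
        # A clean image for this version exists, so it can be written back over the bad one.
        return "reflash"
    # Unknown version, or no clean image on hand: needs a human before anything is written.
    return "quarantine"


def reflash(image: bytes, vendor_images: Dict[str, bytes] = VENDOR_IMAGES) -> bytes:
    """Return the clean image that replaces a tampered one, verified against the allowlist."""
    clean = vendor_images[fw_version(image)]
    assert classify(clean) == "known-good"
    return clean


if __name__ == "__main__":
    for name, img in (("good", GOOD_IMAGE), ("tampered", TAMPERED_IMAGE), ("unknown", UNKNOWN_IMAGE)):
        print(f"{name:9s} {fw_version(img):16s} {classify(img):11s} -> {plan_reflash(img)}")
```

The check is only as trustworthy as the read path: if the image is read back through the firmware being inspected, a modified firmware can return the bytes of a clean one, so a real tool reads the flash out of band or attests it from hardware rather than asking the drive to describe itself. That is part of why Snowden calls repair "theoretically" possible for firmware and not at all for SIMs, where no such re-flash path exists after manufacture.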
The NSA-GCHQ operation "compromised the security of potentially billions of phones", Snowden pointed out, adding that problems had been created for both subscribers and Gemalto, because the only way to fix the problem was to "recall and replace every SIM sold by Gemalto".
He further commented: "Our governments - particularly the security branches - should never be weighing the equities in an intelligence gathering operation such that a temporary benefit to surveillance regarding a few key targets is seen as more desirable than protecting the communications of a global system (and this goes double when we are more reliant on communications and technology for our economy productivity than our adversaries)."
Gemalto initially downplayed the significance of the accusations but has since promised a full inquiry, the results of which the company will announce tomorrow.
When one poster signalled scepticism over Gemalto's damage-control statements, Snowden wrote: "I wouldn't believe them either. When we're talking about how to weigh reliability between specific government documents, detailing specific Gemalto employees and systems (and tittering about how badly they've been owned), against a pretty breezy and insubstantial press release from a corporation whose stock lost EUR500m in value in a single day, post-report, I know which side I come down on."
The Reddit AMA was held for filmmaker Laura Poitras, who won an Oscar this week for her documentary "Citizenfour", a movie showing interviews with Snowden in Hong Kong. Joining Poitras and Snowden was US-based lawyer and Guardian journalist, Glenn Greenwald, who wrote many of the earliest reports on Snowden's revelations.