It’s hard to know when the Edward Snowden revelations will stop coming, but Thursday 19th February brought another one – this time that Britain and America had been able to compromise the security of the most popular mobile telephone technology in the world.
Almost all mobile phones need a small card, known as the subscriber identity module – or SIM – before they can be used. The SIM contains a small integrated circuit and some memory; it is responsible for identifying the phone on the network so that calls can be routed to and from individual handsets. The SIM also authenticates the handset, helps locate it on a network and has a small amount of memory given over to storing SMS messages and contacts. SIMs are fairly old technology, so although modern phones have often switched to smaller sized SIMs, the underlying design is pretty much unchanged since they were introduced in the early 1990s.
The area of mathematics concerned with secrecy is called cryptography. Mobile phones use several different types of cryptography to perform different tasks, all of which require special keys – essentially long, unique chains of numbers which are used to turn meaningful data into apparent nonsense before being sent over the network, and then – as if by magic – to turn that gobbledegook back into useful information.
Burned into every SIM is a unique encryption key called KI. A matching copy of KI goes to that SIM’s telecom company and is stored in a secure database. When the SIM is inserted into a mobile phone and powered on, the phone must first be authenticated.
The network notices the new phone and sends it a large randomly generated number. A computer algorithm stored on the SIM, known as A3, uses KI and the random number from the network to produce another very large number called the Signed RESponse (SRES), which is sent back to the network. While this has been happening, the network has been performing the same task using its own copies of A3, the random number and KI to produce its own SRES. The two values are compared by the network; if they match, the phone is authenticated and it is allowed on to the network.
After the phone is authenticated, KI is needed to secure phone calls. Every time you make or receive a call, your phone generates a new encryption key to scramble the message. This time, a random number and KI are passed to another algorithm, called A8, to create a new key - KC. KC is used by the phone’s own hardware along with yet another algorithm, A5, to encrypt and decrypt data in real time so there are no annoying pauses in your conversation. At the end of the call, KC is thrown away and a new one must be generated for your next call.
So, once you know KI, you can not only fool a mobile phone into authenticating any device, but also know when individual SIMs connect to the network. You can also decrypt any communications made using that SIM so long as you can get hold of the random number originally used to create KC – and these numbers are sent over the network, vulnerable to interception.
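The exchange described above, as an added sketch that is not part of the original article. The real A3 and A8 are not given on this page, so HMAC-SHA256 stands in for both (an assumption), and the subscriber identifier and keys are constructed sample values.

```python
import hashlib
import hmac
import secrets

RAND_LEN, SRES_LEN, KC_LEN = 16, 4, 8  # GSM sizes: 128-bit RAND, 32-bit SRES, 64-bit KC


def a3_standin(ki, rand):
    # Stand-in for A3 (assumption: HMAC-SHA256, not a real operator algorithm).
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:SRES_LEN]


def a8_standin(ki, rand):
    # Stand-in for A8, same assumption; derives the session key KC.
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:KC_LEN]


class Network:
    def __init__(self, key_db):
        self.key_db = key_db      # subscriber id -> KI, the operator's secure database
        self.pending = {}         # subscriber id -> outstanding challenge

    def challenge(self, sub_id):
        rand = secrets.token_bytes(RAND_LEN)
        self.pending[sub_id] = rand
        return rand               # sent to the phone in the clear

    def verify(self, sub_id, sres):
        rand = self.pending.pop(sub_id, None)   # each challenge is single use
        ki = self.key_db.get(sub_id)
        if rand is None or ki is None:
            return None
        if not hmac.compare_digest(a3_standin(ki, rand), sres):
            return None           # wrong KI: authentication fails
        return a8_standin(ki, rand)             # the network's copy of KC


def attach(network, sub_id, sim_ki):
    """Run one exchange; return (rand, sres, kc_phone, kc_network)."""
    rand = network.challenge(sub_id)
    sres = a3_standin(sim_ki, rand)             # computed inside the SIM
    kc_network = network.verify(sub_id, sres)
    kc_phone = a8_standin(sim_ki, rand) if kc_network else None
    return rand, sres, kc_phone, kc_network


if __name__ == "__main__":
    ki = secrets.token_bytes(16)                # constructed sample KI
    net = Network({"sub-001": ki})              # constructed subscriber id
    rand, sres, kc_phone, kc_net = attach(net, "sub-001", ki)
    print("authenticated:", kc_net is not None and kc_phone == kc_net)
    # Any holder of a copy of KI needs only the RAND that crossed the network.
    print("copy of KI yields same KC:", a8_standin(ki, rand) == kc_net)
    print("wrong KI rejected:", attach(net, "sub-001", secrets.token_bytes(16))[3] is None)
```

KI itself never crosses the network in this exchange; only the random number and SRES do, which is why the secrecy of every stored copy of KI carries the whole scheme.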
It is possible to break mobile phone encryption without knowing KI. The A family of algorithms is fairly elderly and has been subject to an enormous amount of investigation. During these tests, weaknesses have been found that allow attackers to break the codes much faster than with a more secure form of encryption. However, it is much, much quicker to perform surveillance if you already have access to the keys. KI is the weakest point in mobile phone security, and that is why it was successfully targeted by the intelligence services.
Rather than intercepting SIMs as they were transported to their destination or demanding copies of the keys from telecom companies, GCHQ and the NSA attacked the point where the keys are most vulnerable – at the point they are made. Their target was Gemalto, a Dutch company that most people have never heard of, but which is responsible for manufacturing and shipping a sizeable proportion of the world’s SIMs to the telecom companies who provide mobile services. British and American intelligence agencies used information unwittingly provided by a Gemalto employee to compromise the corporation’s internal network, and from there to gain illicit access to the most secure computers and steal copies of the KI keys before they could be burned into SIMs and copies distributed to telecom companies.
It is uncertain exactly how many networks and phones have been compromised by this scheme, but the released GCHQ documents suggest successful trials were made against telecom operators in Iran, Afghanistan, Yemen and that hotbed of international terror – Iceland. Certainly millions, if not hundreds of millions, of keys have been copied, most of which will still be in use by people who are entirely innocent of any crime, yet who are now open to surveillance without any court order or legal redress. The activities of the intelligence services will have violated the law in the Netherlands, where Gemalto is headquartered, and they may have broken the laws of many other countries where the keys were actually distributed.
As a temporary fix, new SIMs could be issued to every user – a hugely expensive task for which there is probably not the commercial or political demand; but in the long term, it is perhaps time to think about better ways of securing our communications than the creaky old SIM.