FRANKFURT (Reuters) - U.S. and British spies hacked into the world’s biggest maker of phone SIM cards, allowing them to potentially monitor the calls, texts and emails of billions of mobile users around the world, an investigative news website reported.
The alleged hack on Gemalto (GTO.AS), if confirmed, would expand the scope of known mass surveillance methods available to U.S. and British spy agencies to include not just email and web traffic, as previously revealed, but also mobile communications.
The Franco-Dutch company said on Friday it was investigating whether the U.S. National Security Agency (NSA) and Britain’s GCHQ had hacked into its systems to steal encryption keys that could unlock the security settings on billions of mobile phones.
The report by The Intercept site, which cites documents provided by former NSA contractor Edward Snowden, could prove an embarrassment for the U.S. and British governments. It opens a fresh front in the dispute between civil liberties campaigners and intelligence services which say their citizens face a grave threat of attack from militant groups like Islamic State.
It comes just weeks after a British tribunal ruled that GCHQ had acted unlawfully in accessing data on millions of people in Britain that had been collected by the NSA.
The Intercept report (bit.ly/19E0KUK) said the hack was detailed in a secret 2010 GCHQ document and allowed the NSA and GCHQ to monitor a large portion of voice and data mobile communications around the world without permission from governments, telecom companies or users.
“We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques,” said Gemalto, whose shares sunk by as much as 10 percent in early trading on Friday, following the report.
The report follows revelations from Snowden in 2013 of the NSA’s Prism program which allowed the agency to access email and web data handled by the world’s largest Internet companies, including Google (GOOGL.O), Yahoo YHOO.O and Facebook (FB.O).
A spokeswoman for Britain’s GCHQ (Government Communication Headquarters) said on Friday that it did not comment on intelligence matters. The NSA could not be immediately reached for comment.
A European security source said that mobile devices were widely used by terrorist groups and that intelligence agencies’ attempts to access the communications were justified if they were “authorized, necessary and proportionate.” The source did not confirm or deny that the documents were from GCHQ.
The source also said Western agencies would sometimes hold on to data over time in order to decrypt the communications of specific intelligence targets.
The source added that wireless networks in Iran, Afghanistan and Yemen were viewed as having significance intelligence value. These were identified by the Intercept as countries where Britain’s GCHQ intercepted encryption keys used by local wireless network providers.
The new allegations could boost efforts by major technology firms such as Apple Inc (AAPL.O) and Google to make strong encryption methods standard in communications devices they sell, moves attacked by some politicians and security officials.
Leaders including U.S. President Barack Obama and British Prime Minister David Cameron have expressed concern that turning such encryption into a mass-market feature could prevent governments from tracking militants planning attacks.
Gemalto makes SIM (Subscriber Identity Module) cards for phones and tablets as well as “chip and pin” bank cards and biometric passports. It produces around 2 billion SIM cards a year and counts Verizon (VZ.N), AT&T Inc (T.N) and Vodafone (VOD.L) among hundreds of wireless network provider customers.
The European security source said that an assertion by The Intercept that GCHQ had taken control of Gemalto’s internal network was speculative and not supported by documentation published by the website.
The Intercept, published by First Look Media, was founded by the journalists who first interviewed Snowden and made headlines around the world with reports on U.S. electronic surveillance programs.
It published what it said was a secret GCHQ document that said its staff implanted software to monitor Gemalto’s entire network, giving them access to SIM card encryption keys. The report suggested this gave GCHQ, with the backing of the NSA, unlimited access to phone communications using Gemalto SIMs.
French bank Mirabaud said in a research report the attacks appeared to be limited to 2010 and 2011 and were aimed only at older 2G phones widely used in emerging markets, rather than modern smartphones. It did not name the source of these assertions.
Some analysts argued that if a highly security-conscious company like Gemalto is vulnerable, then all of its competitors are as well.
Gemalto competes with several European and Chinese SIM card suppliers. A spokesman for one major rival, Giesecke & Devrien of Germany, told Reuters: “We have no signs that something like that happened to us. We always do everything to protect our customers’ data.”
But while security experts have long believed spy agencies in many countries have the ability to crack the complex mathematical codes used to encrypt most modern communications, such methods remain costly, limiting their usefulness to targeted hijacking of individual communications.
Additional reporting by Abhirup Roy and Supantha Mukherjee in Bengaluru; Leigh Thomas, Cyril Altmeyer, Blaise Robinson and Nicholas Vinocur in Paris, Mark Hosenball in Washington,; Jens Hack in Munich; and Harro ten Wolde in Frankfurt; Editing by Andrew Callus and Pravin Char