Are they basing this on the specific type of key discussed in the documents? I don't know a lot about it, but I'm inclined to believe there are valuable keys burned-in to 3G+ cards too.
I also wonder if there is a downgrade attack to force 2G, so that those keys are not completely worthless.
So whilst it would be possible to decrypt phone connections if you had your hands on the original secret Ki stored in the SIM, you'd have to record every connection between the phone and the network in order to obtain all the subsequent keys as well & if you miss out on the initial sign-on, or any individual re-keying then you’ll be shut out of that phone’s radio communications thereafter.
I imagine the NSA would be willing to try and do this for some target networks, but where they already have internal network access (US/UK/Five Eyes, any other network they've hacked into) it would be a lot of pointless effort.
The fake base station attack presumably works by forcing a downgrade to 2G, which is another approach, but one that requires local assets on the ground within phone range (unless you can do something with high gain antennas pointed at a specific target phone from a distance? That sounds hard, but the NSA likes hard as we know - throwing resources at something isn’t a problem for them.)
Short version: Knowing the OTA key lets you push malware to the target phone SIM which you can use to surreptitiously exfiltrate data from the phone via SMS messages, amongst other things.
3G/4G somehow uses random, short lived keys for encrypted communication, which change frequently enough to be a pain.
EDIT: It has been a while since I studied this, but I believe the shared key is used for trust - that this isn't a fake base station and the client is who they say they are. Then they use the equivalent of public key cryptography to establish short lived encryption keys. Stealing keys would probably enable a MitM only?
The problem is that whilst, yes, unique and constantly rotating randomness is used to establish unique session keys, the session keys are derived from the random nonce that's an encryption of the network selected randomness. In other words if you have the SIM key, you can figure out what the session keys also were. Ultimately the standard SIMs don't seem to use asymmetric crypto anywhere, meaning a compromise of the SIM key still allows you to undo all the encryption. Ultimately everything is derived from these shared keys.
And yes the problem of 2G downgrade attacks remains. There doesn't seem to be any good solution for those short of phasing out 2G entirely.
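Added example, not part of the thread: a sketch of the point made in the comment above, that each session key is a function of only the long-term SIM key Ki and the RAND sent in the clear, so fresh randomness per session gives no forward secrecy. The KDF and cipher are stand-ins (HMAC-SHA256 and a SHA-256 counter keystream), not the operators' algorithms, and all keys and messages are constructed samples.

```python
import hashlib
import hmac
import secrets


def derive_session_key(ki: bytes, rand: bytes) -> bytes:
    # Stand-in KDF (assumption): HMAC-SHA256, not a real SIM algorithm.
    return hmac.new(ki, rand, hashlib.sha256).digest()[:16]


def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy keystream (SHA-256 in counter mode) standing in for the radio cipher.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def run_session(ki: bytes, plaintext: bytes) -> tuple:
    # The network picks a fresh RAND per session; RAND travels in the clear.
    rand = secrets.token_bytes(16)
    return rand, xor_stream(derive_session_key(ki, rand), plaintext)


def decrypt_capture(ki: bytes, capture: list) -> list:
    # Every key is recomputed from Ki plus that session's own RAND;
    # no state from earlier sessions is needed.
    return [xor_stream(derive_session_key(ki, rand), ct) for rand, ct in capture]


def demo() -> dict:
    ki = secrets.token_bytes(16)  # constructed sample long-term key
    sent = [b"call setup", b"sms: hello", b"data burst"]  # constructed traffic
    capture = [run_session(ki, m) for m in sent]
    return {
        "sent": sent,
        "all_sessions": decrypt_capture(ki, capture),
        # Only the last session recorded: still decrypts on its own.
        "last_only": decrypt_capture(ki, capture[-1:]),
        # Fresh RANDs alone do not help without the long-term key.
        "wrong_ki": decrypt_capture(secrets.token_bytes(16), capture),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

An ephemeral key exchange would remove this property, because the session key would no longer be computable from the long-term secret plus the recorded transcript.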
Sorry for being OT, but maybe HN should recheck whether downvoting a comment just to express disagreement about a factual statement (as opposed to punishing bad or trollish ones) is conducive to a civil and constructive discourse here.
Unless it is so bad it goes grey, I can't see any indication.
Now, while this is true, I believe that a bad actor can still listen to the radio transmissions passively and decrypt those. But that is a lot harder than just plugging in to the tower and listening.
http://blog.cryptographyengineering.com/2013/05/a-few-though...
You can very cheaply (~$100) buy a 2G/3G/4G jammer from any Chinese wholesaler site (but don't, because it's illegal pretty much everywhere). Most of these jammers have a switch to jam only 3G and 4G, leaving 2G functional - that would force the phone you are attacking to switch to 2G mode as it couldn't find any 3G/4G towers.
Their protection is that many MNOs are using proprietary authentication algorithms, making it harder to scale global surveillance. But that applies equally to 2G/3G/4G.
That said, I wonder if Gemalto really had any other option than to say its keys weren't stolen. What might be the cost of replacing all affected SIM cards?
No kidding, they've been bought, under more-than-suspicious circumstances, by [inQtel](https://www.iqt.org/) and [Texas Partner Group](https://tpg.com/), which officially are CIA proxies.
I don't think they had to resort to tailored access to perform their heist, I'd rather bet that they still have enough former colleagues inside Gemalto to get whatever they want by simply entering the correct password on the correct keyboard.
The statement made is pretty much a textbook declaration of damage control. Personally I'm not buying their claims, but only they can prove it happened and they never will as the market will lose complete faith in buying from them.
If you're based in the Netherlands, no such justification is necessary.
But it seems like that isn't really needed because the stolen keys were mostly replaced already anyway. Anyone who suspects they might be a person of interest can always just request a new one from their carrier.
The Ki database has to be distributed to so many places in and around the network that it isn't surprising that it is schlepped around using insecure means.
Of course in an ideal world the keys should never be accessible by a human, they should have been generated in a set of HSMs at the SIM manufacturer that are transferred physically to the network operator. In reality this doesn't happen as that takes time and money and is an overall logistical nightmare.
Mobile carriers use lots of professional services "experts" from the vendors they buy from, it is rare to have in-house engineers running and maintaining the systems as those tasks are usually outsourced.
Such engineers will have done a 4 week course with Nokia-Siemens-Networks, Huawei or Ericsson and they are sent out into the field with a crappy laptop and a few tools, they are just expensive "remote hands" without any real knowledge.
This is how it would play out from a 3rd level support/engineer back at Telco HQ -
In-house expert: Hi Mr Field Engineer, I need you to restore that HLR you are looking at, I can't reach it from here, and I need to send you a file securely to restore to that node, do you use PGP? Do you have the emergency encrypted USB stick with you?
Outsourced Engineer: PGP? I don't know how to program, isn't that for making web-sites? USB stick, yes I have a new one in my bag I bought for downloading movies.
In-house expert: No, that is PHP, don't worry about that for now, do you have any decryption software on your laptop?
Outsourced Engineer: No, but my laptop is already unlocked, I've typed in my account and password.
In-house expert: I have my boss screaming at me and the call-center is overloaded with complaints, do you know how to use SCP?
Outsourced Engineer: SCP?
In-house expert: OK, how about FTP, do you have an FTP client?
Outsourced Engineer: Yes, I've got that, I use it for sending firmware to Cisco routers.
In-house expert: No, not TFTP, FTP! Do you know what that is?
Outsourced Engineer: Huh?
In-house expert: OK, how about a corporate email account?
Outsourced Engineer: No, I'm working for "XYZ Solutions" and I'm on a probationary period, I have a hotmail account, does that help?
In-house expert: OK, I suppose that will have to do, please just delete the email from hotmail and make sure you delete that file later from your PC.
Outsourced Engineer: OK, you mean just drag it to trash on this 4 year old Windows XP laptop I'm using?
sigh
A bit surprising they promote security by obscurity though:
"Security is even higher for mobile operators who work with Gemalto to embed custom algorithms in their SIM cards. The variety and fragmentation of algorithmic technologies used by our customers increases the complexity and cost to deploy massive global surveillance systems."
But that is the problem, they shouldn't really be in a state that could ever be read by a human, they should be on individual HSMs that are distributed around the networks from the SIM manufacturer.
The problem is that there isn't a real standard on how to exchange HSMs between SIM manufacturers and the network operators that use different jury-rigged hacks for everything.
The mass deployment of HSMs would add a huge cost and involves additional hardware development and integration in mobile networks that already work perfectly.
If the SIM manufacturer insisted that the keys would never be given in a plain-text format but only as individual non-dumpable HSMs then that would force the network equipment vendors and mobile operators to deploy the technology.
This isn't going to happen as the SIM company will lose business to a competitor and the mobile network operator will not spend their budget on such a project that adds zero functionality to their existing (and completely operational) network.
I'm illustrating how easily such a file is leaked because the people employed in mobile network maintenance are incompetent and the systems are not updated and kept secure.
It's a little disturbing that the "sophisticated" attacks they detected don't really sound all that sophisticated. Is spoofing an email and sending a PDF/Office exploit really considered sophisticated? While it's a step above the most basic script-kiddie type stuff, that isn't unreasonable for even normal pentesting to do, and I wouldn't consider it an indicator of a nation-state attacker at all. Even if the attack was using 0-day in the attachment viewer, it's not unheard of for malware kits to employ similar techniques.
It definitely says something that those attacks were at least partially successful against systems Gemalto thinks could have resulted in the theft of sensitive crypto keys.
Generically, no, but the details can vary widely. If the email looks exactly like an internal email, and appears to come "from" someone the target knows, and the content references processes, info, or idioms common to that company or person, then that would be pretty darn sophisticated. Not technologically (an email is an email, after all), but socially.
From the technology side, the specifics of the exploit, and what the malware tries to do in the PC/network after the spear phish succeeds, can also indicate varying levels of sophistication. If the spear phish contained a zero-day OS exploit (previously unknown vulnerability), that would be pretty darn sophisticated.
I have no knowledge of the particulars of Gemalto--just speaking generally about how a spear phish attempt might be evaluated.
Maybe. I'd say a targeted email, using a believable, researched sender address and relevant contents, would be fairly sophisticated. It would certainly be way more effective than the bulk 'please pay this generic invoice' exploits that I get spammed with.
Four to five years after the hacks happened, Gemalto says it was all not so bad, they really really checked this time and they have super duper server logs they grepped twice to be sure.
That's a bit unfair. Gemalto say:
- "The risk of the data being intercepted as it was shared with our customers was greatly reduced with the generalization of highly secure exchange processes that we had put in place well before 2010."
- "The report... also states that when operators used secure data exchange methods the interception technique did not work."
- "Gemalto has never sold SIM cards to four of the twelve operators listed in the documents, in particular to the Somali carrier where a reported 300,000 keys were stolen."
- "A list claiming to represent the locations of our personalization centers shows SIM card personalization centers in Japan, Colombia and Italy. However, we did not operate personalization centers in these countries at the time."
There's a lot of valid points in Gemalto's report, and it seems dishonest to write it off so pettily.
I agree they have valid points that are worth setting the record straight on. But conveniently for Gemalto they distract from the core issue, which in my opinion is that they have been owned and are in denial of it.
Hopefully it's just PR and they are scrambling internally to keep spies out.
I wonder if they're going to reissue the root key. And if they do, how can I, as an AT&T Wireless customer, know that my new SIM is using it?
Since I have no way of knowing if my personal SIM key was stolen, I'll have to wait until AT&T works their way through their existing stock of SIMs and then request a new one. And hopefully get one that wasn't exposed.
Is the advantage solely that they don't need to intercept the traffic as a middleman to ask the target to downgrade?
If you had to force cell phone connections to A5/0, you would have to:
1) Have to both receive and transmit.
2) Have a stronger connection than any other nearby cell towers.
3) Have a backbone connection back into the network so that you can actually negotiate phone calls to users connected to other cell phone towers.
4) Have to be able to handle multiple simultaneous connections. Some MITM spoof cell towers only establish a connection for the person of interest, and all other devices in the area lose connection. A pretty telltale sign of a rogue base station operating in an area.
So in short it is much easier just to have the keys...
Are not all the ciphers breakable post collection anyways? Is it fair to say that this is effectively for the purpose of blanket non-targeted surveillance? Whereby having the keys in their possession gives them a shortcut for bulk analysis and saves CPU time that would otherwise be spent breaking encryption.
And a cpu-processing-savings advantage justified cyber-attacking a foreign civilian corporation?
I'm not buying this. If the fake emails were sent to the customer, wouldn't the operator be the one who detects the malicious address? So how is Gemalto informing the customer that the mails are malicious?
I don't understand this. First, it's well known that intelligence services passively listen to and collect any and all radio traffic. The issue then is can that traffic be decrypted, not can the traffic be spied on. Related to that is of course the use of frequency hopping -- but as I understand it, if frequency hopping uses N bands, and you have N antennas/radios at your disposal, you could listen and record all of them.
Secondly, we all know that if you have a SIM card, you can connect to a 3G/4G network. What they seem to be implying is that 3G/4G uses asymmetric encryption (certificates) for authentication, and that only the SIM card knows its own secret key. Does anyone know if this is true? Did 3G/4G move away from shared-secret to asymmetric keys?
I hope I'm missing something -- because if not this press release is basically full of placating lies.
That's what they think...
Just carry on. Please.
* But be vigilant!