* U.S., UK spies hacked SIM card maker Gemalto's system
* News website cites documents from Edward Snowden
* Says gave spies ability to monitor calls on billions of
* Franco-Dutch firm Gemalto says it is investigating report
(Adds information from European security source)
By Eric Auchard
FRANKFURT, Feb 20 U.S. and British spies hacked
into the world's biggest maker of phone SIM cards, allowing them
to potentially monitor the calls, texts and emails of billions
of mobile users around the world, an investigative news website
The alleged hack on Gemalto, if confirmed, would
expand the scope of known mass surveillance methods available to
U.S. and British spy agencies to include not just email and web
traffic, as previously revealed, but also mobile communications.
The Franco-Dutch company said on Friday it was investigating
whether the U.S. National Security Agency (NSA) and Britain's
GCHQ had hacked into its systems to steal encryption keys that
could unlock the security settings on billions of mobile phones.
The report by The Intercept site, which cites documents
provided by former NSA contractor Edward Snowden, could prove an
embarrassment for the U.S. and British governments. It opens a
fresh front in the dispute between civil liberties campaigners
and intelligence services which say their citizens face a grave
threat of attack from militant groups like Islamic State.
It comes just weeks after a British tribunal ruled that GCHQ
had acted unlawfully in accessing data on millions of people in
Britain that had been collected by the NSA.
The Intercept report (bit.ly/19E0KUK) said the hack
was detailed in a secret 2010 GCHQ document and allowed the NSA
and GCHQ to monitor a large portion of voice and data mobile
communications around the world without permission from
governments, telecom companies or users.
"We take this publication very seriously and will devote all
resources necessary to fully investigate and understand the
scope of such sophisticated techniques," said Gemalto, whose
shares sunk by as much as 10 percent in early trading on Friday,
following the report.
The report follows revelations from Snowden in 2013 of the
NSA's Prism programme which allowed the agency to access email
and web data handled by the world's largest Internet companies,
including Google, Yahoo and Facebook.
A spokeswoman for Britain's GCHQ (Government Communication
Headquarters) said on Friday that it did not comment on
intelligence matters. The NSA could not be immediately reached
A European security source said that mobile devices were
widely used by terrorist groups and that intelligence agencies'
attempts to access the communications were justified if they
were "authorised, necessary and proportionate." The source did
not confirm or deny that the documents were from GCHQ.
The source also said Western agencies would sometimes hold
on to data over time in order to decrypt the communications of
specific intelligence targets.
The source added that wireless networks in Iran, Afghanistan
and Yemen were viewed as having significance intelligence value.
These were identified by the Intercept as countries where
Britain's GCHQ intercepted encryption keys used by local
wireless network providers.
The new allegations could boost efforts by major technology
firms such as Apple Inc and Google to make strong
encryption methods standard in communications devices they sell,
moves attacked by some politicians and security officials.
Leaders including U.S. President Barack Obama and British
Prime Minister David Cameron have expressed concern that turning
such encryption into a mass-market feature could prevent
governments from tracking militants planning attacks.
Gemalto makes SIM (Subscriber Identity Module) cards for
phones and tablets as well as "chip and pin" bank cards and
biometric passports. It produces around 2 billion SIM cards a
year and counts Verizon, AT&T Inc and Vodafone
among hundreds of wireless network provider customers.
The European security source said that an assertion by The
Intercept that GCHQ had taken control of Gemalto's internal
network was speculative and not supported by documentation
published by the website.
The Intercept, published by First Look Media, was founded by
the journalists who first interviewed Snowden and made headlines
around the world with reports on U.S. electronic surveillance
It published what it said was a secret GCHQ document that
said its staff implanted software to monitor Gemalto's entire
network, giving them access to SIM card encryption keys. The
report suggested this gave GCHQ, with the backing of the NSA,
unlimited access to phone communications using Gemalto SIMs.
French bank Mirabaud said in a research report the attacks
appeared to be limited to 2010 and 2011 and were aimed only at
older 2G phones widely used in emerging markets, rather than
modern smartphones. It did not name the source of these
Some analysts argued that if a highly security-conscious
company like Gemalto is vulnerable, then all of its competitors
are as well.
Gemalto competes with several European and Chinese SIM card
suppliers. A spokesman for one major rival, Giesecke & Devrien
of Germany, told Reuters: "We have no signs that something like
that happened to us. We always do everything to protect our
But while security experts have long believed spy agencies
in many countries have the ability to crack the complex
mathematical codes used to encrypt most modern communications,
such methods remain costly, limiting their usefulness to
targeted hijacking of individual communications.
(Additional reporting by Abhirup Roy and Supantha Mukherjee in
Bengaluru; Leigh Thomas, Cyril Altmeyer, Blaise Robinson and
Nicholas Vinocur in Paris, Mark Hosenball in Washington,; Jens
Hack in Munich; and Harro ten Wolde in Frankfurt; Editing by
Andrew Callus and Pravin Char)