Spy agencies’ hacking of mobile encryption keys is no surprise, says security expert

The alleged hacking of Sim maker Gemalto by UK and US spy agencies is not a huge surprise, according to a Europol adviser on cyber security

The alleged hacking of Sim maker Gemalto by UK and US spy agencies to steal mobile communication encryption keys is not a huge surprise, according to a Europol adviser on cyber security.

“If it is true, it is plausible that they would do this, but then I suspect every other significant communications interception intelligence agency will be doing the same,” said Alan Woodward, cyber security expert and visiting professor at Surrey University.

But Woodward believes the journalists who first reported the hacking have their own political agenda. “So one needs to calibrate the way it is written with that in mind,” he told Computer Weekly.

“There appears to be a desire in some quarters to conflate the ability to listen in on mobile calls with mass surveillance. I don't see that as the case.”

If it is true, the joint GCHQ and NSA operation simply shows intelligence organisations adapting to new technologies as they come along to make sure they do not “go blind”, said Woodward. 

If the encryption keys were stored on a computer network that the spy agencies hacked into, and Gemalto had no idea it had been hacked prior to the report by The Intercept, Woodward believes this suggests many others may have been into that same network for the same purpose.

“I'm afraid it's what secret intelligence services do, and personally I'd rather my country was doing it where there is at least some oversight of such operations,” he said.

But this again raises the whole issue of whether the UK government should be conducting such surveillance, even if it is under various rules.

“Just like policing, it has to be done by consent,” said Woodward. “And, if the population were to turn to the government and say 'you must dismantle this capability', then it should be clearly understood that this will have security implications.”

Woodward does not see this as a trade-off between privacy and security. He believes that although mass surveillance is undesirable, it is possible to have both privacy and security if there are appropriate rules and oversight.

“However, you do need the capability to target people if those people are of interest, and that is what we are seeing here," he said. “If anything, it is an obvious point of weakness that agencies will exploit, as the encryption used on Sim cards has no forward security, unlike SSL sessions, so collecting them has long-term benefits.”

Woodward said it is impossible to “un-invent” technologies, and encryption is a good example.

“Hence, if you want government agencies to still be capable of collecting communications and signals-based intelligence, you must expect them to conduct operations like this,” he added. “Personally, and obviously I'm biased as I'm British, I'd like the UK agencies to have these capabilities in case they are needed.”

Woodward also pointed out that the structure of encryption used on Sim cards was never really intended to keep conversations totally secure.

“It can keep casual eavesdroppers off the line, but it is more about authenticity than confidentiality,” he said. “If you want secrecy, you can have that by using something like Silent Circle [encryption services].”

Read more on Privacy and data protection