SIM card makers hacked by NSA and GCHQ leaving cell networks wide open
L33tdawg: On a somewhat related note, Markus Vervier will be talking about an attack that enables active cloning of mobile identities at #HITB2015AMS at the end of May... He'll be showing how he managed to patch baseband firmware on an Android device to enable a virtual SIM card.
In a new report on some of the confidential documents leaked by former NSA contractor Edward Snowden, The Intercept wrote that operatives from both the National Security Agency (NSA) and the British Government Communications Headquarters (GCHQ) joined forces in April 2010, as the Mobile Handset Exploitation Team (MHET), to break mobile phone encryption. The team succeeded in stealing untold numbers of encryption keys from SIM card makers and mobile networks, most notably Dutch SIM card maker Gemalto, one of the largest SIM manufacturers in the world. Gemalto produces some 2 billion SIM cards a year, and they are used all over the world.
Although the SIM card was originally there to identify the subscriber for billing, today it also holds the secret from which the keys protecting a user's voice, text, and data traffic are derived, which is what makes that traffic difficult for spies to listen in on. Each SIM card is manufactured with an individual key (the "Ki") that is physically burned into the chip and is never meant to leave it; the mobile carrier holds a copy of the same Ki in its authentication centre. When the phone connects, it "conducts a secret 'handshake' that validates that the Ki on the SIM matches the Ki held by the mobile company," The Intercept explains. "Once that happens, the communications between the phone and the network are encrypted." Because the Ki itself never crosses the air, only a challenge and a response derived from it, anyone who has copied the Ki from the factory can derive the same session key as the carrier from a passively sniffed exchange and decrypt the traffic, or present a cloned SIM that the network cannot tell from the real one.
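The handshake above, and what a stolen Ki buys an eavesdropper, as an added toy model (not code from The Intercept, Gemalto, or any carrier). The `a3_a8()` and `a5_xor()` functions are HMAC and SHAKE stand-ins for the real SIM algorithms (COMP128 or MILENAGE) and the A5 air-interface cipher, which are not reproduced here; only the GSM output sizes (32-bit SRES, 64-bit Kc) are kept. The subscriber IMSI and Ki values are constructed sample data.

```python
"""Toy model of GSM SIM authentication (RAND -> SRES, Kc) and why a leaked Ki
breaks it. Added illustration, not code from the article's subjects.
a3_a8() and a5_xor() are stand-ins, NOT the real COMP128/MILENAGE or A5."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def a3_a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the card's A3/A8 algorithms (assumption: HMAC-SHA256).
    Returns (SRES, Kc) with GSM sizes: SRES is 32 bits, Kc is 64 bits."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def a5_xor(kc: bytes, frame: int, data: bytes) -> bytes:
    """Stand-in for the A5/x stream cipher: XOR with a keystream derived from
    Kc and the frame number. Encrypting and decrypting are the same call."""
    keystream = hashlib.shake_256(kc + frame.to_bytes(4, "big")).digest(len(data))
    return bytes(c ^ k for c, k in zip(data, keystream))


class AuC:
    """Operator's authentication centre: holds a copy of every subscriber's Ki."""

    def __init__(self) -> None:
        self._ki_by_imsi: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi: str, rand: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
        """Produce a (RAND, SRES, Kc) authentication triplet for this IMSI."""
        rand = rand or os.urandom(16)
        sres, kc = a3_a8(self._ki_by_imsi[imsi], rand)
        return rand, sres, kc


class SIM:
    """Subscriber card: Ki is burned in at manufacture and is never read out."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)


def authenticate(auc: AuC, sim: SIM, rand: Optional[bytes] = None):
    """The handshake: the network sends RAND in clear, the card answers SRES,
    and both sides derive Kc. Returns (RAND, Kc) on success, None on failure."""
    rand, expected_sres, kc_net = auc.triplet(sim.imsi, rand)
    sres, kc_card = sim.run_gsm_algorithm(rand)
    if not hmac.compare_digest(sres, expected_sres):
        return None
    return rand, kc_net  # kc_card == kc_net whenever SRES matched


def passive_decrypt(stolen_ki: bytes, rand: bytes, frame: int, ciphertext: bytes) -> bytes:
    """What the Ki theft buys: from a sniffed RAND and ciphertext alone,
    recompute Kc and read the traffic without ever touching the network."""
    _, kc = a3_a8(stolen_ki, rand)
    return a5_xor(kc, frame, ciphertext)


if __name__ == "__main__":
    # Constructed sample subscriber; a real Ki is a 128-bit factory secret.
    imsi = "204080000000001"
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")
    auc = AuC()
    auc.provision(imsi, ki)
    rand, kc = authenticate(auc, SIM(imsi, ki))
    ct = a5_xor(kc, 7, b"hello")
    print(passive_decrypt(ki, rand, 7, ct))            # the sniffer reads it
    print(authenticate(auc, SIM(imsi, bytes(16))))     # wrong Ki: None
    print(authenticate(auc, SIM(imsi, ki)) is not None)  # cloned card with stolen Ki: accepted
```

The point the model makes concrete: the network never learns anything from the handshake except that the card knows Ki, so a copy of Ki taken from the manufacturer is indistinguishable from the genuine card, and because RAND is broadcast in clear, the same copy also turns a passive recording into plaintext.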