US and British spies 'hacked world's largest sim card maker'

US and British spies hacked into the world's largest sim card manufacturer to gain access to billions of mobile phone voice calls and data around the world, according to the latest leak from National Security Agency (NSA) whistleblower Edward Snowden.

A special unit, including operatives from both the NSA and its British equivalent GCHQ, hacked into Gemalto, a Netherlands sim card manufacturer. The firm produces two billion sim cards a year for AT&T, T-Mobile, Verizon, Sprint and around 450 wireless network providers globally.

The unit – called the Mobile Handset Exploitation Team (MHET) – was set up in 2010 to exploit vulnerabilities in mobile phones, according to documents leaked to The Intercept.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

The team reportedly targeted the private email and Facebook accounts of specific Gemalto employees and planted malware (malicious software) on several of the company's computers, gaining access to "their entire network".

With this access, the spy agencies were able to steal encryption keys, used to protect the privacy of mobile phone communications, and secretly monitor voice calls and data without the knowledge of telecom companies and foreign governments.

The hacked keys "have the functional equivalent of our house keys," Mark Rumold, staff attorney at the Electronic Frontier Foundation, told The Guardian. "That has serious implications for privacy not just here in the US but internationally."

Rumold said there was "no doubt" that the NSA and GCHQ had violated Dutch law and suggested they had also broken the law in "many other territories" when they used the hacked keys.

Gemalto said it had been totally oblivious to the penetration of its systems and was "disturbed" by what had happened.

Paul Beverly, executive vice president at Gemalto, told The Intercept: "The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn't happen again."

NSA declined to comment, while GCHQ said the UK's interception regime was "entirely compatible with the European Convention on Human Rights".