UK and US hacked mobile SIM card

US and UK intelligence agencies reportedly hacked into a major manufacturer of SIM cards to gain access to large amounts of data
worldwide.

The Intercept says the revelations came from US intelligence contractor turned whistleblower
Edward Snowden.

The Intercept alleges that the hack organised by Britain's GCHQ and the US National Security Agency (NSA) began in 2010, and was organised by operatives in the "Mobile Handset
Exploitation Team". Neither agency has commented directly on the allegations.

However GCHQ reiterated that all its activities were "carried out in accordance with a strict legal and policy framework which ensures that
our activities are authorised, necessary and proportionate".

Intercept said GCHQ targeted the company's engineers to gain information that gave them access to the company's networks.

Encryption keys were then reportedly stolen that allow the data that passes between mobile phones and cell towers and unscramble calls,
texts or emails to be decoded.

A GCHQ spokeswoman said they do not comment on intelligence matters.

But she said: "Furthermore, all of GCHQ's work is carried out in accordance with a strict legal
and policy framework, which ensures that our activities are authorised, necessary and
proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the parliamentary Intelligence and Security Committee.

Gemalto, the company which was allegedly targeted, manufactures an estimated 30% of all Sim cards worldwide. And crucially, it creates
the security key for each item. All security agencies needed to do was obtain (by hacking, allegedly) the list of security keys from the firm.

Then, as security expert Karsten Nohl says, they could snoop on phone calls with a "few hundred dollars worth of radio equipment in
strategically important locations".
This contrasts with security procedures used, for example, for chips in passports. Many are
are also manufactured by Gemalto.

These are delivered to the relevant authorities as a blank chip, and the Passport Office - not the company - creates the security key.

Many of Edward Snowden's allegations have shone a light on complex surveillance tactics
by the NSA. But perhaps this latest leak has done more to highlight how a single company is in control of millions of people's private data.