A report by the Intercept claims that American and British spies jointly hacked into Gemalto to get hold of encryption keys in order to monitor mobile phones around the world. Here to comment on this news are information security experts from Tripwire: Craig Young, senior security researcher and Ken Westin, senior security analyst.
Free eBook: Modern Retail Security Risk – Get your copy now.
Craig Young, senior security researcher, Tripwire
“Knowledge of security keys used in SIM cards can have wide reaching consequences. As prior research has described, SIM cards are much like little computers with the ability to run applications at a lower level than the phone’s operating system (i.e. Android or iOS). Information obtained by hacking the SIM manufacturer could not only be used to decrypt protected phone communication but it could also likely be used to deploy malicious Java applets to targeted SIM cards by way of special SMS messages or signals from fake cell towers (referred to as sting rays in law enforcement terms). This also potentially opens up new techniques for sophisticated MiTM attacks against cellular data connections authenticated by the compromised SIM cards.”
Ken Westin, senior security analyst with Tripwire
“The greatest security threat isn’t wearing a hoodie armed with a laptop and Metasploit, they wear suits and are armed with secrecy and legal loopholes. When the Snowden documents revealed potentially wide scale surveillance and astonishing capabilities many wondered how it was possible, but they were thinking in terms of existing hacking tools and methodologies, not governments’ ability to subvert technology via the supply chain through collaboration with private industry, many times without the businesses being aware or doing so unwillingly. The real issue here is that this appears to be done illegally with little oversight or transparency. As governments pass laws to crack down on criminal hackers, we are learning that they in many respects are hypocrites, as such the law needs to provide protections both ways, to both protect citizens from criminal hackers, as well as our own governments.
This is critical not only to protect citizens, but also business, as a core component of business is trust. Mobile phone manufacturers, carriers all the way down to app developers require consumer trust in order to sell their products, as people need to know their communications are private. When the entire system is subverted it raises a lot of challenges for business moving forward. Mobile phone developers will need to take this latest revelation into account when they are building systems and will have to add additional layers of security into their systems to help reestablish that trust for their customers.”
About Tripwire, Inc.
Tripwire is a leading global provider of risk-based security and compliance management solutions, enabling enterprises, government agencies and service providers to effectively connect security to their business. Tripwire provides the broadest set of foundational security controls including security configuration management, vulnerability management, file integrity monitoring, log and event management. Tripwire solutions deliver unprecedented visibility, business context and security business intelligence allowing extended enterprises to protect sensitive data from breaches, vulnerabilities, and threats. Learn more at www.tripwire.com, get security news, trends and insights at http://www.tripwire.com/state-of-security/ or follow us on Twitter @TripwireInc
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.