What do you do when someone tells you “no”?
Do you accept it and move on? Continue your attempts at persuasion? Or ignore the answer and do what you want regardless?
If you’re the governments of the U.S. and U.K., you make the third choice. You do what you want and congratulate yourself on a job well done.
That’s the message the rest of the world will take away from the news that the National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ), stole the master encryption keys for most of the world’s cellphones — including yours. They wanted them, so they just took them, violating numerous laws and treaties in the process.
Washington and London now have some explaining to do, especially to the Netherlands, where the theft took place.
But you have some work to do as well … to beat these privacy thieves at their own dirty game.
Stealing the Master Key
The privacy of your mobile communications — voice calls, text messages and Internet access — depends on an encrypted connection between your cellphone and your wireless carrier’s network. This encryption uses keys stored on the SIM, a tiny chip inserted into your phone.
In April 2011, the NSA and GCHQ created a Mobile Handset Exploitation Team (MHET) to steal the keys that would unlock this encryption. The MHET targeted a Dutch company called Gemalto that makes these chips. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. By hacking the email and Facebook accounts of employees at Gemalto and its clients, the MHET was able to steal Gemalto’s master encryption keys. They even created a program that would steal the keys automatically.
With these stolen keys, the NSA and GCHQ can monitor mobile communications without warrants, wiretaps or approval from telecom companies and governments, leaving no trace of their actions. They can just vacuum up cellular signals out of the air and listen to any or all of the communications they intercept.
Key Weakness: Single-Tier Encryption
This NSA/GCHQ hack works because your cell communications are encrypted by your wireless carrier using keys that the carrier possesses. Anyone holding those keys can listen in on your calls, texts or emails. You have no control over the matter — unless you take steps to protect yourself.
As numerous observers have noted, the implications of wholesale compromise of master cell encryption keys go well beyond the NSA and GCHQ. After all, if they can steal these keys, so can other countries. Naturally, criminals and fraudsters would love to get their hands on them too: Imagine how much money you could make if you had access to cell calls made around Wall Street.
But the Gemalto hack may be about much more than cellphones. The company is a global leader in digital security, producing banking cards, mobile payment systems, building security devices and identification cards. Among its clients are Visa, MasterCard, American Express, JP Morgan Chase and Barclays. It also provides chips for luxury cars, including those made by Audi and BMW.
Oh, and one other client: the U.S. government, which uses Gemalto technology in its electronic passports.
Assume the Worst and Prepare
You should assume that your cellphone is insecure and that someone is listening in on your communications. Time will tell whether the same is true of your credit cards, passport and car as well.
But there is a simple way to prevent government spying on your cellular communications. Rather than rely on your cellphone company’s SIM card-based security, use secure communications software that encrypts your calls, texts and emails with a private key that only you and your contacts know.
You can encrypt your voice calls by using encrypted Voice over Internet Protocol (VoIP) apps such as Signal, RedPhone and Silent Phone. These work by turning your calls into encrypted Internet data, bypassing cell networks entirely. Apps such as TextSecure and Silent Text similarly encrypt your text messages. Email services such as Gmail already encrypt your mail in transit, but you can double down by adopting a specialist service such as Proton Mail.
If you use these encryption apps, governments may still be able to intercept your communications, but listening to them would be impossible without targeting you specifically with time-consuming high-tech codebreaking efforts. And even then they would probably fail.
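The two key models described above (the "Key Weakness" section and the advice just given) can be modelled in a few lines. This is an added illustration, not code from the article or from any carrier or app: the stream cipher, the key derivation and all key values are constructed stand-ins, and `Ki` here is simply the secret the SIM and the carrier share. A listener holding the stolen SIM key recovers the carrier-only traffic outright, but recovers only ciphertext when the parties add their own end-to-end layer.

```python
import hashlib
import hmac


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 counter keystream XORed with data.
    A constructed stand-in for the carrier's air-interface cipher; applying it
    twice with the same key and nonce returns the original data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def carrier_session_key(ki: bytes, rand: bytes) -> bytes:
    """Models the SIM/carrier key derivation (assumed shape, not a real A3/A8):
    both sides hold Ki, the challenge RAND is sent in the clear. Anyone who
    holds Ki and observes RAND derives exactly the same session key."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:16]


def over_the_air(ki: bytes, rand: bytes, frame: bytes) -> bytes:
    """Encrypt or decrypt one frame on the carrier link (the cipher is symmetric)."""
    return stream_xor(carrier_session_key(ki, rand), rand, frame)


def send_carrier_only(ki: bytes, rand: bytes, message: bytes) -> bytes:
    """Single-tier model: the only encryption is the carrier's, keyed by Ki."""
    return over_the_air(ki, rand, message)


def send_end_to_end(ki: bytes, rand: bytes, e2e_key: bytes,
                    e2e_nonce: bytes, message: bytes) -> bytes:
    """Two-tier model: encrypt first with a key only the two parties know,
    then hand the result to the carrier link as before."""
    inner = stream_xor(e2e_key, e2e_nonce, message)
    return over_the_air(ki, rand, inner)


def passive_listener_with_stolen_ki(stolen_ki: bytes, rand: bytes, frame: bytes) -> bytes:
    """What someone holding the SIM's Ki recovers from a captured frame."""
    return over_the_air(stolen_ki, rand, frame)


# Constructed sample values (not real keys).
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
RAND = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
E2E_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")
E2E_NONCE = bytes.fromhex("0102030405060708")
MESSAGE = b"meet at the usual place at nine"
```

With `KI` in the listener's hands, `send_carrier_only` traffic comes back as plaintext, while `send_end_to_end` traffic comes back as the inner ciphertext, which only `E2E_KEY` can undo.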
So what are you waiting for? Secure your cell communications quickly and simply. I have.
Offshore and Asset Protection Editor