What you need to know about the international SIM card hack
Gemalto, a Dutch company, provides a large share of the world's encryption keys for SIM cards and cellular phone networks. Essentially, what this means is that your phone's SIM card holds a unique encryption key and your phone's provider – Vodafone, Telstra or Optus for example – holds the matching copy of that key. When your phone connects to the network, the network can verify that the phone belongs to you, marrying your account with the network for billing purposes. This encryption mechanism exists predominantly for that reason: to let the network know that you're you. That is why the system was first set up; it was not set up to provide privacy to the person making calls.
The issue is that this Dutch company has been "hacked" by British and American spy agencies. This happened quite some time ago, between 2010 and 2011, and came out as part of Edward Snowden's continuous release of confidential information. The leak claims these breaches have been going on for a number of years now, on phone networks all over the world.
When you look into how these breaches happened, there are allegations that Gemalto was somewhat lax with the distribution and delivery of these keys, sometimes sending them over less secure channels such as FTP and email. The leaks also say that the spy agencies responsible were quite focused: they scoured Gemalto engineers' Facebook pages for birthdates, pet names – anything that could be useful in gaining access to their corporate network and email accounts.
Telstra, Vodafone and Optus have all confirmed that they use encryption keys provided by Gemalto, so we can only assume that people in Australia could be affected. When we talk about being affected, we should remember that this type of network security is flimsy at best; as mentioned above, it was never designed to provide users with privacy. The encryption system was put in place a long time ago and it hasn't changed all that much since the early days of digital cellular technology.
If someone had the encryption key to my phone, could they listen in on my calls and my messages? The answer is yes. While this is already feasible through wiretapping under the interception act, there is the potential for anyone to listen in if the allegations about Gemalto's lax security are true.
At the same time, actually listening in isn't easy. You have to fool the target's phone into thinking you've got a legitimate base station belonging to the network provider in question. You have to put a dummy base station, or a "StingRay" as they are called, near the person making the call. On top of this, the signal has to be strong enough for the target phone to connect to the StingRay rather than defaulting to the genuine network. Obviously, you also have to route the call back through to the legitimate network, otherwise the target will probably realise something unusual is going on. It's not all that easy; it's not the kind of thing your basement-dwelling Russian hacker could do from the other side of the world.
The other question is how do you get around this? How do you protect yourself if your SIM card's encryption key is out there? Requesting a new SIM card from your telco is one possible option, although Australia's major telcos are yet to commence any formal replacement programs. You can also use communication platforms such as iMessage, Skype, Viber and WhatsApp that use their own encryption, separate from that of the SIM card.
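To make concrete the mechanism described at the start of this piece (one shared key per SIM, used to prove the phone is yours) and why a leaked key undermines confidentiality even though it was designed for billing, here is an added toy model in Python; it is not Gemalto's, the carriers' or this article's code. HMAC-SHA256 and a hash-based keystream are assumed stand-ins for the operators' real algorithms, and every key, challenge and message below is a constructed sample value.

```python
import hmac
import hashlib

# Toy model of the SIM authentication the article describes: the SIM and the
# network share one secret per subscriber (GSM calls it Ki). HMAC-SHA256 and a
# hash-based keystream are assumed stand-ins for the operator algorithms
# (A3/A8 for authentication and key derivation, A5 for link encryption).

# Constructed sample values: a "leaked" key, a fresh key for a reissued SIM,
# the network's random challenge (RAND) and a message sent over the link.
KI_LEAKED = b"constructed-ki-leaked-16"
KI_FRESH = b"constructed-ki-fresh-0016"
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")
MSG = b"constructed SMS: meet at 9"


def sim_respond(ki, rand):
    """SIM side: derive a response (SRES) and a session key (Kc) from RAND."""
    sres = hmac.new(ki, b"auth" + rand, hashlib.sha256).digest()[:4]
    kc = hmac.new(ki, b"key" + rand, hashlib.sha256).digest()[:8]
    return sres, kc


def network_authenticate(ki_on_file, rand, sres):
    """Network side: recompute SRES with its copy of Ki and compare."""
    expected, kc = sim_respond(ki_on_file, rand)
    return hmac.compare_digest(expected, sres), kc


def xor_stream(kc, data):
    """Toy link encryption: XOR with a keystream expanded from Kc."""
    stream = hashlib.sha256(kc).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def call_session(ki_in_sim, ki_on_file, rand, plaintext):
    """Authenticate the SIM, then encrypt one message with the derived Kc.
    Returns (authenticated, ciphertext)."""
    sres, kc_sim = sim_respond(ki_in_sim, rand)
    ok, _ = network_authenticate(ki_on_file, rand, sres)
    if not ok:
        return False, None
    return True, xor_stream(kc_sim, plaintext)


def eavesdrop(ki_known, rand, ciphertext):
    """Anyone holding a copy of Ki and observing RAND derives the same Kc and
    can decrypt; authentication never protected confidentiality against them."""
    _, kc = sim_respond(ki_known, rand)
    return xor_stream(kc, ciphertext)
```

Reissuing the SIM (a fresh Ki on both the card and the carrier's record) is the remedy mentioned above: the leaked key no longer yields the session key, and a card still holding the old key fails authentication against the updated record.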
So should Australians be rushing off to get a new SIM card? I don't think so. With all the effort someone has to go to in order to listen in on a phone call via this method, the threat isn't actually huge. And while it's difficult to verify, Gemalto has published a statement saying that its SIM cards are secure. Besides, if someone wants to listen in on a conversation, there are much easier ways – especially if you're a government organisation.