American and British spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe
It's made all the major news sites, but this is the original, well-researched source article on The Intercept.
As DaringFireball succinctly put it:
At this point we pretty much have to assume anything we do on a phone can be monitored.
The most important aspect is found near the bottom:
Privacy advocates and security experts say it would take billions of dollars, significant political pressure, and several years to fix the fundamental security flaws in the current mobile phone system that NSA, GCHQ and other intelligence agencies regularly exploit.
A current gaping hole in the protection of mobile communications is that cellphones and wireless network providers do not support the use of Perfect Forward Security (PFS), a form of encryption designed to limit the damage caused by theft or disclosure of encryption keys. PFS, which is now built into modern web browsers and used by sites like Google and Twitter, works by generating unique encryption keys for each communication or message, which are then discarded. Rather than using the same encryption key to protect years’ worth of data, as the permanent Kis on SIM cards can, a new key might be generated each minute, hour or day, and then promptly destroyed. Because cellphone communications do not utilize PFS, if an intelligence agency has been “passively” intercepting someone’s communications for a year and later acquires the permanent encryption key, it can go back and decrypt all of those communications. If mobile phone networks were using PFS, that would not be possible — even if the permanent keys were later stolen.
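To make the quoted paragraph concrete, here is an added example (my own illustration, not code from The Intercept or from any SIM vendor) contrasting the two models it describes. The first scheme mirrors the SIM design: a permanent key, called Ki on the card, is the only secret, and every call's session key is derived from it plus a random challenge. The second scheme is what the article calls "Perfect Forward Security", more commonly named Perfect Forward Secrecy: each call runs a fresh Diffie-Hellman exchange, the long-term key only authenticates that exchange, and the ephemeral exponents are destroyed afterwards. A passive interceptor records every call in both schemes; when the long-term keys later leak, the recorded SIM-style calls all decrypt, while the recorded forward-secret calls do not. Assumptions: the HMAC-based key derivation and stream cipher are toy stand-ins for the real A8 derivation and A5 ciphers (chosen so the example runs on the standard library alone), the modulus is the 2048-bit MODP group 14 value transcribed from RFC 3526, and all keys and messages are constructed sample data.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP group 14 modulus (RFC 3526), generator 2. Any large safe group works
# for the demonstration; this one is transcribed from the RFC.
P_HEX = """FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF"""
P = int(P_HEX.replace(" ", "").replace("\n", ""), 16)
G = 2


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode as keystream (stand-in for A5)."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


# --- Scheme 1: permanent SIM key, per-call session key derived from it -------------

def sim_call(ki: bytes, plaintext: bytes) -> dict:
    """Network sends RAND; both sides derive Kc = f(Ki, RAND) (stand-in for A8)."""
    rand = secrets.token_bytes(16)
    kc = hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()
    nonce = secrets.token_bytes(8)
    # Everything in the returned record is visible to a passive interceptor.
    return {"rand": rand, "nonce": nonce, "ct": xor_stream(kc, nonce, plaintext)}


def sim_decrypt_with_ki(ki: bytes, rec: dict) -> bytes:
    """Anyone who later obtains Ki can re-derive Kc from the recorded RAND."""
    kc = hmac.new(ki, b"A8" + rec["rand"], hashlib.sha256).digest()
    return xor_stream(kc, rec["nonce"], rec["ct"])


# --- Scheme 2: forward secrecy, fresh DH exponents per call --------------------------

def pfs_call(auth_key: bytes, plaintext: bytes):
    """Ephemeral DH per call; the long-term key only authenticates the exchange.
    Returns (intercepted record, session key held by the endpoints during the call)."""
    a = secrets.randbelow(P - 2) + 1            # phone's ephemeral secret
    b = secrets.randbelow(P - 2) + 1            # network's ephemeral secret
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    shared = pow(pub_b, a, P)                   # phone computes g^(ab)
    assert shared == pow(pub_a, b, P)           # network computes the same value
    session_key = hashlib.sha256(shared.to_bytes(256, "big")).digest()
    transcript = pub_a.to_bytes(256, "big") + pub_b.to_bytes(256, "big")
    tag = hmac.new(auth_key, transcript, hashlib.sha256).digest()
    del a, b, shared                            # ephemeral material destroyed after the call
    nonce = secrets.token_bytes(8)
    rec = {"pub_a": pub_a, "pub_b": pub_b, "tag": tag, "nonce": nonce,
           "ct": xor_stream(session_key, nonce, plaintext)}
    return rec, session_key


def pfs_decrypt_with_long_term_key(auth_key: bytes, rec: dict):
    """What a passive interceptor holding only the long-term key can do: confirm the
    exchange was genuine, but not recover the session key (no exponent, no g^(ab))."""
    transcript = rec["pub_a"].to_bytes(256, "big") + rec["pub_b"].to_bytes(256, "big")
    expected = hmac.new(auth_key, transcript, hashlib.sha256).digest()
    authentic = hmac.compare_digest(expected, rec["tag"])
    return authentic, None                      # None: no plaintext recoverable


def simulate(n_calls: int = 3) -> dict:
    """Record n_calls under each scheme, then leak the long-term keys and see what decrypts."""
    ki = secrets.token_bytes(32)                # permanent SIM key (constructed)
    auth_key = secrets.token_bytes(32)          # long-term PFS authentication key (constructed)
    msgs = [f"call {i}: hello".encode() for i in range(n_calls)]
    sim_recs = [sim_call(ki, m) for m in msgs]
    pfs_recs = [pfs_call(auth_key, m)[0] for m in msgs]   # session keys discarded here
    # Later: both long-term keys are stolen.
    sim_recovered = [sim_decrypt_with_ki(ki, r) for r in sim_recs]
    pfs_results = [pfs_decrypt_with_long_term_key(auth_key, r) for r in pfs_recs]
    return {
        "sim_all_decrypted": sim_recovered == msgs,
        "pfs_all_authentic": all(ok for ok, _ in pfs_results),
        "pfs_any_decrypted": any(pt is not None for _, pt in pfs_results),
    }


if __name__ == "__main__":
    print(simulate(4))
```

The point the example makes is the one in the quoted paragraph: in the first scheme the recorded RAND values plus a stolen Ki are enough to rebuild every past session key, whereas in the second scheme the recorded public values plus a stolen authentication key only let the interceptor confirm the calls were genuine; recovering the session key would require an ephemeral exponent that no longer exists anywhere. Detection-wise, this also explains why a key-material breach at a SIM vendor is retroactive damage rather than a future-only risk, which is what drives the remediation cost the article quotes.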
For the 'normal' individual, does it necessarily matter? Probably not, unless they're up to something nefarious. But it sows a seed of fear about using the Internet for one of its most amazing use-cases: world-wide communication. Having said that, considering that 1.393 billion users now use Facebook (and that's only one of the major social networks out there, all of which work to the same business model), which explicitly tracks you to sell your habits for advertising purposes, and that almost all the world uses free email accounts that do the same, do people really care?