>>The document noted that many SIM card manufacturers transferred the encryption keys to wireless network providers “by email or FTP with simple encryption methods that can be broken … or occasionally with no encryption at all.”
If that's true, then NSA/GCHQ aren't the only people who could have grabbed a big pile of keys.
I can confirm this. In many cases these keys are exchanged over email with simple DES encryption and a key known to everybody in the business (pretty obvious key BTW). It really boils down to the security procedures in place between the SIM manufacturer and Mobile Network Operators.
I want to chime in to offer the counter. I used to work for Gemalto. I'm not exactly sure which keys you are talking about, but when I was there Gemalto's standard practice for the transfer of the keys mentioned in the article--individual SIM embedded keys--was to use AllynisConnect (which I only mention because it's easily found on Google) to facilitate the transfer of individual SIM keys to the customer. Obviously I'm not going to comment on the details of the cryptography involved, but it was much more considered than "simple encryption methods or no encryption at all."
Notably this mechanism would not protect the keys against an attacker who was inside Gemalto's or the customer's secure network, as seems to be the case here.
I'd be interested in knowing which keys specifically you are talking about.
In many cases you have specific procedures in place for security-conscious MNOs, but some of these procedures are such a pain that you inevitably end up finding workarounds to get the business going, e.g. email or USB tokens between various people who are not supposed to have those keys.
Of course security officers and other officials are not aware of this. Dig through any sales mailbox and you will find CSV files (usually called output files) containing Ki encrypted with simple DES. I'll let you ask around to learn which DES key is most often used.
Disclaimer: this is not specific to Gemalto.
Unfortunately that is very possible, and of course I can't speak for other companies. I will say that Gemalto has internal access protection for this and other information.
Of course, there are lots of things I didn't have visibility on and it is possible that I am overly optimistic.
Why does there have to be any key transfer at all?
Why are they not generated in a more decentralized manner, at the manufacturer for example?
Why are there servers for the NSA to hack where they can exfiltrate the keys in the first place?
Information minimization and avoiding single points of failure could have prevented this.