The NSA and Britain's GCHQ have compromised the bulk of the world's smartphones, hacking the world's most successful SIM card manufacturer and stealing untold millions of encryption keys, giving the agencies total access to, potentially, any given phone call and text message sent between two human beings on Earth, according to newly released top secret documents obtained by Edward Snowden and reported on by The Intercept.
The NSA has also apparently found a way of creating undetectable backdoors in consumer hard drives around the world, backdoors that can decrypt data and funnel it back to the agency. So, maybe it's time to take American intelligence agencies' complaints about the difficulty of breaking encryption a little less seriously.
In recent months, the NSA, Justice Department and FBI have said that the prevalence of encryption has created a "zone of lawlessness" and that law enforcement has "gone dark" in the attempt to track down potential terrorists and criminals. For the FBI, maybe that's still true, but the NSA has found a solution: Grab the encryption keys from the manufacturer, as they're being made.
The complaining from these agencies is a bit disingenuous.
"I would guess that they saw at least the potential for widespread consumer technologies they couldn't break," Matthew Green, a Johns Hopkins University applied cryptography researcher who was briefed by The Intercept before the scoop dropped, told me.
Instead of breaking encryption, US and British intelligence agencies created a "Mobile Handset Exploitation Team" to circumvent it. According to Jeremy Scahill and Josh Begley of The Intercept, newly leaked top secret documents show that the NSA and GCHQ hacked Gemalto, a company that makes the vast majority of the planet's smartphone SIM cards.
The hack was used to steal SIM card encryption keys, which can then be used to decrypt cell phone calls and text messages, and perhaps much of the world's mobile data traffic. AT&T, T-Mobile, Verizon, Sprint, and 450 other wireless companies use Gemalto SIM cards.
The news is perhaps the most shocking leak to come from Edward Snowden's documents in quite some time. Encryption keys can't be changed on the fly, meaning that closing this backdoor could take years and cost untold billions of dollars.
"It's pretty obvious that NSA has few scruples about breaking any technology and GCHQ has fewer, especially when it comes to human beings," Green told me. "GCHQ targets European tech workers and businesses, feeds the results back to NSA, which then puts them to use."
Green wrote about the possibility of such a backdoor in May of 2013, soon after the initial Snowden leaks. At the time, he wrote that sucking up millions of encryption keys would be a logical thing for the NSA to go after. With the keys, he wrote, "it seems unlikely that the NSA would have to 'break' any crypto at all."
"If I can record an encrypted call, and later obtain the [encryption key] for that phone, then I can still reliably decrypt the whole communication—even months or years later," he wrote. "To the truly paranoid: stop talking on cellphones."
Green told me that, as a result of this specific hack, the NSA likely wouldn't be able to decrypt some newer, third-party, software-based encryption. If you use WhatsApp or iMessage, your communications are still, in theory, safe.
So the NSA can decrypt data from your hard drive, without you knowing it. It can decrypt your text messages and calls, without you knowing it. So, I asked Green, point blank: It might be time for US intelligence agencies to shut the hell up about encryption, right?
"I agree," he said.