The world's biggest SIM card manufacturer, Gemalto, revealed yesterday to have been hacked by the NSA and GCHQ, has taken a $470m hit in its stock price.

Gemalto was caught unawares by the revelation that the US and UK intelligence agencies had compromised its systems, and stole potentially millions of SIM card keys used to encrypt phone calls around the world. Gemalto supplies SIMs to 450 networks on Earth, from AT&T to T-Mobile, and launched an investigation.

Speculation that the Dutch manufacturer may be forced to recall chips, incurring huge costs, caused its share price to fall eight per cent in early trading before recovering a little to four per cent down on closing.

Obtaining SIM card private keys allows intelligence agencies to decrypt intercepted calls without anyone knowing – not the users, the network operators nor the handset manufactures. Communications eavesdropped today, yesterday or five years ago can be decoded once a SIM's Ki key is obtained.

The company issued a statement today in which it promised to get to the bottom of the hack:

"Gemalto is especially vigilant against malicious hackers, and has detected, logged and mitigated many types of attempts over the years. At present we cannot prove a link between those past attempts and what was reported yesterday.

“We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques.”

Incensed

Security watchers praised the company for its prompt and forthright response. But privacy and communications experts are incensed by the latest revelations about GCHQ/NSA warrantless mass surveillance.

The World Wide Web Foundation has called for urgent steps to be taken to secure private calls and online communications.

Its chief exec Anne Jellema commented: "The news that US and UK spy agencies hacked the network of a Dutch company to steal encryption keys for billions of SIM cards is truly shocking.

"Possession of these keys would allow these agencies to access private calls, web browsing records and other online communications without any of the legal safeguards and processes in place to prevent abuses of power.”

Jellema argued that the surveillance would undermine trust in mobile payments, among other concerns.

“This is yet another worrying sign that these agencies think they are above the law. Apart from its blatant disregard for multiple human rights, this foolish move undermines the security and future of the global mobile payments industry."

She noted that any security weakness or backdoors into a cryptographic system might also be exploited by third-party cybercriminals and called for an investigation into GCHQ including "a full and frank disclosure as to why they hacked a private company, and one headquartered in an ally country."

Other security experts warned that other intelligence agencies may be up to the same tricks. Andrew Conway, research analyst at Cloudmark, said: “The ease with which the NSA and GCHQ were able to compromise all mobile communications is shocking. But there are other nation state actors with just as much determination and sophisticated hackers. In particular, China's Axiom Group has shown remarkable abilities to penetrate targets in the West.”

Not just the NSA?

He highlighted other worrying accounts of mobile companies being targeted: "Last year, mobile security company ESD revealed that they had detected a network of fake mobile phone towers intercepting communications near US military bases. It was assumed that whoever was responsible was just collecting metadata, because 3G and 4G communications are encrypted. Could it be that this was some foreign espionage agency with the ability to listen to US mobile phone calls? Or perhaps it was the NSA monitoring all civilian phone calls near military bases for possible terrorist activity? Regardless, it is clear that mobile communications have been badly compromised.”

A complete revamp of mobile comm security may eventually be required, Conway concluded.

"In the short term organizations requiring secure voice communications can consider deploying mobile devices with another layer of encryption, such as Blackphone or Cryptophone. In the long term, we need to do a better job of end-to-end encryption of all mobile and fixed line communications - which will include not relying on a single master key for all communications." ®