Our Thoughts on the Gemalto SIM Hack
Dear Privacy Enthusiasts,
Many of you have asked our thoughts about the recent news of the GCHQ/NSA hack on Gemalto, the major supplier of SIM cards to carriers around the world. It’s a big deal because this was a state-sponsored attack on a Dutch corporation with manufacturing facilities in countries all over the world, and it gave the attackers free and unfettered access to all the supposedly “encrypted” communications between GSM handsets and the networks to which they connect.
This is important because it allows anyone with relatively accessible equipment to capture, store, and review all voice and data content going to and from your phone, without needing a court order or the cooperation of the network operator.
We’ve always generally believed the encryption provided by SIM cards is flawed, for various reasons. So finding confirmation—even on such a large scale—is not really a surprise. The story here is central to our positioning in the market. Privacy requires the user to exercise choice and control. You can choose not to rely on assurances from third parties that their decisions about your privacy are good enough. You can control what data is available to those third parties in the first place. You just need the right tools to do it.
One of the core advantages of Blackphone is that it doesn’t use traditional GSM calls or SMS messages for its secure communications. Silent Phone and Silent Text look and feel like the dialer and messaging clients you’re used to, but under the covers they work completely differently. They use peer-to-peer (P2P) encryption, where the keys exist only between the two communicating parties, and what’s more, the keys are used only for the duration of one session. So even if your phone has a hacked SIM card in it, there is a complete additional layer of robust encryption in place protecting you from further scrutiny. This layered approach is essential to a robust security posture.
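As an added illustration of the layering described above (this is example code, not Blackphone or Silent Circle code, and it does not reproduce Silent Phone’s actual protocol): a toy Python model in which a link layer keyed from the SIM secret Ki sits underneath an app layer keyed by an ephemeral Diffie-Hellman exchange, so an eavesdropper holding the leaked Ki can strip the outer layer and still sees only ciphertext. The SHA-256 stream cipher and the single Ki-derived link key are simplifications for the demonstration.

```python
import hashlib
import secrets
# RFC 3526 group 14 (2048-bit MODP) prime and generator for the ephemeral
# Diffie-Hellman exchange that keys the app layer.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2

def stream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Illustrative counter-mode keystream (SHA-256) XORed over data; the
    same call encrypts and decrypts. A stand-in for a real cipher, not one."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Endpoint:
    """One party in the P2P session: a fresh private exponent per session."""
    def __init__(self) -> None:
        self._x = secrets.randbelow(P - 2) + 1      # ephemeral, never sent
        self.public = pow(G, self._x, P)            # the only value on the wire
    def session_key(self, peer_public: int) -> bytes:
        shared = pow(peer_public, self._x, P)
        return hashlib.sha256(shared.to_bytes(256, "big")).digest()

def simulate(message: bytes, ki: bytes) -> dict:
    """Alice sends to Bob: app layer keyed by ephemeral DH, then a link layer
    keyed from the SIM secret Ki (real GSM derives a per-call Kc from Ki and a
    network RAND; collapsed here). Returns what Bob and a Ki-holder recover."""
    alice, bob = Endpoint(), Endpoint()
    k_alice = alice.session_key(bob.public)
    k_bob = bob.session_key(alice.public)
    link_key = hashlib.sha256(b"link" + ki).digest()   # what a leaked Ki yields
    inner = stream_xor(k_alice, b"app", message)       # Silent Phone-style layer
    outer = stream_xor(link_key, b"gsm", inner)        # air-interface layer
    stripped = stream_xor(link_key, b"gsm", outer)     # all a leaked Ki buys
    return {
        "bob_reads": stream_xor(k_bob, b"app", stripped),
        "eavesdropper_sees": stripped,
    }
```

Run `simulate(b"...", ki)` twice with the same message and Ki: Bob reads the message both times, while the eavesdropper’s view differs between runs because each session uses fresh key material.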
We understand that you’re expected to trust someone in this situation. Whether it’s us or someone else is less important than what tools you have available to verify their claims. So we encourage you to learn a bit about how these technologies work, how to find out which ones have been verified by independent third parties, and what methods they’ve used to conduct their own testing. The Electronic Frontier Foundation has done a great job of tallying up secure messaging tools, and we received a perfect score.
In addition, our bug bounty program encourages researchers around the world to take their best shot at us. We know we’re not perfect and would never claim otherwise, but we are committed to the fastest response and turnaround when vulnerabilities arise.
Keep asking questions and making reasonable decisions about your choices, and your controls. It’s a hairy topic but we want our customers and partners to be as well-informed as possible.