Knowledge of security keys used in SIM cards can have wide reaching consequences. As prior research (https://media.defcon.org/DEF%20CON%2021/DEF%20CON%2021%20presentations/Karl%20Koscher%20and%20Eric%20Butler-Updated/DEFCON-21-Koscher-Butler-The-Secret-Life-of-SIM-Cards.pdf) has described, SIM cards are much like little computers with the ability to run applications at a lower level than the phone’s operating system (i.e. Android or iOS). Information obtained by hacking the SIM manufacturer could not only be used to decrypt protected phone communication but it could also likely be used to deploy malicious Java applets to targeted SIM cards by way of special SMS messages or signals from fake cell towers (referred to as sting rays in law enforcement terms). This also potentially opens up new techniques for sophisticated MiTM attacks against cellular data connections authenticated by the compromised SIM cards.--- Craig Young, CyberSecurity Researcher for Tripwire
The greatest security threat isn’t wearing a hoodie armed with a laptop and Metasploit, they wear suits and are armed with secrecy and legal loopholes. When the Snowden documents revealed potentially wide scale surveillance and astonishing capabilities many wondered how it was possible, but they were thinking in terms of existing hacking tools and methodologies, not governments’ ability to subvert technology via the supply chain through collaboration with private industry, many times without the businesses being aware or doing so unwillingly. The real issue here is that this appears to be done illegally with little oversight or transparency. As governments pass laws to crack down on criminal hackers, we are learning that they in many respects are hypocrites, as such the law needs to provide protections both ways, to both protect citizens from criminal hackers, as well as our own governments.
This is critical not only to protect citizens, but also business, as a core component of business is trust. Mobile phone manufacturers, carriers all the way down to app developers require consumer trust in order to sell their products, as people need to know their communications are private. When the entire system is subverted it raises a lot of challenges for business moving forward. Mobile phone developers will need to take this latest revelation into account when they are building systems and will have to add additional layers of security into their systems to help reestablish that trust for their customers. ---Ken Westin, Security Analyst fcor
“This type of spy activity predates the internet and will continue to happen no matter what the technology of the current day. All of this telephony capture is standard when it comes to spy agencies - the only thing that changes over the years are the techniques used.” – TK Keanini, Lancope