The world was recently shocked by revelations from Edward Snowden that U.S. and British spies hacked SIM card maker Gemalto to gain access to billions of phones.
The encryption keys on SIM cards are supposed to protect us, but there are further precautions that can be taken to keep the National Security Agency and other hackers at bay.
The solution is to use temporary encryption keys for each phone conversation, keys that expire at the end of the session like the self-destructing messages from Mission: Impossible. Both parties must have the encryption keys in advance, so the system is only suitable for closed-group communications between companies or governments.
The NSA and GCHQ (Government Communications Headquarters, the British intelligence and security agency) accessed phones around the world by hacking into Gemalto's servers and stealing the encryption codes that were burned onto the SIM cards when they were manufactured. The mobile network providers also had these encryption keys to identify and communicate with their customers. The big difference with end-to-end encryption is that the company providing the encryption software doesn't have those keys on its servers. Only the endpoint devices hold the cryptographic keys, and the company's server acts as a messenger, passing along data that it can't itself decipher.
To send you a message, the sender needs your public key, which you share with anyone wanting to communicate with you. To read a message, a separate private key is needed, one which never leaves the receiver's device. Think of it like a lock box, where many people have a copy of the key which allows them to put messages into the box but only you have the key to open the box and take messages out.
Several companies around the world provide this type of end-to-end closed encryption, including Voltage Security and Switzerland-based Qnective. Qnective's Qtalk Defense (PDF) is an application that is hosted on its customers' premises and is used by police forces, ministries and other governmental entities worldwide. But this type of secure communication is also available to individuals.
In November 2014, mobile messaging service WhatsApp announced that it was partnering with security experts Open Whisper Systems to add end-to-end encryption to its mobile messaging system that is used by millions around the world. It uses the TextSecure protocol, which creates a new, temporary key code for each message like any other end-to-end encryption technology.
This feature is available for individual text messages on the Android WhatsApp client and is due to be rolled out for group and multimedia messages on both Android and iOS. Apple uses a form of the technology on its iMessage App, but experts have highlighted a flaw that might allow the system to be hacked. Google also is working on an end-to-end email encryption system for Chrome.
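The idea of a new, temporary key for each message, starting from a secret both parties already hold, can be sketched as follows. This is an added illustration, not code from TextSecure, WhatsApp or any vendor named in the article; the `Ratchet` class, the labels, and the HMAC-based stand-in cipher are assumptions chosen so the sketch runs with the Python standard library alone.

```python
import hashlib
import hmac
import os

def kdf(key: bytes, label: bytes) -> bytes:
    """Derive a new 32-byte key from `key`; one-way, so the output does not reveal `key`."""
    return hmac.new(key, label, hashlib.sha256).digest()

class Ratchet:
    """One direction of a conversation; both ends start from the same secret."""
    def __init__(self, shared_secret: bytes):
        self.chain_key = kdf(shared_secret, b"init")

    def next_message_key(self) -> bytes:
        message_key = kdf(self.chain_key, b"message")
        # Overwrite the chain key: earlier message keys cannot be re-derived from it.
        self.chain_key = kdf(self.chain_key, b"chain")
        return message_key

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, not a vetted AEAD.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(message_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = keystream(kdf(message_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(kdf(message_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def open_sealed(message_key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kdf(message_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    stream = keystream(kdf(message_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))

def demo():
    secret = os.urandom(32)  # constructed: the secret both parties hold in advance
    alice, bob = Ratchet(secret), Ratchet(secret)
    blobs = [seal(alice.next_message_key(), m) for m in (b"first", b"second")]
    plains = [open_sealed(bob.next_message_key(), b) for b in blobs]
    return blobs, plains, bob

if __name__ == "__main__":
    print(demo()[1])
```

Because each step replaces the chain key with a one-way derivation of itself, a device seized after the second message holds nothing that can open the first one.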
Gemalto claimed earlier that the security breach was not as serious as first feared, but the scandal has piqued the public's interest in SIM card encryption, so you can bet that people are going to be looking for services that can provide robust end-to-end encryption.
Photo: Ervins Strauhmanis | Flickr