If China or Russia had compromised every mobile phone, *then* would the authorities take it more seriously?

The latest leak from NSA whistleblower Edward Snowden suggests that the NSA and GCHQ joined forces to hack Gemalto, a company which manufactures billions of SIM cards every year, and stole encryption keys used to protect the privacy of communications around the world.

Scott Ludlam, a Greens member of the Australian Senate, had the chance last week to quiz Australian Secretary of Defence Dennis Richardson about the recent hack revelations - which Gemalto itself has downplayed - and the response of the Australian Signals Directorate (ASD).

And Ludlam asks some very reasonable questions of the Australian spooks (most of which go unanswered).

For instance,

Are you able to identify whether these allegations are true?

What is your advice to Australian users of telecommunication services who may not want to use devices that are compromised by overseas intelligence agencies?

But one question Australian Secretary of Defence Dennis Richardson does appear keen to answer is whether they would be treating the implications of the reported Gemalto hack with greater urgency, if it were Chinese or Russian intelligence being blamed rather than the NSA and GCHQ.

Watch this video to see what he had to say, and the questions he didn't wish to immediately respond to.

Some of the conversation is truly gobsmacking:

Ludlam: Do you use an encrypted phone, Mr. Richardson?

Richardson: No, I don't.

Ludlam: Right. Okay. Do you use a commercial... I'm not asking you to name names... but do you use a commercial telecommunications provider?

Richardson: Yeah, yeah, yes.

Ludlam: So there might be a SIM card in your phone or mine. Does this alarm you at all?

Richardson: No.

Ludlam: No?

Richardson: No.

Ludlam: Why is that?

Richardson: Well, because I don't particularly deal with people who... if anyone wants to listen to my telephone calls they can. I'd be surprised if they do, but I don't particularly have conversations which I'm particularly worried about.

[Laughter]

Ludlam: So it's okay if foreign spooks have hacked every mobile handset in the country because you don't have anything in particular...

Richardson: It's possible some might try to.

Ludlam: It's possible some just have.

Richardson: [Shrugging] Well, it's possible.

Amazing, eh?

Initially, and I found this astonishing, the ASD representatives appear to claim that they have no knowledge whatsoever of the Gemalto hack, despite it being headline news around the world.

During the course of the conversation, it appears that they may have been more aware of the story than they had previously implied. Which I suppose is a relief.

But none of us should worry, apparently, because the heads of Australia's signals intelligence division would never consider having a sensitive conversation on a mobile phone...


2 Responses

  1. Philip Le Riche

    March 2, 2015 at 11:03 pm #

    GCHQ and the responsible ministers are always very keen to stress the legal underpinning of everything the security services do, and claim that the checks and balances are at least as strong as in any country in the world. That may be true, though cynics would doubtless retort that it wasn't saying much.

    True or not, if I were to steal some data, any court in the UK would regard it as a clear case of theft and a breach of the Computer Misuse Act. I'm struggling to see the legal underpinning of the same action by GCHQ against Gemalto unless a warrant was issued by the Secretary of State under Section 3-(1) of the Security Service Act 1989. Was it?

    We have to accept that spying is what intelligence agencies do, but it seems to me that hacking a commercial company in a friendly European country just isn't cricket.

  2. furriephillips

    March 3, 2015 at 5:27 pm #

    You forgot to include the words "hilarious" and "cringeworthy" in the article teaser. I watched the video a few days ago and it was truly painful to view these duffers not exactly respond to the questions.
