U.S. and British spies hacked into the world's biggest maker of phone SIM cards, allowing them to potentially monitor the calls, texts and emails of billions of mobile users around the world, an investigative news website reported.
The alleged hack on Gemalto, if confirmed, would expand the scope of known mass surveillance methods available to U.S. and British spy agencies to include not just email and web traffic, as previously revealed, but also mobile communications.
The Franco-Dutch company said on Friday it was investigating whether the U.S. National Security Agency (NSA) and Britain's GCHQ had hacked into its systems to steal encryption keys that could unlock the security settings on billions of mobile phones.
The report by The Intercept site, which cites documents provided by former NSA contractor Edward Snowden, could prove an embarrassment for the U.S. and British governments. It opens a fresh front in the dispute between civil liberties campaigners for privacy and intelligence services that say citizens face a grave threat of attack from militant groups like Islamic State.
It comes just weeks after a British tribunal ruled that GCHQ had acted unlawfully in accessing data on millions of people in Britain that had been collected by the NSA.
A spokesman for GCHQ (Government Communication Headquarters) said on Friday that it did not comment on intelligence matters. The NSA could not be immediately reached for comment.
The Intercept report said the hack was detailed in a secret 2010 GCHQ document and allowed the NSA and GCHQ to monitor a large portion of voice and data mobile communications around the world without permission from governments, telecom companies or users.
"We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques," said Gemalto, whose shares sank by as much as 10 per cent in early trading on Friday, following the report.
The report follows revelations from Snowden in 2013 of the NSA's Prism program, which allowed the agency to access email and web data handled by the world's largest internet companies, including Google, Yahoo and Facebook.
The new allegations could boost efforts by major technology firms such as Apple and Google to make strong encryption methods standard in communications devices they sell, moves attacked by some politicians and security officials.
Leaders including U.S. President Barack Obama and British Prime Minister David Cameron have expressed concern that turning such encryption into a mass-market feature could prevent governments from tracking militants planning attacks.
Gemalto makes SIM (subscriber identity module) cards for phones and tablets as well as "chip and PIN" bank cards and biometric passports. It produces around two billion SIM cards a year and counts Verizon, AT&T and Vodafone among hundreds of wireless network provider customers.
In Canada, Bell confirmed that Gemalto is one of its SIM card suppliers.
"We have been in touch with them and look forward to the results of their internal investigation," said Bell spokeswoman Marie-Eve Francoeur in an email to CBC News.
As of 4:30 p.m. ET, Rogers and Telus had not yet responded to a CBC request asking whether they use Gemalto SIM cards.
The Intercept, published by First Look Media, was founded by the journalists who first interviewed Snowden and made headlines around the world with reports on U.S. electronic surveillance programs.
It published what it said was a secret GCHQ document that said its staff implanted software to monitor Gemalto's entire network, giving them access to SIM card encryption keys. The report suggested this gave GCHQ, with the backing of the NSA, unlimited access to phone communications using Gemalto SIMs.
French bank Mirabaud said in a research report the attacks appeared to be limited to 2010 and 2011 and were aimed only at older 2G phones widely used in emerging markets, rather than modern smartphones. It did not name the source of these assertions.
Competitors may be vulnerable too
Some analysts argued that if a highly security-conscious company like Gemalto is vulnerable, then all of its competitors are as well.
Gemalto competes with several European and Chinese SIM card suppliers. A spokesman for one major rival, Giesecke & Devrien of Germany, told Reuters: "We have no signs that something like that happened to us. We always do everything to protect our customers' data."
But while security experts have long believed spy agencies in many countries have the ability to crack the complex mathematical codes used to encrypt most modern communications, such methods remain costly, limiting their usefulness to targeted hijacking of individual communications.