Title: CCNE Jan10-Mar10 Trial

Release Date: 2015-02-19

Description: These six slides from a 2010 GCHQ presentation outline the results of a trial operation to acquire SIM encryption keys: see the Intercept article The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle, 19 February 2015.

Document: where-are-these-keys.pdf:
TOP SECRET STRAP 1

Where are these keys?

Keys live on the SIM card in the phone

They also need to be present on the mobile
network; are kept carefully protected in the core
network



[Diagram: base station, core of mobile network ◄—► landline network, internet]

GCHQ

CCNE "We penetrate targets' defences."

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under
other UK information legislation. Refer disclosure requests to GCHQ on (non-sec) or email

©Crown Copyright. All rights reserved.

ccne-successes-jan10-mar10-trial.pdf:
TOP SECRET STRAP 1

Successes

• No false positives

• Number of Kis found compares favourably to
manual results

• Collecting Ki for wider range of targets

• Some big finds

- Found 300’000 Ki for Somali provider

• IMSI/Ki/KiC/Kid/Kik

imsis-identified-with-ki-data-for-network.pdf:
TOP SECRET STRAP 1

IMSIs Identified with Ki data for Network Providers

Chart legend:
- Moera, Serbia
- NCVA, ICELAND
- IŒACL, INCtA
- AWCC, AFGHANISTAN
- TDCA, AFGHANISTAN
- SABAFN, YEMEN
- -w -WIN, YEMEN
- IRNCEL, IRAN
- BABLN.T^ IKSTAN
- TELES. SOMALIA

ccne-stats-summaries-jan10-mar10-trial.pdf:
TOP SECRET STRAP 1

Stats / summaries

• Identify all email addresses found near Ki data

• Reference all original UDAQ items

• Show breakdown of Kis found by network

• Show breakdown of activity by network

Emails:

107 items
184
184
295

UDAQ Item Identifiers used:
# Kis UDAQ ID

@huawei.com
@huawei.com

@trusted-logic.com

Unique IMSI and Ki data identified for networks:
Code    # Occurrences   Network
63701   1               Globetel, Somalia
41902   4               MTC, Kuwait
42004   5               Zain_SA, Saudi_Arabia
41201   1               AWCC, Afghanistan
43235   104             MTN_IRANCELL, Iran
42602   5               MTC_Vodaphone, Bahrain



ccne-email-harvesting-jan10-mar10-trial.pdf:
TOP SECRET STRAP 1

UDAQ item referenced from automated results

Hello ,

What is the decrypted value of this Ki?

 wrote:
> Dear ,
> Yes after encryption i can find like this
> IMSI =  Ki:  , still there is authentication problem, we experienced like this problem when IMSI are not match with correct Ki.
>
>
> Subject: Re: OUTPUT FILE FOR 8 PCS SAMPLES-URGENT!!!
>
> Hello Mr [redacted],
>
> Just 1 thing to confirm, since you say IMSI and Ki does not match but
> over here I have rechecked and rechecked everything. I need to confirm
> with you what is the Ki that you get after decryption in your backend
> system (after loading output file). So for example,
>
> 1. IMSI:
>
> 2. Ki (randomly generated by us) - Clear value NOT encrypted :
>
> 3. Ki (encrypted by transport key using DES CBC) :
>
> So, when you load output file and then the back end system decrypts,
> is the value the same as above??
>
> Best Regards,
> [redacted]

ccne-email-addresses-jan10-mar10-trial.pdf:
TOP SECRET STRAP 1

Associated email addresses

@gmail.com

@huawei.com - high scoring address

mail.com - high scoring webmail address

- international gateway for South African provider MTN

l@msn.com - an MSN address associated with traffic
