What is the threat of attacks against the secret key (K) in LTE, and how is it mitigated?
Attackers may steal the pre-shared key K from the carrier's HSS/AuC or obtain it from the UICC manufacturer — card manufacturers may keep a database of these keys on their internal network. Mitigations: physical security at the UICC manufacturer and network security at the carrier.
* Two theft points for the root key K — the SIM factory's key database and the carrier's HSS/AuC; with K, no cipher needs breaking. *
The threat:
- The secret key K is the root of all LTE air-interface security (it's the LTE successor of GSM's Ki)
- Attackers may be able to steal K from the carrier's HSS/AuC, or
- Obtain it from the UICC (SIM card) manufacturer — because card manufacturers may keep a database of these keys within their internal network (the keys are written into the cards during production)
The mitigations:
- Physical security measures from the UICC manufacturer
- Network security measures from the carrier
The real-world echo — the Gemalto/"Great SIM Heist": this exact threat materialized when intelligence agencies were reported to have stolen SIM encryption keys from a major card manufacturer's network. If you steal the key database, you don't need to break any cipher — you can decrypt traffic and clone SIMs at will.
The architectural lesson: the strongest crypto is irrelevant if the key is copied at the factory or sitting in a breachable database. The supply chain of the key is part of the attack surface.
Go deeper:
The Great SIM Heist — How Spies Stole the Keys to the Encryption Castle (The Intercept, 2015) — the primary Snowden-document investigation: NSA/GCHQ harvested the per-card keys from Gemalto's network, exactly the "steal K from the manufacturer's database" threat made real.
Gemalto (Wikipedia) — the 2015 SIM key theft — encyclopedic summary of the operation and the manufacturer; kept for context and the image carousel.