Under-fire SIM card giant Gemalto has claimed that although it was “probably” hacked by the NSA and GCHQ, the spy agencies did not capture SIM encryption keys on a grand scale, as alleged last week.
A story by The Intercept citing new Edward Snowden documents claimed that the intelligence agencies infiltrated internal networks at the firm, which is said to produce two billion SIMs each year, and gained access to countless encryption keys.
In doing so, they were able to secretly monitor mobile phone communications around the globe without the need to get approval from the relevant operators or governments, the report claimed.
However, Netherlands-based Gemalto yesterday released a statement claiming that after a “thorough investigation” it concluded that intrusions were only made into its office networks, on which SIM encryption keys and customer data is not stored.
It had the following:
“While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.
It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks explains why the intelligence services instead chose to target the data as it was transmitted between suppliers and mobile operators as explained in the documents.”
However, these efforts largely failed, too, thanks to a “highly secure exchange process” put in place by the firm “well before” 2010, Gemalto added, claiming that “only rare exceptions to this scheme could have led to theft.”
Even on the rare occasions where keys were stolen, the spy agencies would only have been able to monitor 2G communications as 3G and 4G networks “aren’t vulnerable to this type of attack,” it said.
The SIM card giant even picked through the ‘leaked’ document in question which seems to indicate the large scale hacking of Gemalto, highlighting that it states “only 2% of the exchanges of encryption keys (38/1719) came from SIM suppliers.”
It added:
“Gemalto has never sold SIM cards to four of the twelve operators listed in the documents, in particular to the Somali carrier where a reported 300,000 keys were stolen.
A list claiming to represent the locations of our personalization centers shows SIM card personalization centers in Japan, Colombia and Italy. However, we did not operate personalization centers in these countries at the time.”
However, security experts weren’t 100% convinced by Gemalto’s statement.
Security consultant and special adviser to Europol, Brian Honan, argued that other major security incidents have taken months to investigate, rather than the handful of days it took Gemalto.
“Given the nature of the alleged attack and the capability of the alleged attackers, it is surprising to me that Gemalto can confidently claim they have fully investigated the incident and found no issues,” he told Infosecurity by email.
“For example, Sony Pictures Entertainment is still investigating the initial attack vector in last year's attack. With this in mind I would hope that Gemalto will continue to investigate their systems to get further assurances they were not breached. Indeed, other companies similar to Gemalto should also be getting their own assurances.”