French-based digital security company Gemalto manufactures around 2 billion SIM cards every year, and while it maintains that its SIM cards are secure, earlier this week it was claimed that the US’ National Security Agency (NSA) and Britain’s Government Communications Headquarters (GCHQ) made off with encryption keys to pretty much every SIM card made.
While the details were made public in documents released by whistleblower Edward Snowden, Gemalto has refuted some of the claims – but significantly not all. It conceded that at least two attacks of interest did occur against its systems, but denies at length that encryption keys to SIM cards were stolen.
“The investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened,” Gemalto explained in a press statement.
It said that as a security company, hacking attempts against it are an almost daily occurrence. While the majority of the attacks are detected and stopped before they breach anything, some do manage to make it past the initial layer of protection.
“In particular, in 2010 and 2011, we detected two particularly sophisticated intrusions which could be related to the operation,” it said.
One of the attacks involved a third party trying to gain access to the company’s office network, which it claims it detected and stopped. The second incident “involved fake emails sent to one of our mobile operator customers” and a number of “attempts to access the PCs of Gemalto employees.”
It described the two incidents as serious, but said that in no way was the integrity of the SIM card data, or any other data for that matter, compromised.
“No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.”
However, Gemalto explained that instead of the NSA and GCHQ going after the SIM card information on Gemalto’s servers, it detected attempts to intercept the data that is transmitted between suppliers and mobile operators. The firm admits that while those transactions now “make use of highly secure exchange processes… in 2010 though, these data transmission methods were not universally used and certain operators and suppliers had opted not to use them.”
In particular, Gemalto points out an incident where an attempt to intercept data between it and a Pakistani network was foiled by such techniques.
So keys could have been stolen en route between Gemalto and its customers, in other words. If that is the case, however, the firm says that there are several possible outcomes. The first is that older SIM cards based on 2G technology could certainly have been compromised en masse. It does say, however, that in the majority of 3G and 4G networks it supplies, there’s an extra layer of encryption proprietary to the network operator, which would still present spooks with an insurmountable obstacle. However, while the firm recommends its customers implement this extra level of security, not all do – which would leave those networks open to attack.
Gemalto concluded by voicing its distress at the fact that if government agencies work together, as is the case with the NSA and GCHQ, they can intrude on networks with minimal recourse.
“We are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organizations. And, we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion.”
Even so, the firm adds, many of the details in the leaked documents were wrong, citing customers and countries in which it has never done business, including Somalia.