SIM card maker Gemalto claims to be a world leader in digital security. It manufactures billions of SIM cards for hundreds of wireless carriers around the world. So when documents leaked by Edward Snowden revealed that both the NSA and the UK’s GCHQ had hacked the largest SIM card manufacturer in the world, and that the company hadn’t even noticed, it made global headlines.
What the NSA and GCHQ reportedly stole is even more worrying. The Intercept, which obtained the secret documents from Edward Snowden directly, explained that spies from the two agencies worked together to obtain the encryption keys that protect cellphone communications. With those keys in hand, the agencies could decrypt and spy on the communications of millions of subscribers.
All of this was revealed just six days ago. At the time, a Gemalto executive was quoted by The Intercept as saying he was “disturbed” and “quite concerned.” He added that the most important thing now was to figure out how it happened, the extent of the alleged breach, and the consequences it may have for Gemalto’s customers.
Less than a week later, Gemalto has released the findings of its probe into the issue. In the press statement detailing this “thorough investigation,” Gemalto admits that “an operation by NSA and GCHQ probably happened.” However, the company says that the breach could not have resulted in a massive theft of SIM encryption keys because the attack in question only breached Gemalto’s office networks.
“The operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally,” Gemalto explained. “By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft.”
Gemalto goes on to say that even if the NSA/GCHQ spies did manage to obtain encryption keys, they’d only be able to eavesdrop on 2G networks, because 3G and 4G networks have additional encryption. That claim deserves a caveat: in 3G and 4G the same long-term key stored on the SIM remains the root from which the per-session ciphering and integrity keys are derived during authentication, so the extra protection comes from mutual authentication and fresh keys per session, not from the long-term key being worthless to an attacker who holds it.
“If the 2G SIM card encryption keys were to be intercepted by the intelligence services, it would be technically possible for them to spy on communications when the SIM card was in use in a mobile phone. This is a known weakness of the old 2G technology […],” the company said in its statement. “This known weakness in the original 2G standards was removed with the introduction of proprietary algorithms […] The security level was further increased with the arrival of 3G and 4G technologies which have additional encryption.”
Gemalto also explains that several of the carriers listed in the document are not actually Gemalto customers, so keys for those carriers cannot have come from a breach of its network. The company uses this and other information (such as inaccurate locations of personalization centres) to conclude that while it may have been a target of choice, the NSA and GCHQ must also have targeted numerous parties beyond Gemalto. So, what about that attack that “probably happened”? The one mentioned right at the beginning of its statement?
Gemalto says an examination of attacks that took place between 2010 and 2011 revealed two events that it now believes to be the work of NSA/GCHQ spies. Both took place between June and July 2010. In the first, an attacker tried to spy on the network Gemalto staff use to communicate with each other and the outside world. The second involved an email sent to mobile operators purporting to come from a Gemalto email address and containing malicious code hidden within an attachment. Both attacks were addressed by Gemalto’s security team at the time.
Though Gemalto describes these attacks as “serious” and “sophisticated,” the details of these incidents have left some people skeptical. Motherboard cites several experts who express doubts as to whether agencies like the NSA and GCHQ would employ such tactics, or whether they would even leave traces of the attempts they did make.
The power and resources these agencies hold are even referenced in Gemalto’s report as a qualifying statement when highlighting the company’s security and auditing process. However, Gemalto, it seems, doesn’t believe any of this power was used to carry out an attack in 2010 that went undetected.
“Our security products, infrastructure and processes are designed to ensure the highest degree of security in a global, open, and commercial environment. These are regularly audited and certified by third-party private and public organizations,” the statement reads. “Nevertheless, we are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organizations. And, we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion.”
While many feel Gemalto’s report ‘downplays’ the breach, perhaps Gemalto’s biggest mistake is that the report concludes with a statement indicating that the company doesn’t plan to communicate on the matter any further, “unless a significant development occurs.” Gemalto seems eager to put all of this nasty business to bed (Reuters reports that the company doesn’t even plan to sue over the breaches it did find), which doesn’t exactly breed good faith.