SIM Card Maker Acknowledges NSA, GCHQ Intrusion

Responding to a Snowden leak claiming that the US National Security Agency (NSA) and UK Government Communications Headquarters (GHCQ) had infiltrated its systems, Gemalto this week admitted that it had indeed been hacked. But the world’s biggest maker of SIM cards says its encryption keys were never stolen or compromised.

Last week, former NSA contractor Edward Snowden leaked news of the hack, stating that the NSA and GHCQ in 2010 had gained access to the “core mobile networks” at Gemalto and had gained access to the encryption keys the company uses in the SIM cards it manufacturers. Those encryption keys could allow a hacker to gain access to any voice or data communications performed on the phones and other digital device that employ Gemalto’s SIM cards.

If true, this could be the biggest known privacy violation in history. Gemalto makes over 2 billion SIM cards a year and sells them to over 450 mobile carriers around the world, including in China, the United States and Western Europe.

After pledging to fully investigate the incident, Gemalto this week confirmed at least part of the leak.

“The operation very probably happened,” Gemalto CEO Olivier Piou said Tuesday. “It’s difficult to prove our conclusions legally, so we’re not going to take legal action. We are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion.”

Gemalto says it found evidence of a series of sophisticated attacks against it in 2010 and 2011. But the security agencies were only able to breach its “office networks,” an intrusion that “could not have resulted in a massive theft of SIM encryption keys.” In these attacks, hackers used spoofed emails to Gemalto clients to install software for intercept communications. But the office network the hackers breached is separate from the networks Gemalto uses for SIM encryption codes and customer data.

According to Gemalto, there were also some number of attempts to intercept its SIM card encryption keys while they were in transit to mobile carriers. “It’s difficult to say how many,” Mr. Piou said. “Maybe a dozen, maybe 100. We know it’s very few.”

By the time of these attacks, Gemalto had instituted a secure transfer system with its wireless carrier customers “and only rare exceptions to this scheme could have led to theft.” And if theft did occur—i.e. its SIM cards were compromised by the security agencies—it only impacted SIMs used by older phone models that run on 2G networks. “None of our [3G and 4G SIM] products were impacted by this attack,” Gemalto says, noting that the process they use for newer chips doesn’t require it to send wireless carriers any encryption keys. Therefore, they couldn’t have been intercepted.

“The data which are exchanged between the SIM manufacturers and the telcos, when it was 2G, was indeed the [encryption] keys,” Gemalto senior vice president Serge Barbe said. “When it comes to 3G and 4G, they are no longer the encryption keys.”

The firm did leave open the possibility that there were infiltrations it could not find, and it’s hard to disprove that an attack you can’t detect did in fact happen. And while it didn’t name the companies, it admitted that some of its wireless carrier customers don’t use the most up-to-date security technologies, so it’s possible that their encryption keys were indeed compromised.

“The best counter-measures to these type of attacks are the systematic encryption of data when stored and in transit, the use of the latest SIM cards and customized algorithms for each operator,” a Gemalto statement notes. “Gemalto will continue to monitor its networks and improve its processes. We do not plan to communicate further on this matter unless a significant development occurs.”