Gemalto says NSA/GCHQ hack "probably happened"

(Image Credit: iStockPhoto/domin_domin)

Last week, we reported that personnel from the US and UK's top spy agencies hacked into large SIM card manufacturer, Gemalto, in an attempt to gain encryption keys for accessing mobile devices around the globe. The firm has been investigating these claims, and can now confirm the attack "probably happened."

Gemalto believe the intrusions affected just their office networks, and no encryption keys will have been taken if this is the case. The company was in-fact aware of a sophisticated attack during the period that the attack was said to have occurred.

Another SIM card manufacturer has been breached which could have been with more success

Had the encryption keys been leaked, the spy agencies would be able to listen in on 2G-based phone conversations and/or install malware on devices using SIM cards issued by Gemalto. Considering the company produces two billion SIM cards each year around the world, it would make for quite an asset for the two surveillance agencies.

"We are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organizations," Gemalto says.

3G/4G communications would be impervious to these attacks, which reduces its effectiveness and could be the reason why the NSA and GCHQ seemed to give-up on their pursuit. The intended targets, however, were countries where 2G is still most-used such as Afghanistan, Iceland, India, Iran, Pakistan, Serbia, Somalia, Serbia, Tajikistan and Yemen.

Gemalto believes that mobile operators are best employing added preventative measure to protect their customers: "Security is even higher for mobile operators who work with Gemalto to embed custom algorithms in their SIM cards. The variety and fragmentation of algorithmic technologies used by our customers increases the complexity and cost to deploy massive global surveillance systems."

The attack seems to have focused on Gemalto - which is not a surprise - but the company points out that some details in the document are not applicable to their services such as SIM card personalisation centres in Japan, Colombia, and Italy, which they did not have at the time of the attack. Another discrepancy is that Gemalto has not provided SIM cards to four of the twelve operators listed in the documents.

One of these operators is a Somalia-based carrier where 300,000 keys were said to be stolen. Either the documents are incorrect, or another SIM card manufacturer has been breached which could have been with more success than the attempt on Gemalto appears to have been.

Do you think SIM card encryption is secure enough? Let us know in the comments.

Related Stories

Leave a comment


This will only be used to quickly provide signup information and will not allow us to post to your account or appear on your timeline.

19 May 2015, 5:53 a.m.

What about Syria. Any security concern since 2G calls also dominates.