Gemalto denies 'massive theft' of SIM card encryption keys by NSA and GCHQ [updated]

Update: A new report in The Intercept claims that Gemalto is drastically downplaying the effects of this attack. In the report, several security researchers came to the conclusion that "the company made sweeping, overly-optimistic statements about the security and stability of Gemalto's networks, and dramatically underplayed the significance of the NSA-GCHQ targeting of the company and its employees."

Original story: Digital security vendor Gemalto revealed its findings today following last week's report of an incursion by the NSA and the GCHQ into the vendor's SIM card encryption keys. While Gemalto noted that an operation by NSA and GCHQ "probably happened" in 2010 and 2011, the intrusion could not have resulted in a "massive theft" of SIM card encryption keys as the breach affected the company's office network and not its secure networks.

Gemalto mentioned that the SIM card encryption keys were not stored in the networks that were breached:

These intrusions only affected the outer parts of our networks – our office networks - which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.

Access to the keys would have given the US and UK government agencies the ability to listen in on phone conversations and install malware on any Gemalto-issued SIM card. With an annual production of 2 billion SIM cards and ties to most major carriers in the world, including US carriers such as AT&T, Sprint, and Verizon, any security breach at the vendor would have global consequences. Here's what Gemalto found in its investigation into the hack:

  • The investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened
  • The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys
  • The operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally. By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft
  • In the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack
  • None of our other products were impacted by this attack
  • The best counter-measures to these types of attacks are the systematic encryption of data when stored and in transit, the use of the latest SIM cards and customized algorithms for each operator

According to Gemalto, even if the SIM card encryption keys were stolen, it would have resulted in the US and UK intelligence networks spying on 2G networks, making most users in developed countries prone to intrusion by covert agencies. However, The Intercept – the publication that first broke the news of the hack – noted that the target countries for the NSA and GCHQ's spying activities included Afghanistan, Iceland, India, Iran, Pakistan, Serbia, Somalia, Tajikistan and Yemen, where 2G networks are still the norm. Gemalto stated that its secure data transfer system was in use at that time, which would have deterred hackers from gaining access to the encryption keys.

Head to the link below to read all of Gemalto's findings.

Source: Gemalto

37 Comments
  • sooo.. first there was no breach.. now there probably was and this is still not even one week of investigation. I guess they have no connection between the secure network and the office network. so no admin can manage both from one pc. else they are full of ****
  • Yeah, seems we heard this argument already, and yet again and again from any company that suffered a breach of security.
    ..
    Edit: We always hear of these hacks, whether it be banks or companies months later, if not years. Kind of hard to protect yourself so late in the game.
  • What else can they say? Their whole business model is built on trust - if that goes they go too. The security apparatus is given leeway to act in such a manner, for national security, and this theft is such that very little evidence would remain. Even if evidence is found, no one will be prosecuted. Ever. Especially as they would be based on different jurisdictions. When Merkel of Germany found out her communications were tapped she had the interior ministry move to encrypted, non sim based secusmart technology - effectively heavily encrypted end to end voip. Good thing add using normal gsm was a dud. Bottom line - nothing is secure. Or sacred. Yet atrocities still occur. So if the capability is there then what? Incompetence? Lack of man power? Either way Gemalto isn't going to say the of for billion Sims need to be scratched. What about their competitors? They were attacked in a similar fashion. What do they say? Oh. Nothing so far. Right...
  • That's what I added on to my comment; we don't hear of these sorts of attacks until months, or in this case, years have gone by. No way to do anything ourselves.
    ...
    What sucks the most is that government agencies are allegedly up to this. Like you said: Nothing is sacred. If "we" need to listen in on these folks of terrorist orgs, it would seem we should have some mechanism in place to get the encryption keys of certain individuals without going to such great, embarrassing lengths. Maybe it is far more complex in today's disposable phone market, but it causes one to wonder who the bad guys are. Lots of grey area here. Two, or more wrongs seem to make a right in someone's head.
  • The real issue is obtaining a warrant. Not all warrants are obtainable in secret - according to specific guidance, per situation. A warrant has a notification. People can see this so people may be armed. Instead of asking for permission, agencies have been directly fishing for Intel, bypassing the usual and known channels, in the hopes of acquiring actionable Intel. Whether that has actually happened is another debate. Either way, this sort of intrusive surveillance had been going on for years - anyone with an understanding of the infrastructures bolstering our communication and government apparatus knows this. All that has changed is the capability to hoover up Intel, and analyse it in pseudo real time (weeks not months etc). Sadly, with all this mechanical prowess, we're still rendered powerless to act, as the Intel is after the fact, when considering the French tragedies, and all the rest. Going back down the years.
  • I understand the warrant issue, that's why I say we should have something, some criteria in place so orgs don't have to embarrass themselves and the countries they represent. Akin to the "patriot act."
  • Good point. I live in the UK and here was passed anti terrorism legislation, after attacks in 2007, that allow for swift ordered, secret warrants and courts, and the legislation compels companies to divulge and collaborate vis-à-vis Intel. Gemalto being based in Denmark (did I get that right) means they are subject to their Danish laws and the laws of the EU. If the UK or America or Russia or China or anyone else wants anything they have to ask. Most likely they'll get the help they need, and remember that Interpol and Europol exist, and EU members specifically do share Intel. It's just easier not to ask.
  • Gemalto is headquartered in Amsterdam, right around the corner, both being land bordered by Germany. Regarding the terrorism legislation, I can only assume, being from the us and not local to you, that the legislation played a part in the crackdown on terrorism over the summer. The primary bullet point being that cooperation can work. Of course, it would be naive to say no clandestine intelligence operations are needed or necessary, but I think seldom would be the need for a massive catch-all on the scale what seems to have been attempted at Gemalto is necessary..nice to talk to someone reasonable, btw.
  • I bet this is only the tip of the iceberg :) Probably they have been hacked at least a score more times. Probably many agencies have been there as well. Just the NSA have not been clever enough (or cared enough) to cover their tracks...
  • Sounds like a bunch of bs to me... First thing state sponsored hackers would do is find a way into the secure network which has their target. They can shut down air gapped uranium enrichment machines but can't get to your "secure" network? Pay off one employee and they are in.
  • True. Or not pay any money at all, just use said employee without their knowledge.
  • Crazier things have succeeded.
    ..
    Add on: Things like this intrigue me, particularly during times of war, which it seems the U.S. is on at some level at most any point in time..I think one does need to have a state of vigilance. The point I'm trying to get at is how things have changed dramatically since the great wars (poor Alan Turing and so many others who did so much for their country simply cause they could) and technology seems to exacerbate the problem of Intel gathering rather than easing it, idk, I'm no expert, but most of us have a level head and the media just tosses so many secrets, or things that should be secret out there to the world that it's not too difficult to at least gauge how things go.
  • Aye it is good to have a reasonable discussion ;) Re this whole debacle - well the updated news goes in line with what was discussed above: There is nothing else they can say, considering their business is built on trust. And the legislators and agencies are always going to play catch up with technology. So they now scoop everything up in order to preempt. How well it's working..
    Can't say ;)
  • Did I just read, don't worry we use sftp? Lol
  • And if there was an attack by NSA & GCHQ, successful or otherwise, then let's start seeing some prosecutions of the scumbags and some serious prison sentences handed out.
  • Android monitors all your personal data and uses it to make money. Yet the blind still use Android and Google spyware, it's not like they are protecting the country, just making money.
  • Makes me smile when I see "posted via Windows Central app for Android"
  • Lol that made my day! xD
  • Haha - has '2TomTom' edited their original comment to remove that 'posted via Android' signature?!! The irony :)
  • No, non Android user. I think it was a general comment, unless the original comment had this, idk? Edit: I had an Android tablet a couple of years ago but after the 12 step Android Free course been free since :)
  • No, tom tom didn't do anything. I was just saying...as the saying goes.
  • Do you mean 12 step like a 12 step program for addiction? If so, that's funny right there
  • Lol. Irony indeed.
  • Can.Not.Understand.
  • Well, what do you expect from that company, it won't shoot itself...Trust is a fragile thing...and it's broken....
  • They're saying what they've been told to say at the end of the day.
  • Seems legit.
  • Clearly I'm not going to get into the specifics of allegations. But the point I would make is, we fully comply with the law - Michael Rogers No more questions, your Honor.
  • The saddest part about this is that it's just another news story... The govts took the road of "do everything, all of the time and it will become so commonplace that no one will care" and it worked.
  • Lol "probably happened"
  • That's an example how the governments are still having a cold war, but in cyberspace resulting issues like privacy concerns.
  • Both these agencies have proven they can traverse an air gapped network which is what they're describing.
  • Yeah I remember reading that it's pretty hard to clone 2nd gen sim cards
  • Everything is a lie... how can someone believe this company? we don't know if it is true or not. But they even admit there was a breach, so I am sure they just don't want to say the full truth. or you know, US government probably already told them what to say, if not US will kill them or their families or something. apparently the ones making wars against other countries and moving troops are US anyway. ;) ^______^
  • If everything is a lie then so is your comment and I therefore don't believe you!
  • "everything is a lie"
    "we don't know if it's the truth or not"
    ------
    You do seem confused!
  • GCHQ? Batman is somehow involved?