
Gemalto Confirms Hack, Downplays Damage

SIM-maker Gemalto says yes, it was hacked by GCHQ and NSA. But not that badly…

Last week, leaks from NSA whistleblower Edward Snowden revealed what appeared to be a major hacking operation against the world’s largest SIM card manufacturer, orchestrated by the NSA and UK’s GCHQ intelligence agencies in 2010 and 2011.

According to a report in The Intercept, Gemalto, whose customers include 450 mobile telecom operators around the globe, was hacked in a sophisticated attack, in order to steal encryption keys “to monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments.”


Such a hack, if true, sounds deeply troubling. Gemalto manufactures two billion SIM cards a year, and the theft of encryption keys would potentially allow intelligence agencies to decrypt cell phone signals and intercept communications.

But today, Gemalto – which also produces ID chips for passports and other technologies – provided details to the press about its investigation into the alleged hacking, concluding that it believed its SIM cards were secure.

Yes, Gemalto says, it has “reasonable grounds to believe that an operation by NSA and GCHQ probably happened”. But it hasn’t found any evidence which makes it think that there was a massive theft of encryption keys.

Gemalto claims that its IT team noticed suspicious activity at one of its French sites in June 2010, caused by a “third party” trying to spy on the office network. Gemalto says that action was immediately taken to counter the threat.

The following month, July 2010, another security issue was identified by Gemalto’s security team, after forged emails were sent to one of its mobile operator customers, pretending to come from Gemalto. The emails contained a malicious attachment designed to infect the operator.

In parallel, Gemalto’s security team says it identified several attempts by hackers to access the PCs of staff who had regular contact with customers.

Gemalto says that although the attacks were serious, they would not have resulted in hackers gaining access to SIM encryption keys or customer data:

At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation. These intrusions only affected the outer parts of our networks – our office networks – which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.

While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.

Furthermore, says Gemalto, any NSA/GCHQ plan to intercept encryption keys as they were exchanged between mobile operators and suppliers would have failed as, by 2010, it had “widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft.”

Even if keys had been stolen, says Gemalto, the intelligence services would have a tough time spying on 3G and 4G communication networks as the attack appeared to only be a concern to older 2G mobile networks.


Gemalto went on to describe what it believed were discrepancies in the report published by The Intercept, suggesting that the reporting may contain inaccuracies and possibly indicating that another SIM manufacturer was being targeted by intelligence agencies:

* Gemalto has never sold SIM cards to four of the twelve operators listed in the documents, in particular to the Somali carrier where a reported 300,000 keys were stolen.

* A list claiming to represent the locations of our personalization centers shows SIM card personalization centers in Japan, Colombia and Italy. However, we did not operate personalization centers in these countries at the time.

* Table 2 indicates that only 2% of the exchanges of encryption keys (38/1719) came from SIM suppliers and states that the use of strong encryption methods by SIM suppliers means that the other groups (98%) are much more vulnerable to these types of attacks.

Of course, Gemalto may be the largest supplier of SIM cards – but it’s far from the only one. Even if Gemalto is correct in its claims, it’s always possible that other SIM manufacturers were targeted by the NSA and GCHQ, and spilt some of their secrets.

The company says it plans to improve its security, and continue to monitor its networks for hackers. However, unless there are any further developments, it has no plans to make further comments on the matter.

You do have to wonder, of course, how the US and UK governments would be reacting right now if, say, China or North Korea, was being blamed for hacking a Western SIM manufacturer rather than the finger of blame pointing to GCHQ and the NSA.

To read what Gemalto has to say about the report from The Intercept in fuller detail, <a href="http://www.gemalto.com/press/Pages/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx" rel="nofollow" title="Link to Gemalto statement">visit their website</a>.

Let’s hope that Gemalto is right, and that it has managed to uncover everything bad that was happening on its network during 2010 and 2011. After all, a sophisticated state-sponsored attack might be difficult to detect at the time, and even harder to determine that it never happened when you go looking years later.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

3 Comments


  • Interesting read Graham, as always.

    The link to the Gemalto report at the end of your article is broken. I suspect a missing “>” on the HTML tag.

  • The link has a markup error and so it isn’t a link, just as a note (quickly looking at the source it seems that there is no proper anchor opening but instead the left angle bracket seems to be escaped as if to display it directly).

    Otherwise, yes, it is indeed interesting, what you suggest. It is hypocrisy and ludicrous yet it is all that is expected. It is okay as long as they do it to others and only if it ‘serves the safety of others’ (which isn’t all that accurate i.e it is a lie, a dangerous lie at that because it is the opposite, often). To then cry foul play and play ‘innocent’ when they are attacked is rather ignoring that they add much fuel to the fire themselves.