Gemalto: Government Hack Happened, but SIM Cards Secure
- Wednesday, February 25th, 2015
- Share this article:
Following accusations last week that US and UK intelligence agencies attempted to steal its SIM card encryption keys, chip manufacturer Gemalto has released the results of its own investigation, concluding that while the hack probably happened, its SIM cards are secure.
The hack was first alleged by Intercept, based on information contained in documents provided by NSA whistleblower Edward Snowden. The operation was supposedly carried out by the NSA and Britains GCHQ in an attempt to access the encryption keys used to secure transmissions between phones and networks.
Among Gemaltos clients who would have been affected by the hack, had it been successful, are AT&T, Verizon, Sprint and T-Mobile US, as well as 450 other mobile network providers around the world.
According to Gemaltos review of the attacks in 2010 and 2011, it has concluded that only its office networks were breached, which could not have resulted in the massive theft of SIM encryption codes originally feared
The review does note that attacks detected during the period when the government operation supposedly took place were particularly sophisticated intrusions”, and while it wasnt able to identify the perpetrators, it does “now think that they could be related to the NSA and GCHQ operation”.
The operation aimed to intercept the encryption keys as they were exchanged between mobile network operators and their suppliers around the globe. However, by 2010 Gemalto had already deployed a secure transfer system and only a few rare exceptions would have been vulnerable to theft.
Gemalto also emphasised that only 2G mobile networks would have been vulnerable following an encryption key theft, as 3G and 4G technology introduced proprietary algorithms as an extra level of security. However, operators in many of the countries targeted by the operation were still making use of 2G networks in 2010, especially in emerging markets.
Gemaltos statement on the operations noted that “we are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organisations. And, we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion.
“In todays world, any organisation could be subject to a cyber-attack. Therefore, it has never been more important to follow security best practices and adopt the most recent technologies. These include advanced data encryption, so that even if networks are breached, third parties cannot access any of the stolen information.”