Gemalto denies 'massive theft' of SIM card encryption keys by NSA and GCHQ [updated]

Update: A new report in The Intercept claims that Gemalto is drastically downplaying the effects of this attack. In the report, several security researchers came to the conclusion that "the company made sweeping, overly-optimistic statements about the security and stability of Gemalto's networks, and dramatically underplayed the significance of the NSA-GCHQ targeting of the company and its employees."

Original story: Digital security vendor Gemalto revealed its findings today following last week's report of an incursion by the NSA and the GCHQ into the vendor's SIM card encryption keys. While Gemalto noted that an operation by NSA and GCHQ "probably happened" in 2010 and 2011, the intrusion could not have resulted in a "massive theft" of SIM card encryption keys as the breach affected the company's office network and not its secure networks.

Gemalto mentioned that the SIM card encryption keys were not stored in the networks that were breached:

These intrusions only affected the outer parts of our networks – our office networks - which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.

Access to the keys would have allowed the US and UK government agencies the ability to listen in on phone conversations and install malware on any Gemalto-issued SIM card. With an annual production of 2 billion SIM cards and association with most major carriers in the world including US carriers such as AT&T, Sprint, and Verizon, any security breach at the vendor would have global consequences. Here's what Gemalto found in its investigation into the hack:

  • ​​​​The investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened
  • The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys
  • The operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally. By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft
  • In the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack
  • None of our other products were impacted by this attack
  • The best counter-measures to these type of attacks are the systematic encryption of data when stored and in transit, the use of the latest SIM cards and customized algorithms for each operator

According to Gemalto, even if the SIM card encryption keys were stolen, it would have resulted in the US and UK intelligence networks spying on 2G networks, making most users in developed countries prone to intrusion by covert agencies. However, The Intercept – the publication that first broke the news of the hack – noted that the target countries for the NSA and GCHQ's spying activities included Afghanistan, Iceland, India, Iran, Pakistan, Serbia, Somalia, Serbia,Tajikistan and Yemen, where 2G networks are still the norm. Gemalto stated that its secure data transfer system was in use at that time, which would have deterred hackers from gaining access to the encryption keys.

Head to the link below to read all of Gemalto's findings.

Source: Gemalto

Harish Jonnalagadda
Senior Editor - Asia

Harish Jonnalagadda is Android Central's Senior Editor of Asia. In his current role, he oversees the site's coverage of Chinese phone brands, networking products, and AV gear. He has been testing phones for over a decade, and has extensive experience in mobile hardware and the global semiconductor industry. Contact him on Twitter at @chunkynerd.