Gemalto says NSA, GCHQ probably hacked internal network but SIM encryption keys safe

Following last week’s revelations claiming security company Gemalto’s mobile SIM card encryption keys were hacked by US and UK security services, the firm has said its own investigation into the matter shows a breach probably did happen. However, apparently only its office network was intruded and the attack could not have led to a massive encryption key theft as originally suggested by the report last week.

Gemalto claimed at the time of the assumed attack in 2010 by the UK Government Communications Headquarters (GCHQ) and US National Security Agency (NSA), it already had such systems in place that would have prevented a large-scale SIM encryption key theft, apparently the aim of the operation. Further, according to the firm, such a theft would only enable the spying of 2G networks, not 3G or 4G, which it claimed is due to a general vulnerability in the second generation technology that doesn’t exist in the following generations.

The vendor said as a security company it regularly comes under attacks, most unsuccessful, and in 2010 and 2011 it had detected two particularly sophisticated attacks. “If we look back at the period covered by the documents from the NSA and GCHQ, we can confirm that we experienced many attacks,” Gemalto said in a statement.

“In particular, in 2010 and 2011, we detected two particularly sophisticated intrusions which could be related to the operation. In June 2010, we noticed suspicious activity in one of our French sites where a third party was trying to spy on the office network. By office network we mean the one used by employees to communicate with each other and the outside world. Action was immediately taken to counter the threat.”

Gemalto also admitted having detected other attempted attacks during the same period but claimed albeit serious, none had resulted in breaches in other parts of its network. “No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.”

The company said it has recommended operators to take extra measures to protect customers form the known weakness in 2G technology and claimed some have not taken the advice based on costs. But it said security in 3G and 4G technologies is of much higher standard, and claimed its operator customers embed custom algorithms in the SIM cards, which it claimed makes it harder for anyone to conduct mass surveillance on a global scale.

Even so, the vendor admitted state security services are potentially on a different level when it comes to sophisticated attacks. “Nevertheless, we are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organisations. And, we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion.”

Although Gemalto’s reassurances seem at least somewhat comforting, its focus on the fact that only 2G networks could have been spied on still poses an awkward dilemma. The company itself reiterates 2G is mostly only used in pre-paid SIMs in regions such as the Middle East and the developing world- areas which probably would interest the British and US intelligence agencies. Of course, Gemalto maintains no massive theft of its encryption keys occurred whatsoever, but this development has probably made operators and consumers alike feel slightly uneasy.