Gemalto says NSA, GCHQ probably hacked internal network but SIM encryption keys safe

Following last week’s revelations claiming security company Gemalto’s mobile SIM card encryption keys were hacked by US and UK security services, the firm has said its own investigation into the matter shows a breach probably did happen. However, apparently only its office network was intruded upon, and the attack could not have led to a massive encryption key theft as originally suggested by the report last week.

Gemalto claimed that at the time of the assumed attack in 2010 by the UK Government Communications Headquarters (GCHQ) and US National Security Agency (NSA), it already had systems in place that would have prevented a large-scale SIM encryption key theft, apparently the aim of the operation. Further, according to the firm, such a theft would only enable spying on 2G networks, not 3G or 4G, which it claimed is due to a general vulnerability in the second-generation technology that doesn’t exist in the following generations.

The vendor said that, as a security company, it regularly comes under attack, with most attempts unsuccessful, and that in 2010 and 2011 it had detected two particularly sophisticated attacks. “If we look back at the period covered by the documents from the NSA and GCHQ, we can confirm that we experienced many attacks,” Gemalto said in a statement.

“In particular, in 2010 and 2011, we detected two particularly sophisticated intrusions which could be related to the operation. In June 2010, we noticed suspicious activity in one of our French sites where a third party was trying to spy on the office network. By office network we mean the one used by employees to communicate with each other and the outside world. Action was immediately taken to counter the threat.”

Gemalto also admitted having detected other attempted attacks during the same period but claimed that, although serious, none had resulted in breaches in other parts of its network. “No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.”

The company said it has recommended that operators take extra measures to protect customers from the known weakness in 2G technology and claimed some have not taken the advice because of costs. But it said security in 3G and 4G technologies is of a much higher standard, and claimed its operator customers embed custom algorithms in the SIM cards, which it claimed makes it harder for anyone to conduct mass surveillance on a global scale.

Even so, the vendor admitted state security services are potentially on a different level when it comes to sophisticated attacks. “Nevertheless, we are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organisations. And, we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion.”

Although Gemalto’s reassurances seem at least somewhat comforting, its focus on the fact that only 2G networks could have been spied on still poses an awkward dilemma. The company itself reiterates that 2G is mostly only used in pre-paid SIMs in regions such as the Middle East and the developing world, areas which probably would interest the British and US intelligence agencies. Of course, Gemalto maintains no massive theft of its encryption keys occurred whatsoever, but this development has probably made operators and consumers alike feel slightly uneasy.


  1. Neal McQuaid 27/02/2015 @ 5:34 pm

    The Intercept was the original site to report the issue, and has issued a response with significant security expert skepticism:
    The Intercept itself has already denied Gemalto’s statement. In a piece entitled “Gemalto doesn’t know what it doesn’t know,” the outlet talks to security experts about Gemalto’s new claims to outline the large amount of industry skepticism. “Gemalto learned about this five-year-old hack by GCHQ when The Intercept called them up for a comment last week,” Christopher Soghoian, the chief technologist at the American Civil Liberties Union, told the site. “That doesn’t sound like they’re on top of things, and it certainly suggests they don’t have the in-house capability to detect and thwart sophisticated state-sponsored attacks.”
    Johns Hopkins cryptography expert Matthew Green went so far as to call Gemalto’s effort “not an investigation at all.” And he strongly dismissed Gemalto’s claims about 3G and 4G networks when talking with The Intercept. “I think you could make that statement against some gang of Internet hackers, but you don’t get to make it against nation state adversaries. It simply doesn’t have a place in the conversation,” he told the site. “They are saying that NSA/GCHQ could not have breached those technologies due to ‘additional encryption’ mechanisms that they don’t specify, and yet here we have evidence that GCHQ and NSA were actively compromising encryption keys.”
