Gemalto confirms hack on network, but says it didn't result in massive theft of SIM card keys
Gemalto, the world’s largest producer of SIM cards, which reportedly had its encryption keys stolen by the NSA and GCHQ spying agencies, announced today that its network was hacked, but that the hack didn’t result in a massive theft of the keys used to encrypt conversations, messages and data traffic. The company says it reached this conclusion after a thorough investigation.
The Netherlands-based SIM manufacturer says that it noted sophisticated attacks on its networks between 2010 and 2011 that appear to have been carried out by the aforementioned intelligence agencies. But the company notes that the agencies couldn’t get in far enough to get access to SIM encryption keys.
"Investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened", the company writes in a blog post. "While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network".
"No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks," the company adds. Therefore the hack attacks "could not have resulted in a massive theft of SIM encryption keys", the company concludes.
Gemalto further notes that even if spooks had managed to get deeper access to the encryption keys, it would not have affected people on 3G and 4G networks, as these networks are not vulnerable to this type of attack. People on the 2G network could have been affected, however. But Gemalto claims that most people have already switched to faster networks.
Last week The Intercept reported that the United States' NSA and Great Britain's GCHQ had hacked Gemalto's network and stolen the encryption keys to SIM cards. This allowed them to eavesdrop directly on a user’s mobile handset and access data without the need to get permission for wiretapping, the report added.
Gemalto has a vast presence across the world. The company partners with more than 450 mobile operators in 80 nations and produces more than 2 billion SIM cards every year. Your smartphone and tablet are likely carrying a SIM card produced by it.
Would you trust a company that denied any prior knowledge of the attack just a week ago, and said that it hadn’t observed any suspicious activity over the years, but that announces today not only that it noted it was hacked, but also that its products are secure? What are your thoughts on this? Share them with us in the comments below.