HAGUE
A Dutch SIM card company, Gemalto, confirmed Wednesday that its SIM card encryption keys were compromised by U.S. and U.K. intelligence agencies.
"Investigations into the alleged hacking of SIM card encryption keys, and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by Britain's Government Communications Headquarters (GCHQ) and the U.S. National Security Agency (NSA) probably happened," the Amsterdam-based company said in a press release.
The findings follow a thorough investigation conducted by the company in the aftermath of a report last Thursday by an online news website, The Intercept, which was given access to top-secret documents by NSA whistleblower Edward Snowden.
The website had claimed that the NSA and GCHQ hacked into Gemalto's network in an attempt to steal encryption keys used to secure and protect the privacy of the company's SIM cards.
Gemalto said these claims were fully investigated, based on both "the purported NSA and GCHQ documents which were made public by this website, and our internal monitoring tools and their past records of attempts of attacks."
The "serious and sophisticated" attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys, the company said.
Noting that the operation by U.S. and U.K. intelligence services aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally, Gemalto said, by 2010, it had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft.
"In the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks," the company said, adding that 3G and 4G networks were not vulnerable to this type of attack.
The Intercept, however, noted that the intelligence agencies have a work around to deal with 3G and 4G network keys. It said that if required government agencies could jam a 3G or 4G network, forcing phones onto 2G. “Once forced down to the less secure 2G technology, the phone can be tricked into connecting to a fake cell tower operated by an intelligence agency,” The Intercept said in its report Thursday.
Gemalto also stressed that nothing was detected in other parts of its network, and none of its other products were impacted by this attack.
According to The Intercept report, Gemalto produces around two billion SIM cards a year.
“With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted,” the report added.
