The mobile SIM card vendor that was reportedly hacked by the National Security Agency and the UK's GCHQ in order to spy on mobile communications unfettered, today acknowledged that the spy agency hacks likely occurred, but only affected its office networks and didn't lead to the widespread theft of its coveted SIM encryption keys.
Gemalto, based in Amsterdam, announced findings from its own investigation into the latest round of NSA/GCHQ documents leaked by Edward Snowden. The Intercept last week reported that documents it obtained from Snowden showed an NSA-GCHQ project to hack Gemalto and steal its SIM encryption keys used to scramble mobile voice and text communications for privacy. The $2.7 billion Gemalto supplies SIM chips to AT&T, Verizon, Sprint, T-Mobile, and some 400 wireless providers worldwide; its chips also are used in bank cards, passports, and identity cards.
The stolen keys would give the spy agencies the ability to surreptitiously intercept and monitor wireless conversations and communications without a wiretap warrant, and to decrypt any communications protected by the SIM cards. SIM encryption keys allow mobile carriers to authenticate a mobile device on their network, and Gemalto and other SIM vendors give carriers a copy of those keys.
Gemalto, which was careful to say it is not confirming the report by The Intercept, said it studied logs and documentation surrounding two "sophisticated" attacks it discovered against its network in 2010 and 2011, the timeframes in question as reported by The Intercept. The attacks "gave us reasonable grounds to believe that an operation by NSA and GCHQ probably happened," the company said today.
"At the time we were unable to identify the perpetrators, but we now think that they could be related to the NSA and GCHQ operation," Gemalto said. "These intrusions only affected the outer parts of our networks – our office networks - which are in contact with the outside world. The SIM encryption keys, and other customer data in general, are not stored on these networks."
Gemalto said it's network architecture is layered and segmented such that data is isolated and "clustered."
But renowed security expert Bruce Schneier dismissed Gemalto's assessment, saying there's no way Gemalto realistically can be confident of its findings. Schneier says it appears to be more of a PR move to "salvage a very bad situation."
"It makes no sense that in a couple of days they are anything resembling confident that the NSA didn't break their security. An NSA attack would be undetectable," Schneier says. Plus, it takes weeks to fully investigate attacks, not days, says Schneier, who is CTO of Co3 Systems.
Schneier says Gemalto's effort to assuage concerns "is a shame, because it's not their fault. Their security is not up to the NSA and there's no reason it should be," he says.
The leaked documents reportedly reveal how the NSA assisted the GCHQ to tap into the communications of Gemalto employees, for example, and the initiative included the UK spy agency placing malware on Gemalto's networks for remote access to the SIM card vendors' systems.
The Attacks on Gemalto
In June of 2010, Gemalto detected "suspicious activity" at one of its French sites: someone was trying to spy on the corporate network there. "Action was immediately taken to counter the threat," Gemalto said.
In July of that year, Gemalto's security team spotted emails sent to one of its mobile operator customers that spoofed real Gemalto email addresses. "The fake emails contained an attachment that could download malicious code. We immediately informed the customer and also notified the relevant authorities both of the incident itself and the type of malware used," the company said.
Attackers also tried to gain access to the PCs of Gemalto employees who work closely with its customers. "While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks."
Gemalto says by 2010, it had configured a "secure transfer system" between the company and its customers, so any theft of information would be "only rare exceptions." And if such a theft had transpired, the company said, it would only affect 2G mobile networks, anyway, since 3G and 4G are not vulnerable to such an attack. "None of our other products were impacted by this attack," Gemalto said.
"It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks, explains why the intelligence services instead chose to target the data as it was transmitted between suppliers and mobile operators, as explained in the documents," Gemalto said in its report.
Gemalto pointed out that it wasn't the sole target of the NSA and GCHQ noted in the leaked documents, and that among the mobile operators listed in the documents, it supplies SIM cards to eight of the 12 providers. The company also disputed other elements of the documents, including claims that it had SIM card personalization centers in Japan, Colombia, and Italy during that time period.
"We are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organizations. And, we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion," the company said in its report.
Encrypting data in storage as well as in transit is the best defense, Gemalto says, as well as employing the latest SIM card technology and custom algorithms for its mobile operator.