Dark Reading is part of the Informa Tech Division of Informa PLC


2/25/2015
11:30 AM
Gemalto: NSA, GCHQ May Have Been Behind Breaches It Suffered In 2010 And 2011

But the 'sophisticated' attacks hit only Gemalto office networks and did not amount to a 'massive theft' of SIM crypto keys, the vendor says; such an attack, if waged, would only affect 2G networks, not 3G or 4G.

The mobile SIM card vendor that was reportedly hacked by the National Security Agency and the UK's GCHQ so the agencies could spy on mobile communications without restriction today acknowledged that the spy agency hacks likely occurred, but said they only affected its office networks and did not lead to the widespread theft of its coveted SIM encryption keys.

Gemalto, based in Amsterdam, announced findings from its own investigation into the latest round of NSA/GCHQ documents leaked by Edward Snowden. The Intercept last week reported that documents it obtained from Snowden showed an NSA-GCHQ project to hack Gemalto and steal the SIM encryption keys used to scramble mobile voice and text communications for privacy. Gemalto, a $2.7 billion company, supplies SIM chips to AT&T, Verizon, Sprint, T-Mobile, and some 400 wireless providers worldwide; its chips also are used in bank cards, passports, and identity cards.

The stolen keys would give the spy agencies the ability to surreptitiously intercept and monitor wireless conversations and communications without a wiretap warrant, and to decrypt any communications protected by the SIM cards. SIM encryption keys allow mobile carriers to authenticate a mobile device on their network, and Gemalto and other SIM vendors give carriers a copy of those keys.
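The key mechanics described above, as an added toy model that is not Gemalto's, any carrier's, or the article's own code: it assumes HMAC-SHA256 as a stand-in for the SIM's A3/A8 algorithms, a SHA-256 counter keystream as a stand-in for a real cipher, and constructed IMSI and key values. It shows that any holder of a copy of the per-subscriber key Ki who observes the network's challenge derives the same session key as the SIM and the carrier, which is why the key copies handed to carriers and shipped between supplier and operator are as sensitive as the SIM itself, and it contrasts a key file delivered in the clear with one wrapped under a transport key.

```python
import hashlib
import hmac
import secrets

# Added toy model, not Gemalto's or any carrier's code. A GSM-style SIM and the
# carrier's authentication centre share a long-term per-subscriber key Ki; the
# supplier ships the carrier its copy. HMAC-SHA256 stands in for the SIM's real
# A3/A8 algorithms, and a SHA-256 counter keystream stands in for a real cipher.


def derive_sres_kc(ki, rand):
    """Stand-in for A3/A8: (Ki, RAND) -> (SRES, Kc). Deterministic, so every
    holder of Ki who sees RAND computes the same 4-byte SRES and 8-byte Kc."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with a SHA-256 counter keystream. Illustration
    only; a real transfer system would use an authenticated cipher such as AES-GCM."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def carrier_authenticate(carrier_ki_copy, sim_ki, rand=None):
    """Carrier challenges the SIM with RAND; both sides derive SRES and Kc.
    Returns (authenticated, rand, kc_carrier)."""
    if rand is None:
        rand = secrets.token_bytes(16)
    sres_sim, _kc_sim = derive_sres_kc(sim_ki, rand)          # computed inside the SIM
    sres_net, kc_net = derive_sres_kc(carrier_ki_copy, rand)  # computed at the carrier
    return hmac.compare_digest(sres_sim, sres_net), rand, kc_net


def kc_from_key_copy(ki_copy, observed_rand):
    """Any holder of a Ki copy who observes RAND derives the session key Kc. This is
    why a stolen key file is as damaging as the article describes: no further
    break-in is needed to read traffic protected under that Kc."""
    return derive_sres_kc(ki_copy, observed_rand)[1]


def ship_keys(ki_batch, transport_key=None):
    """Supplier -> operator delivery of a batch {imsi: ki}. With transport_key=None
    the file carries each Ki in the clear (the weak practice the article points at);
    otherwise each Ki is wrapped under a fresh nonce so a captured file does not
    yield Ki without the transport key."""
    shipment = {}
    for imsi, ki in ki_batch.items():
        if transport_key is None:
            shipment[imsi] = ki
        else:
            nonce = secrets.token_bytes(12)
            shipment[imsi] = nonce + keystream_xor(transport_key, nonce, ki)
    return shipment


def unwrap_shipment(shipment, transport_key):
    """Operator side: recover {imsi: ki} from a wrapped shipment."""
    return {imsi: keystream_xor(transport_key, blob[:12], blob[12:])
            for imsi, blob in shipment.items()}


def demo():
    # Constructed sample values (not real subscriber data).
    imsi = "001010123456789"
    sim_ki = bytes.fromhex("0123456789abcdef0123456789abcdef")
    ok, rand, kc = carrier_authenticate(sim_ki, sim_ki)
    clear = ship_keys({imsi: sim_ki})
    wrapped = ship_keys({imsi: sim_ki}, transport_key=secrets.token_bytes(32))
    return {
        "authenticated": ok,
        "kc_matches_from_copy": kc == kc_from_key_copy(sim_ki, rand),
        "clear_file_exposes_ki": clear[imsi] == sim_ki,
        "wrapped_file_exposes_ki": wrapped[imsi] == sim_ki,
    }


if __name__ == "__main__":
    print(demo())
```

The defensive point is in `ship_keys`: the authentication itself cannot be changed without replacing the SIMs, so the only controls left to the supplier and carrier are custody of the Ki copies, which means encrypting the key file in transit and at rest rather than relying on network segmentation alone.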

Gemalto, which was careful to say it is not confirming the report by The Intercept, said it studied logs and documentation surrounding two "sophisticated" attacks it discovered against its network in 2010 and 2011, the timeframes in question as reported by The Intercept. The attacks "gave us reasonable grounds to believe that an operation by NSA and GCHQ probably happened," the company said today.

"At the time we were unable to identify the perpetrators, but we now think that they could be related to the NSA and GCHQ operation," Gemalto said. "These intrusions only affected the outer parts of our networks, our office networks, which are in contact with the outside world. The SIM encryption keys, and other customer data in general, are not stored on these networks."

Gemalto said its network architecture is layered and segmented such that data is isolated and "clustered."

But renowned security expert Bruce Schneier dismissed Gemalto's assessment, saying there is no way Gemalto can realistically be confident of its findings. Schneier says it appears to be more of a PR move to "salvage a very bad situation."

"It makes no sense that in a couple of days they are anything resembling confident that the NSA didn't break their security. An NSA attack would be undetectable," Schneier says. Plus, it takes weeks to fully investigate attacks, not days, says Schneier, who is CTO of Co3 Systems.

Schneier says Gemalto's effort to assuage concerns "is a shame, because it's not their fault. Their security is not up to the NSA and there's no reason it should be," he says.

The leaked documents reportedly reveal how the NSA assisted the GCHQ in tapping into the communications of Gemalto employees, for example, and the initiative included the UK spy agency placing malware on Gemalto's networks for remote access to the SIM card vendor's systems.

The Attacks on Gemalto

In June of 2010, Gemalto detected "suspicious activity" at one of its French sites: someone was trying to spy on the corporate network there. "Action was immediately taken to counter the threat," Gemalto said.

In July of that year, Gemalto's security team spotted emails sent to one of its mobile operator customers that spoofed real Gemalto email addresses. "The fake emails contained an attachment that could download malicious code. We immediately informed the customer and also notified the relevant authorities both of the incident itself and the type of malware used," the company said.

Attackers also tried to gain access to the PCs of Gemalto employees who work closely with its customers. "While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks."

Gemalto says that by 2010 it had configured a "secure transfer system" between the company and its customers, so that any theft of information would have been limited to "only rare exceptions." And if such a theft had transpired, the company said, it would only affect 2G mobile networks anyway, since 3G and 4G are not vulnerable to such an attack. "None of our other products were impacted by this attack," Gemalto said.

"It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks, explains why the intelligence services instead chose to target the data as it was transmitted between suppliers and mobile operators, as explained in the documents," Gemalto said in its report.

Gemalto pointed out that it was not the sole target of the NSA and GCHQ noted in the leaked documents, and that among the mobile operators listed in the documents, it supplies SIM cards to eight of the 12 providers. The company also disputed other elements of the documents, including claims that it had SIM card personalization centers in Japan, Colombia, and Italy during that time period.

"We are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organizations. And, we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion," the company said in its report.

Encrypting data in storage as well as in transit is the best defense, Gemalto says, along with employing the latest SIM card technology and custom algorithms for its mobile operator customers.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
Comments
Pablo Valerio,
User Rank: Strategist
2/26/2015 | 11:24:45 AM
Re: it would only affect 2G mobile networks?
@Kelly, if there is a strong belief that the keys are compromised they could start replacing the SIM cards, but that could be really expensive.

Some users could ask for a replacement if they have SIM cards issued during 2010-2012; it costs around $4 each.

I would also recommend forcing the phones to stay in 3G/4G mode, which usually works well in most areas. I remember that AT&T was talking about phasing out their 2G networks by 2016.
Kelly Jackson Higgins,
User Rank: Strategist
2/25/2015 | 5:44:48 PM
Re: it would only affect 2G mobile networks?
@Pablo--Thank you for sharing this. The forced 2G tactic is very interesting, indeed. I agree with Bruce Schneier that there is a lot more here than their postmortem, and they were in a tough situation here. The question is how do these companies and carriers react security-wise now.
Pablo Valerio,
User Rank: Strategist
2/25/2015 | 4:58:40 PM
it would only affect 2G mobile networks?
@Kelly, I know people working for Gemalto. I believe it is a great company and they take security seriously. But their claim that users are secured using 3G or 4G networks is not entirely true.

One method mentioned in The Intercept article is to force users to drop down to 2G networks by overloading the 3G service. Most mobile devices are configured to switch to 2G when the 3G/4G service is not reliable. And the switch happens without the user's knowledge.

I do believe Gemalto is now taking precautions to deliver the keys securely, but that was probably not the case a few years ago. The carriers receiving the SIM cards and keys are also to blame.

The fact that they decided not to file charges is a bit strange. At least they could ask the French and Dutch governments, or the EU commission, to launch a probe.

I'm sure this topic will be present next week at the MWC here in Barcelona... We'll see