Gemalto Confirms It Was Hacked But Insists the NSA Didn't Get Its Crypto Keys

Posted: February 26, 2015 at 11:48 am

Gemalto, the Dutch maker of billions of mobile phone SIM cards, confirmed this morning that it was the target of attacks in 2010 and 2011, attacks likely perpetrated by the NSA and British spy agency GCHQ. But even as the company confirmed the hacks, it downplayed their significance, insisting that the attackers failed to get inside the network where cryptographic keys are stored that protect mobile communications.

Gemalto came to this conclusion after just a weeklong investigation following a news report that the NSA and GCHQ had hacked into the firm's network in 2011. The news was reported by The Intercept last week, which said the agencies had gained access to a huge cache of the cryptographic keys used with its SIM cards.

"The investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened," Gemalto wrote in a press release on Wednesday. But, the company said, "The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys."

Many in the information security community ridiculed Gemalto for asserting this after such a short investigation, particularly since the NSA has been known to deploy malware and techniques capable of completely erasing any signs of an intrusion after the fact to thwart forensic discovery of a breach.

"Very impressive, Gemalto had no idea of any attacks in 2010, one week ago. Now they know exactly what happened," French developer and security researcher Matt Suiche wrote on Twitter.

Chris Soghoian, chief technologist for the American Civil Liberties Union, had the same reaction.

"Gemalto, a company that operates in 85 countries, has figured out how to do a thorough security audit of their systems in 6 days. Remarkable," he tweeted.

The Intercept alleged in its story that the spy agencies had targeted employees of the Dutch firm, reading their siphoned emails and scouring their Facebook posts to obtain information that would let them hack employee machines. Once on Gemalto's network, The Intercept reported, the spy agencies planted backdoors and other tools to give them a persistent foothold. "We believe we have their entire network," boasted the author of a government PowerPoint slide that was leaked by Snowden to journalist Glenn Greenwald.

If true, this would be a damning breach. Gemalto is one of the leading makers of SIM cards; its cards are used in part to help secure the communications of billions of customers' phones around the world on AT&T, T-Mobile, Verizon, Sprint and more than 400 other wireless carriers in 85 countries. Stealing the crypto keys would allow the spy agencies to wiretap and decipher encrypted phone communications between mobile handsets and cell towers without the assistance of telecom carriers or the oversight of a court or government.

Edward Snowden criticized the agencies for the hack in an Ask Me Anything session for Reddit on Monday. "When the NSA and GCHQ compromised the security of potentially billions of phones (3g/4g encryption relies on the shared secret resident on the sim)," Snowden wrote, "they not only screwed the manufacturer, they screwed all of us, because the only way to address the security compromise is to recall and replace every SIM sold by Gemalto."
