Gemalto has said that an initial investigation into alleged hacking of its SIM keys by intelligence agencies appears to be true.
In a statement following the revelations by The Intercept that GCHQ and NSA hacked into SIM keys to bypass encryption to monitor use, Gemalto has said that the investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 “give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened”.
It confirmed that the attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys, and no other products were impacted by this attack. Also, by 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft.
The company also said that in the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack.
“As a digital security company, people try to hack Gemalto on a regular basis,” it said. “These intrusion attempts are more or less sophisticated and we are used to dealing with them. Most are not successful, while only a few penetrate the outer level of our highly secure network architecture.
“If we look back at the period covered by the documents from the NSA and GCHQ, we can confirm that we experienced many attacks. In particular, in 2010 and 2011, we detected two particularly sophisticated intrusions which could be related to the operation.”
It said that in June 2010, it noticed suspicious activity in one of its French sites where a third party was trying to spy on the office network used by employees to communicate with each other and the outside world. In the next month, a second incident was identified by its security team which involved fake emails sent to one of its mobile operator customers spoofing legitimate Gemalto email addresses to include a malicious attachment. “During the same period, we also detected several attempts to access the PCs of Gemalto employees who had regular contact with customers,” it said.
“At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation. These intrusions only affected the outer parts of our networks – our office networks – which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks.”
It described the intrusions as serious and sophisticated attacks, but nothing was detected in other parts of the network and no breaches were found in the infrastructure running its SIM activity or in other parts of the secure network which manage other products such as banking cards, ID cards or electronic passports.
“It is extremely difficult to remotely attack a large number of SIM cards on an individual basis,” it said. “This fact, combined with the complex architecture of our networks explains why the intelligence services instead, chose to target the data as it was transmitted between suppliers and mobile operators as explained in the documents.”
Nevertheless, Gemalto said that it was conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organisations. “We are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion,” it said.
It concluded by thanking the external support received in the past few days, and said it has never been more important to follow security best practices and adopt the most recent technologies and it will continue to monitor its networks and improve its processes.