Gemalto SIM card encryption hack: Key questions remain
The Gemalto encryption key "heist" may be one of the biggest breaches of corporate data conducted by an intelligence agency to date.
The attack, first reported by The Intercept, showed how the UK and US intelligence communities stole encryption keys to millions of SIM cards, used by dozens of cellular networks in the US and around the world, for contactless payment systems, biometric passports, and credit and debits cards.
The story was based on documents leaked by whistleblower Edward Snowden.
In an effort to quell initial fears, the targeted company said in a statement Monday that its initial conclusions suggest its SIM products are "secure," but did not elaborate further.
Gemalto will hold a press conference on Wednesday (10:30am local, 4:30am ET) where we'll discover more. Gemalto is expected to reveal more from its investigation. (We'll have more then.)
These are the questions the company will have to answer.
1. Obama says US government doesn't listen to phone calls. But could it?
Days after the first Snowden leaks landed, Obama declared, "nobody is listening to your telephone calls." (He was, of course, talking about laws preventing the NSA from listening in on American calls.) It was bad enough that there was fear and uncertainty over the phone metadata program, but the Gemalto hack is about as clear as it gets that the NSA was trying to "passively" listen to phone conversations.
The Intercept's report said the privacy of "all mobile communications," including voice calls, "depends on an encrypted connection between the cellphone and the wireless carrier's network." If those encryption keys were vacuumed up, it's possible that phone calls were intercepted and listened to.
This hack may open up other NSA programs to more detail, like how the NSA can listen back to every call made in a 30-day period in certain countries. It may also explain how the NSA tapped the German leader's phone, despite evidence pointing to the contrary.
2. Was Apple Pay or any other contactless payment system compromised?
Gemalto-based technology is the cornerstone of Google Wallet, a rival mobile payments service to Apple Pay. The Android-based technology is provided by Softcard, which was created by a coalition of US cellular firms including AT&T, Verizon, and T-Mobile.
The report said it was "unclear" if these two contactless payment services were compromised by the two intelligence agencies. Gemalto may know more when it talks on Wednesday.
It could mean potentially millions of mobile users' data might be at risk. That would be a massive blow of trust to the mobile wallet industry, which have both been dragged through the mud unnecessarily after they were named in the PRISM program slide, accused of letting the NSA have "direct access" to their servers.
Or, it could not. Companies like Visa and Mastercard, providers of contactless chip-enabled credit and debit cards, would have an extra layer of protection in place preventing financial fraud, according to one report.
3. How did Gemalto not notice the massive encryption key theft?
One of the biggest concerns is how the theft of millions of encryption keys happened. The heist was impressive but raised questions over ethics and legality. A group within the intelligence community targeted specific Gemalto staff through their social media and email accounts, found weaknesses in their systems, and compromised their work computers.
Gemalto said it had "no evidence" of any hacks, suggesting its systems were broken into with the help of existing NSA and GCHQ programs, like XKeyscore, rather than through a security weakness in the network.
That leads to the question of whether or not other nation states had the capability to access US phone conversations.
"If the NSA/GCHQ can do it, I'd be more than surprised if the Chinese or the Russians haven't already done it," said Cryptocat developer and security researcher Nadim Kobeissi in an email. "All GCHQ did was little more than routine targeted attacks. There were no cutting-edge techniques that China wouldn't have," he added.
4. Could the NSA, GCHQ's attack have been prevented?
The answer is likely not, but Gemalto will have more at the Wednesday press conference. This is more of a question about the security of Gemalto's products, rather than its systems.
"SIM card security is already quite weak and very dated, and that's not Gemalto's fault," said Kobeissi. "Short of deciding to forego SIM cards altogether, there wasn't much Gemalto could do to improve the security of that space," he said.
5. What now? What can ordinary users do to secure their communications?
The big question on everyone's minds: how will Gemalto, and by virtue its customers -- the one-billion-plus users around the world -- recover from this?
Gemalto says its SIM products are "secure," but offered no further detail yet this may be the biggest intelligence hack of the Snowden cache so far (by the number of people affected).
One thing is for sure, if Gemalto has to recall SIM cards, its financial future may be in jeopardy.
Updated at 4:25pm ET: with clarifying remarks regarding mobile payments.