SIM card maker Gemalto has confirmed that its network was hacked - probably by the NSA and GCHQ - but said the breach could not have resulted in a massive theft of encryption keys.
A story published by The Intercept - based on documents from NSA-contractor-turned-whistleblower Edward Snowden - claimed that a team made up of NSA and GCHQ staff hacked into Gemalto's network to try to steal encryption keys used to protect the privacy of mobile communications. The attack is particularly notable in that Gemalto was not the final target: the target was the users of mobile phones which used its technology. It also raises questions about the behaviour and methods of the intelligence services.
Gemalto has spent the last week investigating the claim using the NSA and GCHQ documents made public by The Intercept and its own internal monitoring tools and records. Gemalto said that - looking at the period covered by the documents from the NSA and GCHQ - in 2010 and 2011 it detected two "particularly sophisticated intrusions" which it said could be related to the spying operation.
In June 2010, it noticed suspicious activity in one of its French sites where a third party was trying to spy on the office network. In July 2010, a second incident was identified by its security team.
"This involved fake emails sent to one of our mobile operator customers spoofing legitimate Gemalto email addresses. The fake emails contained an attachment that could download malicious code. During the same period, we also detected several attempts to access the PCs of Gemalto employees who had regular contact with customers," the company said.
"At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation," Gemalto said, adding that these intrusions only affected the outer parts of its networks.
"The SIM encryption keys and other customer data in general are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data," the company said.
The company said that while the intrusions "were serious, sophisticated attacks" no breaches were found in the infrastructure running its SIM business or in other parts of the secure network which manages other products such as banking cards, ID cards, or electronic passports "as each of these networks is isolated from one another and they are not connected to external networks".
The company said that this complex network architecture "explains why the intelligence services instead chose to target the data as it was transmitted between suppliers and mobile operators, as explained in the documents."
But even then, the company said, the risk of the data being intercepted as it was shared with its customers was limited by the secure exchange processes it had put in place: "In Gemalto's case, the secure transfer system was standard practice and its non-use would only occur in exceptional circumstances."
The company said that its analysis of the documents shows that the NSA and GCHQ targeted numerous parties beyond Gemalto, as the documents made reference to customers and locations the company did not have.
The Intercept report noted that the intelligence agencies were targeting networks in areas including Afghanistan, Yemen, India, Serbia, Iran, Iceland, Somalia, Pakistan, and Tajikistan. At that time, most operators in the targeted countries were still using 2G networks.
So what could the NSA and GCHQ do with any encryption keys if they had grabbed them for SIM cards on those networks? Gemalto said that if the 2G SIM card encryption keys were to be intercepted by the intelligence services, it would be technically possible for them to spy on communications when the SIM card was in use in a mobile phone.
But even if the encryption keys had been intercepted by the intelligence services, they would have been of limited use, because most 2G SIMs in service at that time in these countries were prepaid cards which have a very short life cycle, typically between three and six months.
Gemalto said that despite its own security measures: "We are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organizations. And, we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion."
GCHQ said it has a longstanding policy that it does not comment on intelligence matters but added: "All of GCHQ's work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Parliamentary Intelligence and Security Committee.
"All our operational processes rigorously support this position. In addition, the United Kingdom's interception regime is entirely compatible with the European Convention on Human Rights."