Gemalto opens investigation into SIM card hack by NSA, GCHQ

Dutch SIM card maker Gemalto says it is investigating reports it was hacked by US and British spies but at this stage has no idea whether it happened.

Following a report yesterday that US and UK spies hacked Dutch security firm Gemalto to track mobile phone users across the globe, the company says it has opened an investigation into the claims.

Allegations of the hack came from the latest documents leaked by former National Security Agency (NSA) contractor Edward Snowden and published by The Intercept yesterday.

According to the documents, the UK's surveillance agency GCHQ and the US' NSA teamed up in 2010 and 2011 to penetrate Gemalto's internal network and steal encryption keys that would allow the organisations to monitor mobile communications without the assistance of telecoms companies.

Gemalto produces embedded software on chips used in online banking and electronic identity authentication. It also makes up to two billion SIM cards each year, which are supplied to 450 wireless network providers across the globe and were the alleged chief target of the spy agencies' efforts.

The Dutch company issued a statement today saying it wasn't aware of the attack and couldn't confirm whether the allegations were true. The company also said it will launch an investigation.

"The publication indicates the target was not Gemalto per se - it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible, with the aim to monitor mobile communications without mobile network operators' and users' consent. We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation," the company said.

"We take this publication very seriously and will devote all resources necessary to fully investigate and understand the scope of such sophisticated techniques," it added.

Cryptography expert Matthew Green at the Johns Hopkins Information Security Institute told The Intercept that while there were other ways to sidestep mobile security on 2G protocols, the encryption keys would have been "essential" to compromising 3G, 4G, and LTE protocols.

As the publication points out, the encrypted connection between a device and a mobile operator's network relies on keys stored in the SIM card inserted into the phone. Those keys are created by companies like Gemalto.

However, as Green notes, network operators are unlikely to be treating SIM cards as security tokens but rather as a tool to prevent people freeloading on their network. Consequently, that part of the supply chain is low-hanging, but extremely valuable, fruit for an attacker with the skill set and resources of a government agency.

The NSA's and GCHQ's alleged attack on Gemalto is just the latest European campaign the pair have reportedly teamed up on. Snowden documents also revealed an attack on Belgian telecoms operator Belgacom that was spearheaded by a sophisticated piece of malware called Regin.

GCHQ agents targeted Belgacom engineers through a spoofed LinkedIn page, using credentials it gathered to gain entry to the operator's internal systems.

Gemalto said that it has "detected, logged and mitigated many types of attempts over the years"; however, at present it could not prove a link between those past attempts and the events reported yesterday.