Dutch SIM card maker Gemalto on Wednesday revealed that U.K. and U.S. spy agencies probably did breach its internal network but were unable to steal SIM card encryption keys.
Documents recently handed to The Intercept by NSA whistleblower Edward Snowden allege that the U.K.’s Government Communications Headquarters (GCHQ) and its U.S. counterpart, the National Security Agency (NSA), hacked into Gemalto’s internal network in 2010 and 2011.
Once inside, they are alleged to have installed malware on several computers giving them access to systems that allowed them to steal SIM card encryption keys. Those keys would enable them to monitor mobile communications without obtaining a warrant or approval from foreign governments, and without the knowledge of telcos.
"As a digital security company, people try to hack Gemalto on a regular basis. These intrusion attempts are more or less sophisticated and we are used to dealing with them. Most are not successful while only a few penetrate the outer level of our highly secure network," said Gemalto on Wednesday.
The company said it detected two particularly sophisticated attacks in 2010 and 2011.
"At the time we were unable to identify the perpetrators but we now think they could be related to the NSA and GCHQ operation," Gemalto said.
However, the attacks only breached its office networks, whereas SIM encryption keys and customer data are stored separately.
"Our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data," explained Gemalto.
According to the leaked documents, the NSA and GCHQ changed tactics as a result, and instead tried to intercept encryption keys at the point at which they were transferred from suppliers to mobile operators. In particular, the spies targeted operators in Afghanistan, Iceland, India, Iran, Pakistan, Serbia, Somalia, Tajikistan and Yemen.
Gemalto said that it put safeguards in place to defend against this type of interception before the attacks were launched; however, they were not universally adopted and suppliers other than Gemalto may have been at risk.
"In Gemalto’s case, the secure transfer system was standard practice and its non-use would only occur in exceptional circumstances," Gemalto said.
Gemalto also noted that most telcos in the targeted countries would have still been operating 2G networks at the time, which are more vulnerable to spying. However, "most 2G SIMs in service at that time in these countries were prepaid cards which have a very short life cycle, typically between three and six months."
In addition, known weaknesses in 2G encryption were addressed by operators, while 3G and 4G technologies came with additional layers of security.
"Gemalto would like to reiterate its commitment to providing the best security levels for civilian applications," Gemalto said. "Nevertheless, we are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organisations. And, we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion."
Gemalto said it will continue to monitor its network and improve its processes.










