Gemalto Admits Hacking of SIM Card Encryption Keys by GCHQ and NSA
Gemalto, the world's largest maker of mobile SIM cards, said a preliminary company probe of sophisticated attacks against it in 2010 and 2011 showed British and U.S. intelligence services "probably" hacked into its office networks. The company said that in June 2010 it noticed suspicious activity at one of its French sites, where a third party was trying to spy on the office network. Action was taken to counter the threat.
In July 2010, a second incident was identified by Gemalto's Security Team. This involved fake emails sent to one of the company's mobile operator customers spoofing legitimate Gemalto email addresses. The fake emails contained an attachment that could download malicious code.
During the same period, Gemalto also detected several attempts to access the PCs of Gemalto employees who had regular contact with customers.
Gemalto said that at the time the company was unable to identify the perpetrators, but it now thinks that they could be related to the NSA and GCHQ operation. It added that those intrusions only affected the outer parts of its networks, which were in contact with the outside world. The SIM encryption keys and other customer data in general are not stored on these networks.
The company said that no breaches were found in the infrastructure running its SIM activity or in other parts of the secure network which manage other products such as banking cards, ID cards or electronic passports.
The Dutch company was responding to a report by investigative news site The Intercept, which last week published documents it said showed that U.S. and British spies hacked into Gemalto, potentially allowing them to monitor the calls, texts and emails of billions of mobile users around the world.
Gemalto said the spy operation aimed to intercept the encryption codes needed to unlock security for Subscriber Identity Modules (SIMs) while the modules were shipped from its production facilities to mobile network operators worldwide.
However, the company argued that the break-ins were limited to exceptions, that they were likely to only have affected older model phones that are widely used in emerging markets and that other Gemalto products for secure financial payments were unaffected.
Gemalto added that intelligence services would only be able to spy on communications on second-generation 2G mobile networks as 3G and 4G networks were not vulnerable to this type of attack.