The giant Dutch SIM card company reportedly hacked by U.S. and/or U.K. spy agencies says the intrusion "probably happened," but adds that the attack "could not have resulted in a massive theft of SIM encryption keys" as reported last week by The Intercept. That article cited documents provided by former National Security Agency contractor Edward Snowden to allege the breach "gave surveillance agencies the potential to secretly monitor a large portion of the world's cellular communications."
Amsterdam-based Gemalto released a statement Wednesday that it had conducted a thorough investigation of the alleged hack and identified "two particularly sophisticated intrusions which could be related to the operation." The two incidents, which occurred in June and July of 2010, involved suspicious activity centered on the company's network and fake e-mails with an attachment that could download malware.
In both cases, Gemalto says it took immediate action to deal with the threats. However, it added, both intrusions affected only the company's office networks. "The SIM encryption keys and other customer data in general are not stored on these networks," a statement from the company said.
Largest Maker of SIM Cards
Founded in 2006, Gemalto is a publicly traded company and the world's largest maker of SIM (subscriber identity module) cards for mobile devices. With a slogan of "Security to be free," Gemalto also provides other digital security products and services, and reported 2013 revenues of 2.4 billion euros ($2.7 billion).
Every SIM card uses a unique "Ki" authentication key to verify users' identities to their mobile phone carriers. SIM cards also use OTA keys for "over-the-air" installation of software updates.
"It is extremely difficult to remotely attack a large number of SIM cards on an individual basis," Gemalto's latest statement noted. "This fact, combined with the complex architecture of our networks, explains why the intelligence services instead chose to target the data as it was transmitted between suppliers and mobile operators as explained in the documents."
'Believe We Have their Entire Network'
The Feb. 19 article in The Intercept, written by Jeremy Scahill and Josh Begley, cites a secret 2010 document from Britain's Government Communications Headquarters describing efforts to gain access to core mobile networks by obtaining K, Ki and OTA keys, among other methods. The document identifies Gemalto by name with the added note, "successfully implanted several machines and believe we have their entire network."
We reached out to Gemalto for more information but were told the company's "only statement is found in the press release issued this morning."
That statement said: "The operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally. By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft."
Even if security keys were stolen, the company added, surveillance agencies would have only been able to spy on 2G networks and not the more advanced 3G and 4G networks.
Gemalto added that it is "conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organizations. And, we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion."
It added: "Gemalto will continue to monitor its networks and improve its processes. We do not plan to communicate further on this matter unless a significant development occurs."