Dutch digital security firm Gemalto, which is the world’s biggest manufacturer of SIM cards, has reported back on internal investigations triggered by last week’s revelations about the NSA and GCHQ hacking into its systems and stealing encryption keys that are supposed to protect phone users’ communications.
On Wednesday Gemalto said it reckoned a series of intrusions into its systems in 2010 and 2011 could have matched up with the attacks described in documents leaked by Edward Snowden and published by The Intercept. However, it downplayed the impact of the attacks on its systems and SIM encryption key transfer mechanisms, hinting that the methods described in the documents were more likely to have affected its rivals.
For a start, Gemalto said these attacks, which involved the “cyberstalking” of some of its employees in order to penetrate its systems, only affected its office networks:
The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data…
It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks explains why the intelligence services instead, chose to target the data as it was transmitted between suppliers and mobile operators as explained in the documents.
Regarding that method of targeting encryption keys in transit, Gemalto said it had put in place “highly secure exchange processes” before 2010, which explained why the documents noted how the NSA and GCHQ failed to steal the keys for certain Pakistani networks.
The company said that at the time “these data transmission methods were not universally used and certain operators and supplies had opted not to use them,” though Gemalto itself used them as standard practice, barring “exceptional circumstances.” In other words, Gemalto does it right (most of the time) while other suppliers may not have been so cautious.
Gemalto, whose stock price was whacked by last week’s revelations, also said that the attacks could only have affected 2G SIM cards, due to enhanced security measures introduced in 3G and 4G versions. “Gemalto will continue to monitor its networks and improve its processes,” it added. “We do not plan to communicate further on this matter unless a significant development occurs.”
On Tuesday, another SIM card vendor, Germany’s Giesecke & Devrient (G&D), said last week’s report had prompted it to “introduce additional measures to review the established security processes together with our customers.”