PARIS: SIM card manufacturer Gemalto says it is likely that US and UK spies hacked its systems in a bid to attack the privacy of billions of mobile phone users, but it sought to downplay the consequences.
CEO Olivier Piou told a news conference in Paris that while an NSA and GCHQ hack “probably happened”, the agencies would only have been able to access 2G systems and would not have been able to spy on 3G and 4G networks. The company added that key theft would have been rare after 2010, when it deployed a “secure transfer system”.
Dutch firm Gemalto, which supplies SIM cards to Telstra, Optus and Vodafone, was responding to allegations that US and UK spy agencies NSA and GCHQ had hacked the company between 2010 and 2011 and cyberstalked its employees.
Gemalto, which produces nearly 2 billion SIM cards each year, said any attack “could not have resulted in a massive theft of SIM encryption keys”, thereby allaying fears of a large-scale SIM recall that would have affected countries across the globe, including Australia.
The company also said the spy agency hacks only affected “the outer parts of our networks, our office networks which are in contact with the outside world.”
As The Wall Street Journal reported, executives acknowledged that data transfers between customers and Gemalto could have been intercepted, but the company said it believes that only happened in “exceptional” cases such as tests, when it wasn’t using its usual secure system to transfer keys.
“It’s difficult to say how many,” Mr Piou said of the number of potential interceptions. They know it’s very few.
Mr Piou said he had not bothered to contact US or British intelligence agencies to confront them about the allegations because doing so would have been a “waste of time”. He also confirmed the firm wouldn’t take legal action.
“The facts are hard to prove from a legal perspective and the history of going after a state shows it is costly, lengthy and rather arbitrary,” Mr Piou said.
China has also weighed in, saying it was concerned about the reported hack. Gemalto provides SIM cards for China Mobile Ltd., the world’s largest carrier by subscribers.
“We are opposed to any country attempting to use information technology products to conduct cyber surveillance,” China Foreign Ministry spokesman Hong Lei said at a daily press briefing. “This not only harms the interests of consumers but also undermines users’ confidence.”
The Intercept hasn’t backed down, however, with reporter Jeremy Scahill writing that Gemalto “made erroneous statements about cell phone technology and sweeping claims about its own security that experts describe as highly questionable.”
Matthew Green, a Johns Hopkins cryptography specialist, said Gemalto’s claims are flatly incorrect.
“No encryption mechanism stands up to key theft,” Green said, “which means Gemalto is either convinced that the additional keys could not also have been stolen or they’re saying that their mechanisms have some proprietary ‘secret sauce’ and that GCHQ, backed by the resources of NSA, could not have reverse engineered them. That’s a deeply worrying statement.”
“I think you could make that statement against some gang of Internet hackers,” Mr Green told The Intercept. “But you don’t get to make it against nation state adversaries. It simply doesn’t have a place in the conversation. They are saying that NSA/GCHQ could not have breached those technologies due to ‘additional encryption’ mechanisms that they don’t specify and yet here we have evidence that GCHQ and NSA were actively compromising encryption keys.”
Before the Gemalto announcement, Telstra had said it was in contact with the company and would work with it to address any issues identified. “Telstra takes customers’ privacy and security very seriously,” a spokesperson told the news outlet.
“SIM card encryption is just one of multiple ways Telstra secures our network and the communications of our customers.” It’s unclear what percentage of SIM cards used by Telstra, Optus and Vodafone were manufactured by Gemalto, though Telstra described the company as a “significant supplier”.