Gemalto admits to NSA/GCHQ breach

February 25, 2015 // 11 a.m.

Tags: #cryptography #edward-snowden #encryption #gsm #privacy

Companies: #gchq #gemalto #nsa

SIM-card maker Gemalto has denied claims that a team of spies from the US National Security Agency (NSA) and UK Government Communications Headquarters (GCHQ) have made off with millions of encryption keys from its network, while admitting to having evidence of a breach.

Documents leaked last week by notorious whistleblower Edward Snowden claimed that a joint UK/US task-force had penetrated Gemalto's network in order to steal SIM card encryption keys. These keys would then be used to allow security agencies to monitor all mobile communications without having to approach the mobile networks directly, and to decrypt previously-captured encrypted traffic. With Gemalto being the world's largest producer of SIM cards and millions of customers being affected by the breach, the documents pointed towards one of the biggest security breaches of modern times.

Gemalto has now published the findings of its investigations into the claims, and while the company admits to having found evidence to support multiple NSA/GCHQ intrusions into its network, it claims that the SIM card encryption keys are safe. 'These intrusions only affected the outer parts of our networks – our office networks - which are in contact with the outside world,' the company claims in the report. 'The SIM encryption keys and other customer data in general, are not stored on these networks.

'While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.'

The company further claims that 'highly secure exchange processes' which were in place long before the claimed intrusions mean that theft of the keys during transit was unlikely, although it admits that 'these data transmissions were not universally used and certain operators and suppliers had opted not to use them' when the breach took place, describing their non-use as only likely to occur in 'exceptional circumstances.'

Gemalto's report also highlights some inconsistencies in the leaked documents, including four of the twelve listed operators having never been Gemalto customers, three of the listed personalisation centres - where the encryption keys are burned onto the SIM cards - having not existed at the time of the alleged breaches, and a table which suggests that only two per cent of the encryption keys were obtained through attacks on SIM suppliers like Gemalto.

The company concludes its findings by saying that it will 'continue to monitor its networks and improve its processes,' while indicating that this will be the last it has to say on the matter 'unless a significant development occurs.'

Gemalto's full statement can be found on the company's official website.