The world's largest SIM card manufacturer Gemalto has been in the center of the storm ever since new documents leaked by Edward Snowden revealed that American and British spies had stolen thousands of encryption keys from the company—a heist that potentially gave them the ability to listen in on the calls of millions of cellphone users.
But despite all the attention, Gemalto is probably not the only SIM card maker targeted and hit by the NSA and GCHQ. The Snowden documents themselves reveal that Gemalto wasn't alone.
One of the documents specifically names Gemalto's main competitor, Giesecke and Devrient, or G&D, as a future target. Yet another one mentions Bluefish, a smaller SIM card maker, as an example of a "SIM card" provider targeted in the operation.
"The most interesting part to take away now is that this is proof of [the NSA's] abilities," Matt Suiche, a French security researcher, told Motherboard. "If X was vulnerable to them, it means that Y, Z [were vulnerable] too."
"If X was vulnerable to them, it means that Y, Z [were vulnerable] too."
Gemalto itself appeared to confirm this in an overlooked part of its press release, where the company said that it "never sold" SIM cards to "four of the twelve" cellphone operators listed in the Snowden documents. In other words, four of the 12 operators the NSA documents listed as compromised were getting their SIM cards from other companies other than Gemalto.
This twelve operators were listed in a table detailing the overall number of encryption keys (or "Kis"), which are designed to protect phone calls from eavesdroppers, stolen during a three-month trial from January to March 2010.
Gemalto only identified one of those four, the Somali carrier that got 300,000 encryption keys stolen by the NSA and GCHQ joint Mobile Handset Exploitation Team (MHET). The company declined to name the other three in an email to Motherboard.
"We have no additional statements or details besides what is in the press release," Gemalto spokesperson Nicole Williams said.
So Gemalto isn't talking, and other SIM card makers also aren't too eager to solve this mystery.
When we reached out to G&D, whose motto is "creating confidence," with a detailed list of questions, but a company spokesperson ignored them and replied with its own FAQ-style list of inquiries.
"There is no indication that we have been subject to anything similar to the incident at Gemalto," Stefan Auerbach, a spokesperson for G&D, wrote in the email, without specifying if the company had undertaken any kind of investigation to make sure its Kis had not been stolen like in the case of Gemalto.
"We transmit data to our customers in close collaboration with them," Auerbach wrote, answering one of his own questions on how G&D transmits data to its customers. "We use current security technologies to this end but trust you will understand that we cannot share information about concrete transmission methods or specific customer situations—especially in view of existing confidentiality agreements."
When asked whether G&D sold to any of the 12 countries listed in the Snowden documents, Auerbach didn't answer.
Apparently, other companies are choosing to stay silent too.
"I am afraid we will not comment," a spokesperson for Oberthur, a French SIM card maker, told Motherboard.
Bluefish, which was specifically mentioned in the documents, did not answer an email seeking comment. We also didn't hear back from Oasis, another SIM card provider based in Singapore and founded in 2010, as well as STMicroelectronics and Morpho (these companies were not mentioned in the Snowden documents).
In other words, don't expect this mystery to be solved anytime soon.
UPDATE 03/03/01, 09:23 a.m.: A spokesperson for Infineon responded to Motherboard's inquiries after the publication of this article, saying that the company is "not involved in the process related to mobile communication key generation or distribution," since the company is not a SIM card manufacturer but only provides "raw chips" to SIM card manufacturers.