The world's largest SIM card manufacturer has admitted that US and UK intelligence agencies may have carried out "sophisticated attacks" on its computer systems, potentially allowing the agencies to spy on millions of cell phone users.
French-Dutch digital security company Gemalto said in a statement Wednesday it had "reasonable grounds" to believe that the US National Security Agency (NSA) and Britain's Government Communications Headquarters (GCHQ) had conducted several attacks, including two "particularly sophisticated attacks" on its networks in 2010 and 2011.
But the company downplayed the hack and denied the mass theft of its mobile phone encryption keys, which are used to secure hundreds of millions of cell phones worldwide. It also claimed the attacks only infiltrated "the outer parts of our networks — our office networks — which are in contact with the outside world."
"While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network," the company wrote. "No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks."
The company launched an investigation into the attacks after allegations first surfaced six days ago in documents NSA whistleblower Edward Snowden provided to website The Intercept. The findings of the investigation were published Wednesday.
According to The Intercept, the latest Snowden leaks suggest a digital heist of "staggering" proportions, with NSA and GCHQ operatives working in tandem, and even establishing a joint unit called the Mobile Handset Exploitation Team (MHET).
While Gemalto also makes chips for banking cards, passports, identity cards and drivers' licenses, the operation was allegedly conducted to steal the encryption codes needed to unlock some of the 2 billion SIM cards the company produces a year.
But Gemalto, whose stock price plummeted following the allegations, maintains that, even if the theft occurred, the encryption keys would have been "of limited use." The company claims that this is because the breach would only affect second-generation (2G) SIM cards, which are now largely obsolete, and at that time were mostly used for prepaid cards with "a very short life cycle."
The company also reassured its customers that by 2010, it had already rolled out its secure transfer system, significantly reducing the risk of stolen data.
How Encryption Keys Work
Cell phone conversations are transmitted by radio waves and can be easily monitored. In order to protect them, SIM card manufacturers equip each card with an individual encryption key — a "code" that protects data and prevents eavesdropping.
When law enforcement and intelligence services want to wiretap a suspect, they put in a request with telecom operators to obtain this code. Once the code is handed over, they can monitor all mobile phone communications made on the card, including conversations and text messages.
But with access to millions of stolen encryption keys, the intelligence agencies are essentially able to sidestep the need to seek a warrant with foreign governments and telecoms companies in order to monitor mobile communications.
Even with the severity of the allegations, Gemalto announced Wednesday it will not be pursuing any legal action against the US or UK governments.
Company spokesman Olivier Piou told reporters in Paris that, "The facts are hard to prove from a legal perspective and the history of going after a state shows it is costly, lengthy and rather arbitrary." He also said that, unlike the UK and the US, France lacked the appropriate legal resources to deal with this type of hack.
Piou added that the company did not know how many encryption codes had been stolen, nor how many had been subsequently used to monitor cell phone communications.
The results of Gemalto's "thorough" six-day investigation have done nothing to allay the concerns of cybersecurity experts, who say that intelligence agencies can easily erase traces of their spying activities, and that there is little doubt that the company could have been the victim of untraceable hacking.
"It's possible that they only breached [Gemalto's] office network," Matthew Green, a cryptography professor at Johns Hopkins University, told Motherboard. "But what we know is that these organizations are pretty good at quietly hacking things."
Green also expressed skepticism about Gemalto's claims that the hack only affected its 2G networks, and not the newer 3G and 4G networks.
"Technically I have no idea what they're talking about," he said, adding that the whole purpose of the attacks was to obtain access to encryption keys to unlock 3G and 4G network calls.
"If they're confident that those keys could not have been stolen, then they should explain why," Green added. "Probably this is just 'we don't have any evidence that those keys were stolen.'"
The GCHQ and the NSA have not yet commented on the allegations.
Follow Pierre Longeray on Twitter: @PLongeray