Wednesday, February 25, 2015

Gemalto denies 'massive theft' of SIM card encryption keys by NSA and GCHQ

Digital security vendor Gemalto revealed its findings today following last week's report of an incursion by the NSA and the GCHQ into the vendor's SIM card encryption keys. While Gemalto noted that an operation by NSA and GCHQ "probably happened" in 2010 and 2011, the intrusion could not have resulted in a "massive theft" of SIM card encryption keys as the breach affected the company's office network and not its secure networks.

Gemalto mentioned that the SIM card encryption keys were not stored in the networks that were breached:

These intrusions only affected the outer parts of our networks – our office networks - which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.

Access to the keys would have allowed the US and UK government agencies the ability to listen in on phone conversations and install malware on any Gemalto-issued SIM card. With an annual production of 2 billion SIM cards and association with most major carriers in the world including US carriers such as AT&T, Sprint, and Verizon, any security breach at the vendor would have global consequences. Here's what Gemalto found in its investigation into the hack:

  • ​​​​The investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened

  • The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys

  • The operation aimed to intercept the encryption keys as they were exchanged between mobile operators and their suppliers globally. By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft

  • In the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable to this type of attack

  • None of our other products were impacted by this attack

  • The best counter-measures to these type of attacks are the systematic encryption of data when stored and in transit, the use of the latest SIM cards and customized algorithms for each operator

According to Gemalto, even if the SIM card encryption keys were stolen, it would have resulted in the US and UK intelligence networks spying on 2G networks, making most users in developed countries prone to intrusion by covert agencies. However, The Intercept – the publication that first broke the news of the hack – noted that the target countries for the NSA and GCHQ's spying activities included Afghanistan, Iceland, India, Iran, Pakistan, Serbia, Somalia, Serbia,Tajikistan and Yemen, where 2G networks are still the norm. Gemalto stated that its secure data transfer system was in use at that time, which would have deterred hackers from gaining access to the encryption keys.

Head to the link below to read all of Gemalto's findings.

Source: Gemalto








No comments:

Post a Comment