Last week, The Intercept detailed a GCHQ campaign that compromised Gemalto's system to harvest and store the encryption keys that protect SIM cards. Once successful, the program would have allowed intelligence agencies to decrypt cell phone signals in mid-air or implant malware remotely into any phone with a Gemalto SIM card. Gemalto is the largest SIM card maker on the planet — it manufactures 2 billion SIM cards a year for more than 450 wireless carriers across the world, including AT&T, Sprint, and Verizon. Any compromise would have global implications.
Today, Gemalto presented the findings of its investigations into the alleged hackings. While the manufacturer says it has reasonable grounds to believe that an operation by NSA and GCHQ "probably happened," the company claims that the attacks only breached its office networks, and "could not have resulted in a massive theft of SIM encryption keys."
Gemalto says the spy networks "could not" have stolen a massive number of its SIM encryption keys
The Intercept says that operations orchestrated by spy networks to obtain the encryption keys took place between 2010 and 2011, the same two years that Gemalto identified "two particularly sophisticated intrusions." But Gemalto says that by that time, it had already "widely deployed a secure transfer system," that made obtaining the keys difficult, claiming that "only rare exceptions to this scheme could have led to theft." If those rare cases were to occur, Gemalto says GCHQ and the NSA would only be able to spy on communications sent over old 2G networks anyway — 3G and 4G connections are not vulnerable to the method of attack the agencies would be using.
Last week's report claims that attacks were aimed at mobile operators in Afghanistan, Yemen, India, Serbia, Iran, Iceland, Somalia, Pakistan and Tajikistan. In the case of Pakistan, The Intercept's documents say that the method of interception the attackers were using failed to produce results. Gemalto says its highly secure data exchange method, which it claims prevents attackers from being able to collect keys, was live in the country at the time.
Spy agencies reportedly targeted several groups for SIM data
The Intercept's report focuses on Gemalto as the source of what it calls "massive key theft," but the company says that it was one of several parties targeted by GCHQ and the NSA for the collection of SIM data. "Gemalto has never sold SIM cards to four of the twelve operators listed in the documents," it says, making specific reference to a Somali carrier it has never done business with from whom 300,000 keys were reportedly stolen. Another document showed a list of personalization centers in Japan, Colombia, and Italy — countries in which Gemalto says it had no such centers at the time.
Instead, Gemalto says that were there indeed a "massive theft" of SIM encryption keys, the blame is more likely to fall away from SIM suppliers such as itself. The company claims its encryption methods were strong enough to ward off the reported attacks from international spy agencies, but points out that in The Intercept's documents, only two percent of the 1,719 exchanges of encryption keys came from SIM suppliers. The remaining 98 percent came from other groups.