Gemalto announces investigation of massive SIM heist

Yesterday’s report by The Intercept hit the information security community like a ton of bricks, as a set of documents from Edward Snowden’s trove indicate that the US NSA and the UK GHCQ have managed to compromise the networks of Dutch SIM card manufacturer Gemalto and acquire encryption keys that protect the privacy of cellphone communications of millions of users around the globe.

Intelligence agencies in possession of these keys would be able to eavesdrop on voice calls, text messages and Internet activities of users who’s mobile phones work with one of these SIM cards, without the need to break the crypto that protects them and without requiring mobile network operators to give them the required access to do so.

Gemalto is one of the biggest chip makers in the world, and provides them to over 450 wireless network providers around the world, including the US.

The attack, mounted together by the two security agencies, was allegedly successfully executed in 2010, and the attackers managed to hide any evidence of them having been inside the company’s network. Most of the keys were stolen by compromising email accounts of employees of Gemalto and mobile network operators, as the encryption keys for the SIMs are often sent via email or through FTP.

To say that the report shocked Gemalto would be an understatement.

“The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn’t happen again, and also to make sure that there’s no impact on the telecom operators that we have served in a very trusted manner for many years,” Paul Beverly, a Gemalto executive vice president, commented for The Intercept. “What I want to understand is what sort of ramifications it has, or could have, on any of our customers.”

The company has released a statement today saying that they “will devote all resources necessary to fully investigate and understand the scope” of the breach.

“The publication indicates the target was not Gemalto per se – it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible, with the aim to monitor mobile communications without mobile network operators and users consent. We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation,” they noted, adding that over the years they have detected and mitigated many types of hacking attempts, but that they currently “cannot prove a link between those past attempts and what was reported yesterday.”

In the meantime, the report has affected the company and its investors deeply, as its shares took a 7.5 percent hit in the wake of the publication of the report.

According to the leaked document, the GCHQ was also preparing to target German SIM card manufacturer Giesecke and Devrient with a similar attack.