Six days ago Gemalto, the world's largest SIM card manufacturer, was told that back in 2010 it had been ransacked by NSA and GCHQ hackers. Today the company gave itself the all-clear: no encryption keys, used to secure phone calls from eavesdroppers, were stolen, it claims.
Yet the IT security industry is not so sure.
Documents leaked by intelligence whistleblower Edward Snowden, and published last Thursday, show that Brit and American spies penetrated Gemalto's computer network and allegedly stole hundreds of thousands, if not millions, of SIM card encryption keys.
At a press conference in Paris on Wednesday the Dutch firm's CEO, Olivier Piou, said that while its office networks were compromised, the servers holding the SIM card encryption keys weren't.
That data was and remains secure, Piou said. The keys are sent out to cell network owners using a "secure transfer system," which should keep the information out of the hands of the spooks.
The firm's confidence has surprised many in the security industry. Six days ago, Gemalto was in the dark on the attacks on its systems. Now it appears to be sure that all is well, which is odd considering most computer forensic examinations take months rather than a week.
"Gemalto, a company that operates in 85 countries, has figured out how to do a thorough security audit of their systems in 6 days. Remarkable" — Christopher Soghoian (@csoghoian) February 25, 2015
"Gemalto is surprisingly confident that it now knows exactly the scope of the GCHQ/NSA penetration that it didn't detect in the first place," said Matt Blaze, associate professor of computer and information science at the University of Pennsylvania. "Getting compromised by a targeted GCHQ/NSA operation isn't negligent, but underestimating the implications of it is."
Gemalto bosses also said that the SIM keys would only allow the monitoring of 2G communications, and that 3G and 4G calls were secure. Yet that too is under question, not least by assistant research professor Matt Green of Johns Hopkins University in Maryland, US, who described in 2013 how eavesdroppers could crack 3G and 4G calls using stolen SIM Ki keys. (Hint: there's no forward secrecy. And an attacker can force nearby phones to drop down to 2G anyway.)
"No encryption mechanism stands up to key theft, which means Gemalto is either convinced that the additional keys could not also have been stolen or they're saying that their mechanisms have some proprietary 'secret sauce' and that GCHQ, backed by the resources of NSA, could not have reverse engineered them. That's a deeply worrying statement," Green told The Intercept in response to Gemalto's statement.
"They are saying that NSA/GCHQ could not have breached those technologies due to 'additional encryption' mechanisms that they don't specify and yet here we have evidence that GCHQ and NSA were actively compromising encryption keys."
Gemalto also quibbled with some of the details in the documents leaked by Snowden, saying it never sold SIM cards to some of the telcos listed (although it doesn't mention indirect sales) and that "personalisation centers" in Japan, Colombia and Italy don't exist.
The firm's CEO said at his press conference that the intelligence agencies were probably behind various security breaches detected within his company in 2010 and 2011, but he won't be taking legal action since this is often ineffective.
Giving the all-clear so soon, after such a quick investigation into the activities of arguably the best state-run, and certainly the best funded, hackers in the world, is unwise – and may say more about the biz's efforts to reassure investors than provide real insight.