Gemalto: NSA, GCHQ hacked us – but didn't snatch crucial SIM keys

'Investigation' admits to attacks, but says phone crypto secrets stayed secure


Gemalto, the world's biggest SIM card maker, has investigated the NSA's and GCHQ's infiltration of its computers – and says that while the agencies did get into its network, they didn't get in far enough to siphon off phone-call encryption keys.

Files leaked by intelligence whistleblower Edward Snowden appeared to show the US and UK had broken into Gemalto's systems to obtain thousands, if not millions, of secret encryption keys (Ki) which are baked into every SIM – and used to safeguard conversations from eavesdroppers.

In a statement sent to El Reg, the Dutch giant's "investigation into the intrusion methods described in the [Snowden] document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened."

The company reached that conclusion after revisiting records of some cyber-attacks it encountered in those years, which it says were repelled although it did not (or could not) identify the perps at the time.

"While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network", the statement continued, adding:

No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.

The attacks therefore "could not have resulted in a massive theft of SIM encryption keys."

This is assuming Gemalto could detect a deep invasion by the likes of the NSA and GCHQ; the spies could have snatched and grabbed the goods without being seen, although the SIM maker isn't saying anything on that.

Even if Western spies had dived deeper into its networks and stolen the vital keys, Gemalto reckons any eavesdropping using the nicked data would have been limited to 2G networks. With much of the world having moved to 3G or 4G, any follow-up snooping would have been hampered, it's alleged.

Gemalto claimed:

In 2010-2011 most operators in the targeted countries were still using 2G networks. The security level of this second generation technology was initially developed in the 1980s and was already considered weak and outdated by 2010. If the 2G SIM card encryption keys were to be intercepted by the intelligence services, it would be technically possible for them to spy on communications when the SIM card was in use in a mobile phone. This is a known weakness of the old 2G technology and for many years we have recommended that operators deploy extra security mechanisms.

However, even if the encryption keys were intercepted by the intelligence services they would have been of limited use. This is because most 2G SIMs in service at that time in these countries were prepaid cards which have a very short life cycle, typically between 3 and 6 months.

It must be said, 3G and 4G are not widespread in the countries the NSA is interested in, if you believe it really is going after Mid-East terrorists and suchlike. People with short-term 2G SIMs can still be tracked and drone'd very easily in Pakistan, Yemen, Somalia, and beyond.

Back to today's press statement, Gemalto also says the Snowden documents get a few important details wrong. "Gemalto has never sold SIM cards to four of the twelve operators listed in the documents, in particular to the Somali carrier where a reported 300,000 keys were stolen," the statement says.

Another error concerns "a list claiming to represent the locations of our personalization centers" that "shows SIM card personalization centers in Japan, Colombia and Italy." Gemalto denies that it operated such centres in those countries at the time of the alleged hacks.

The corporate retort – issued days after the company's stock plunged – offers more detail on Gemalto's security practices and why they make an attack like that suggested by Snowden's leaked documents unlikely.

The statement is confident, detailed by the standards of such documents and, most importantly, definitive. If it is shown to be substantially wrong, Gemalto just threw its credibility into a black hole – it will come out the other side as reconstituted atoms.

Just what this statement means for Snowden's reputation remains to be seen. ®


Biting the hand that feeds IT © 1998–2021