Gemalto, the world's biggest SIM card maker, has investigated the NSA's and GCHQ's infiltration of its computers – and says that while the agencies did get into its network, they didn't get in far enough to siphon off phone-call encryption keys.
Files leaked by intelligence whistleblower Edward Snowden appeared to show the US and UK had broken into Gemalto's systems to obtain thousands, if not millions, of secret encryption keys (Ki) which are baked into every SIM – and used to safeguard conversations from eavesdroppers.
In a statement sent to El Reg, the Dutch giant's "investigation into the intrusion methods described in the [Snowden] document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened."
The company reached that conclusion after revisiting records of some cyber-attacks it encountered in those years, which it says were repelled although it did not (or could not) identify the perps at the time.
"While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network", the statement continued, adding:
No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.
The attacks therefore "could not have resulted in a massive theft of SIM encryption keys."
This is assuming Gemalto could detect a deep invasion by the likes of the NSA and GCHQ; the spies could have snatched and grabbed the goods without being seen, although the SIM maker isn't saying anything on that.
Gemalto is surprisingly confident that it now knows exactly the scope of the GCHQ/NSA penetration that it didn't detect in the first place.— matt blaze (@mattblaze) February 25, 2015
Even if Western spies had dived deeper into its networks and stolen the vital keys, Gemalto reckons any eavesdropping using the nicked data would have been limited to 2G networks. With much of the world having moved to 3G or 4G, any follow-up snooping would have been hampered, it's alleged.
In 2010-2011 most operators in the targeted countries were still using 2G networks. The security level of this second generation technology was initially developed in the 1980s and was already considered weak and outdated by 2010. If the 2G SIM card encryption keys were to be intercepted by the intelligence services, it would be technically possible for them to spy on communications when the SIM card was in use in a mobile phone. This is a known weakness of the old 2G technology and for many years we have recommended that operators deploy extra security mechanisms.
However, even if the encryption keys were intercepted by the intelligence services they would have been of limited use. This is because most 2G SIMs in service at that time in these countries were prepaid cards which have a very short life cycle, typically between 3 and 6 months.
It must be said, 3G and 4G is not widespread in the countries the NSA is interested in, if you believe it really is going after Mid-East terrorists and suchlike. People with short-term 2G SIMs can still be tracked and drone'd very easily in Pakistan, Yemen, Somalia, and beyond.
Back to today's press statement, Gemalto also says the Snowden documents get a few important details wrong. "Gemalto has never sold SIM cards to four of the twelve operators listed in the documents, in particular to the Somali carrier where a reported 300,000 keys were stolen," the statement says.
Another error concerns "a list claiming to represent the locations of our personalization centers" that "shows SIM card personalization centers in Japan, Colombia and Italy." Gemalto denies that it operated such centres in those countries at the time of the alleged hacks.
The corporate retort – issued days after the company's stock plunged – offers more detail on Gemalto's security practices and why they make an attack like that suggested by Snowden's leaked documents unlikely.
The statement is confident, detailed by the standards of such documents and, most importantly, definitive. If it is shown to be substantially wrong, Gemalto just threw its credibility into a black hole – it will come out the other side as reconstituted atoms.
Just what this statement means for Snowden's reputation remains to be seen. ®