Top SIM card maker Gemalto has conducted an investigation into the NSA's and GCHQ's infiltration of its computers, and says while the agencies did get into its network, they didn't get in far enough to siphon out crucial phone-call encryption keys.
Files leaked by intelligence whistleblower Edward Snowden appeared to show the US and UK had broken into Gemalto's systems to obtain thousands, if not millions, of secret encryption keys (Ki) which are baked into every SIM – and used to safeguard conversations from eavesdroppers.
The company reached that conclusion after revisiting some cyber-attacks it encountered in those years, which it says were repelled although it did not (or could not) identify the perps.
"While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network", the statement continued, adding:
No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.The attacks therefore "could not have resulted in a massive theft of SIM encryption keys." This is assuming Gemalto could detect a deep invasion by the likes of the NSA and GCHQ; the spies could have snatched and grabbed without being seen, although the SIM maker isn't saying anything on that.
And even if Western spies had been able to get deeper into its networks and stolen the vital keys, Gemalto reckons any eavesdropping using the nicked data would have been limited to 2G networks. With much of the world having moved to 3G or 4G, any follow-up snooping would have been hampered, it's alleged.
In 2010-2011 most operators in the targeted countries were still using 2G networks. The security level of this second generation technology was initially developed in the 1980s and was already considered weak and outdated by 2010. If the 2G SIM card encryption keys were to be intercepted by the intelligence services, it would be technically possible for them to spy on communications when the SIM card was in use in a mobile phone. This is a known weakness of the old 2G technology and for many years we have recommended that operators deploy extra security mechanisms.(To be fair, 3G and 4G is not widespread in the countries the NSA is interested in, if you believe it really is going after Mid-East terrorists and suchlike. Tracking a target for six months on 2G is more than enough for the Five Eyes alliance; people can be drone'd by their SIM card very easily in Pakistan, Yemen, Somalia, and beyond.)
However, even if the encryption keys were intercepted by the intelligence services they would have been of limited use. This is because most 2G SIMs in service at that time in these countries were prepaid cards which have a very short life cycle, typically between 3 and 6 months.
Back to today's press statement, Gemalto also says the Snowden documents get a few important details wrong. "Gemalto has never sold SIM cards to four of the twelve operators listed in the documents, in particular to the Somali carrier where a reported 300,000 keys were stolen," the statement says.
Another error concerns "a list claiming to represent the locations of our personalization centers" that "shows SIM card personalization centers in Japan, Colombia and Italy." Gemalto denies that it operated such centres in those countries at the time of the alleged hacks.
The corporate retort – issued days after the company's stock plunged – offers more detail on Gemalto's security practices and why they make an attack like that suggested by Snowden's leaked documents unlikely.
The statement is confident, detailed by the standards of such documents and, most importantly, definitive. If it is shown to be substantially wrong, Gemalto just threw its credibility into a black hole – it will come out the other side as reconstituted atoms.
Just what this statement means for Snowden's reputation remains to be seen.