Gemalto has published the results of its one-week investigation into the claims of a report by The Intercept that its subscriber identity module (SIM) cards, purchased by more than 450 wireless carriers around the globe, including Verizon, AT&T, Sprint, and T-Mobile, have been breached by the United Kingdom's Government Communications Headquarters (GCHQ) with assistance from the National Security Agency (NSA).
The Netherlands-based digital security company, which owns a majority of the SIM card industry, says it has "reasonable grounds to believe that an operation by NSA and GCHQ probably happened." However, Gemalto says that although two breaches that took place in 2010 were far more sophisticated than the regular hacks targeted at its "highly secure network architecture," the section that contained the encryption keys to its millions of SIM cards remains untouched.
Gemalto's investigation comes a week after The Intercept published documents leaked by NSA whistleblower Edward Snowden detailing how the U.K. and U.S. intelligence agencies were able to gain access to the Gemalto network and make off with the over-the-air (OTA) encryption keys to its SIM cards, which are typically used by mobile carriers to deliver software updates to their subscribers. If any software delivered to the SIM card contains the key, whether it is an official update from the mobile carrier or spyware, the SIM card will automatically authorize the software regardless of where it came from, allowing surveillance agencies to listen in on calls and data activities.
"It's scary," says researcher Claudio Guarnieri. "If the NSA and GCHQ have obtained a large quantity of OTA keys, we're facing the biggest threat to mobile security ever."
But Gemalto maintains its SIM cards are safe. According to the company, its network is "like a cross between an onion and an orange." It has several layers and segments that serve to isolate the different types of information contained in one section from the others. The section of the network that contains the SIM keys, Gemalto says, is separate from the office network that was breached in 2010.
The first breach, which took place in June 2010, was found on its French websites, where Gemalto says it detected suspicious activity that it was able to counter immediately. This was followed a month later by spoofed emails sent to customers, purportedly from Gemalto employees. Gemalto says it was unable to identify the perpetrators of the attacks at that time, but it now believes that it could have been the GCHQ and the NSA.
"While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network," says Gemalto in its report. "No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards, or electronic passports."
However, security experts believe Gemalto's "thorough" investigation was put together in a hasty attempt to downplay The Intercept's report. A week is not enough to scour the network for far more covert activities, especially given the technical prowess of the surveillance agencies, they say.
"Do they know the truth? Do they seriously believe they can conduct an investigation uncovering the truth in less than a week?" says Dr. Philipp Weinmann, head of security research firm Comsecuris. "This is a rush job to placate shareholders. Hopefully, they will keep investigating."
Moreover, Gemalto's assertion that most of its SIM cards were not vulnerable to spying because most people use 3G and 4G LTE, which use a new encryption standard not available in 2G, is being challenged. Gemalto says that SIM cards using old 2G technology were of little use to surveillance agencies, since most of them are prepaid SIM cards that are used only for a short period of time, around three to six months.
Phil Kernick, chief technology officer of Australian firm CQR Security, says this claim is "disingenuous" since hackers can easily bombard mobile towers and force 4G and 3G connections back to 2G.
"3G and 4G SIMs have 2G fallback so if you go into a train tunnel or go out into the bush you may find that your phone goes from 4G to 3G, which is 'edge,' that means it's fallen back to 2G, which means that it's just as vulnerable as any 2G SIM," he tells the Sydney Morning Herald. "[3G and 4G] are inherently better but if someone's gone in and stolen the keys to the kingdom, it makes no difference."