Spies in your SIM card? After alleged hack by NSA and GCHQ, manufacturer says its SIMs are secure

On Thursday last week, The Intercept published its latest exclusive courtesy of NSA whistleblower Edward Snowden.

According to the report, intelligence agencies in the United States and Great Britain joined forces to hack Gemalto, a company which manufactures billions of SIM cards every year, and stole encryption keys used to protect the privacy of communications around the world.

GCHQ slide on Gemalto breach

Gemalto's customers include 450 mobile telecom operators globally, including Verizon, AT&T and Vodafone.

If the hacking claims are true, GCHQ and the NSA would be able to use the stolen encryption keys "to monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments." In other words, no need for a warrant or a wiretap, and no awkward evidence left on a communications provider's network that communications were snooped upon.

That is, for anyone who cares about privacy, a nightmare scenario with potentially billions of calls, texts and emails vulnerable to covert spying by intelligence agencies.

GCHQ slide

According to Snowden's documents, the alleged hacking operation took place during 2010 and 2011.

But today, Gemalto - which also produces ID chips for passports and other technologies - is trying to reassure the public, its partners and investors.

The corporation has today published a short statement saying it will hold a press conference on Wednesday 25 February about its investigation into the alleged hacking, but that it already believes that "Gemalto SIM products (as well as banking cards, passports and other products and platforms) are secure."

A question, clearly, remains. If GCHQ's slide was accurate in boasting "[we] believe we have their entire network", how on earth can Gemalto say with any confidence what occurred in 2010/2011? After all, any digital fingerprints that the hackers might have left could have been entirely wiped by the hackers if they truly owned Gemalto's computer system.

We shouldn't forget, GCHQ is perfectly prepared to hack innocent, law-abiding companies if they believe that it will help them gather intelligence. Just look what happened at leading telecoms firm Belgacom, for instance.


3 Responses

  1. Jason Shaw

    February 23, 2015 at 4:26 pm #

    I don't understand why in the midst of this big data revelation and whistleblowing they would provide a redacted slide from GCHQ. What's being withheld there?

    • tubeist- dan in reply to Jason Shaw.

      February 23, 2015 at 5:42 pm #

      Snowden was careful to make clear that he would withhold information that could CRUCIALLY compromise methods, operations, and personnel.

      Nota Bene: I have put 'crucially' in all-caps. Just in case it wouldn't be noticed.

  2. derek

    February 28, 2015 at 1:49 pm #

    in this age of murdering b………………. terrorists i suppose they have to be 1 step ahead—the risk is having info on us all—-its open to corruption human nature as it is
