Spies in your SIM card? After alleged hack by NSA and GCHQ, manufacturer says its SIMs are secure

Graham Cluley

On Thursday last week, The Intercept published its latest exclusive courtesy of NSA whistleblower Edward Snowden.

According to the report, intelligence agencies in the United States and Great Britain joined forces to hack Gemalto, a company which manufactures billions of SIM cards every year, and stole encryption keys used to protect the privacy of communications around the world.

GCHQ slide on Gemalto breach

Gemalto’s customers include 450 mobile telecom operators globally, including Verizon, AT&T and Vodafone.

If the hacking claims are true, GCHQ and the NSA would be able to use the stolen encryption keys “to monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments.” In other words, no need for a warrant or a wiretap, and no awkward evidence left on a communications provider’s network that communications were snooped upon.

That is, for anyone who cares about privacy, a nightmare scenario with potentially billions of calls, texts and emails vulnerable to covert spying by intelligence agencies.

GCHQ slide

According to Snowden’s documents, the alleged hacking operation took place during 2010 and 2011.

SIM cardsBut today, Gemalto – which also produces ID chips for passports and other technologies – is trying to reassure the public, its partners and investors.

The corporation has today published a short statement saying it will hold a press conference on Wednesday 25 February about its investigation into the alleged hacking, but that it already believes that “Gemalto SIM products (as well as banking cards, passports and other products and platforms) are secure.”

A question, clearly, remains. If GCHQ’s slide was accurate in boasting “[we] believe we have their entire network”, how on earth can Gemalto say with any confidence what occurred in 2010/2011? After all, any digital fingerprints that the hackers might have left could have been entirely wiped by the hackers if they truly owned Gemalto’s computer system.

We shouldn’t forget, GCHQ is perfectly prepared to hack innocent, law-abiding companies if they believe that it will help them gather intelligence. Just look what happened at leading telecoms firm Belgacom, for instance.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 Replies to “Spies in your SIM card? After alleged hack by NSA and GCHQ, manufacturer says its SIMs are secure”

  1. I don't understand why in the midst of this big data revelation and whistleblowing they would provide a redacted slide from GCHQ. What's being withheld there?

    1. Snowden was careful to make clear that he would withold information that could CRUCIALLY compromise methods, operations, and personnel.

      Nota Bene: I have put 'crucially' in all-caps. Just in case it wouldn't be noticed.

  2. in this age of murdering b………………. terrists i suppose they have to be 1 step ahead—the risk is haveing info on us all—-its open to curruption human nature as it is

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.