Establishing Digital Trust: Don't Sacrifice Security for Convenience
In response to a recent report by The Intercept claiming that the U.K. and U.S. governments hacked into Gemalto's computer network and stole SIM card encryption keys, Gemalto has announced that it's "devoting the necessary resources to investigate and understand the scope of such sophisticated techniques."
"Initial conclusions already indicate that Gemalto SIM products (as well as banking cards, passports and other products and platforms) are secure," the company added.
The Intercept's report stated that the breach was perpetrated in 2010 by the Mobile Handset Exploitation Team (MHET), a joint unit consisting of operatives from the U.S. National Security Agency (NSA) and the U.K. Government Communications Headquarters (GCHQ).
The access the two agencies allegedly obtained gave them the ability to monitor a broad range of voice and data communications. "Gemalto -- successfully implanted several machines and believe we have their entire network," a GCHQ document obtained by the Intercept states.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"Gaining access to a database of keys is pretty much game over for cellular encryption," Johns Hopkins University Information Security Institute (JHUISI) cryptography specialist Matthew Green told The Intercept.
On February 20, 2015, Gemalto noted, "The [Intercept] indicates the target was not Gemalto per se -- it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible, with the aim to monitor mobile communications without mobile network operators' and users' consent."
"We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation," Gemalto added.
The company stated that it is "especially vigilant against malicious hackers, and has detected, logged and mitigated many types of attempts over the years. At present we cannot prove a link between those past attempts and what was reported yesterday."
Gemalto executive vice president Paul Beverly told The Intercept, "I'm disturbed, quite concerned that this has happened. The most important thing for me is to understand exactly how this was done, so we can take every measure to ensure that it doesn't happen again, and also to make sure that there's no impact on the telecom operators that we have served in a very trusted manner for many years."
"What I want to understand is what sort of ramifications it has, or could have, on any of our customers," Beverly added.
Gemalto is planning to hold a press conference on Wednesday, February 25, 2015 to announce the results of its investigations into the issue.