“The investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened,” Gemalto announced on Wednesday.
The company noted that they, as a digital security company, experience a lot of attacks and that looking back at the period covered by Snowden’s documents, there were two “particularly sophisticated intrusions” that could have been effected by the intelligence agencies.
But they say that these intrusions affected only their office networks, and that SIM encryption keys and other customer data are not stored on those networks. “No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks,” they reassured.
All of this makes them believe that the agencies “chose to target the data as it was transmitted between suppliers and mobile operators as explained in the documents.”
Since well before 2010, Gemalto uses “highly secure exchange processes” when sending and receiving SIM data, they added, but at the same time “these data transmission methods were not universally used and certain operators and suppliers had opted not to use them.”
They also pointed out some discrepancies in the report that indicate that the NSA and GCHQ targeted other parties besides them: targeted operators with whom they didn’t do business with, locations of personalization centers that they didn’t operate at the time, etc.
Finally, they try to reassure that 3G and 4G cards could not have been affected by the attack.
“In 2010-2011 most operators in the targeted countries were still using 2G networks. The security level of this second generation technology was initially developed in the 1980s and was already considered weak and outdated by 2010. If the 2G SIM card encryption keys were to be intercepted by the intelligence services, it would be technically possible for them to spy on communications when the SIM card was in use in a mobile phone,” they explained.
“This is a known weakness of the old 2G technology and for many years we have recommended that operators deploy extra security mechanisms. However, even if the encryption keys were intercepted by the Intelligence services they would have been of limited use. This is because most 2G SIMs in service at that time in these countries were prepaid cards which have a very short life cycle, typically between 3 and 6 months.”
“This known weakness in the original 2G standards was removed with the introduction of proprietary algorithms, which are still used as an extra level of security by major network operators. The security level was further increased with the arrival of 3G and 4G technologies which have additional encryption. If someone intercepted the encryption keys used in 3G or 4G SIMs they would not be able to connect to the networks and consequently would be unable to spy on communications.”