Gemalto reveals GCHQ, NSA failed to crack SIM encryption keys

Gemalto confirmed that UK and U.S. security agencies likely mounted an operation to hack SIM card encryption in 2010 and 2011, but said the attacks failed to get beyond its office networks thanks to a secure encryption key transfer system.

The Amsterdam-headquartered digital security company last week opened a probe into claims by former U.S. NSA contractor Edward Snowden that the agency, along with the UK's GCHQ, conducted a targeted attack designed to breach Gemalto's SIM card encryption keys.

In a statement on Wednesday, Gemalto announced that its investigation confirmed such an attack probably happened, but that the attacks could "not have resulted in a massive theft of SIM encryption keys," as was initially feared.

Gemalto added that the attacks only breached its own office networks, and that the security agencies failed to crack encryption keys because they attempted to breach the keys at the point they are exchanged between mobile network operators. "By 2010, Gemalto had already widely deployed a secure transfer system with its customers and only rare exceptions to this scheme could have led to theft," the company stated.

If GCHQ and the NSA did manage to crack any encryption keys, it was only on 2G networks. "3G and 4G networks are not vulnerable to this type of attack," the company noted.

Gemalto said that its role as a digital security company means there are regular attempts to hack its networks. "These intrusion attempts are more or less sophisticated and we are used to dealing with them," it stated, adding: "Most are not successful while only a few penetrate the outer level of our highly secure network architecture."

An investigation of incidents already logged for 2010 and 2011 identified several attempts to breach Gemalto security that could have been the result of NSA and GCHQ activities, the company said. However, while Gemalto noted the attacks were "serious" and "sophisticated", it said they failed to breach infrastructure running SIM activities or other parts of its secure network that handle products including "banking cards, ID cards or electronic passports."

Gemalto also said its investigation "shows that the NSA and GCHQ targeted numerous parties beyond Gemalto."

Rival SIM manufacturer Giesecke & Devrient (G&D) yesterday said it is taking the reports of attempted encryption hacks "very seriously".

Stefan Auerbach, a member of the G&D Management Board and head of its Mobile Security business unit, said the company introduced "additional measures to review the established security processes" after news of the attempted SIM attacks broke.

The company argued that the security agencies' focus on SIM encryption keys is actually a positive in terms of SIM security. "The SIM card is so secure that in the case revealed recently, even intelligence services preferred to steal the key rather than attack the SIM card."

For more:
- see Gemalto's investigation statement
- view this G&D announcement

Related Articles:
Gemalto pledges to probe claims of NSA, GCHQ SIM encryption breaches
Gemalto says its initial investigation found its SIM cards are 'secure,' despite report of hacking
Leading German telcos face NSA, GCHQ spy probe
TeliaSonera latest to reveal authorities' communication-interception requests
European leaders discuss home-grown comms network to prevent U.S. spying
Deutsche Telekom launches mobile encryption app