Gemalto says its initial investigation found its SIM cards are 'secure,' despite report of hacking

SIM-card giant Gemalto said that its initial probe has indicated that its products are "secure" following a report that American and British spies hacked into its system and compromised the security of millions of SIM encryption keys.

"Initial conclusions already indicate that Gemalto SIM products (as well as banking cards, passports and other products and platforms) are secure and the Company doesn't expect to endure a significant financial prejudice," the company said in a brief statement.

Gemalto said it will provide the full report of its investigation via a press release and press conference in Paris on Feb. 25. The company did not provide details of how it is conducting its investigation other than to say that it is "devoting the necessary resources to investigate and understand the scope of such sophisticated techniques."

The Intercept reported last week that, according documents provided by former National Security Agency analyst Edward Snowden, the NSA and its British counterpart, Government Communications Headquarters, or GCHQ, penetrated Gemalto's internal computer systems. The report said that the spy agencies harvested encryption keys for SIM cards so that they could secretly monitor cellular voice and data traffic. That would have allowed the agencies to bypass the need to get permission from carriers or governments to wiretap intelligence targets' communications.

A GCHQ document said during a three-month period in 2010 the spy agencies were able to harvest millions of keys, and that as of 2009, the NSA had the capability to process between 12 and 22 million keys per second. However, the report notes that to date it is impossible to determine how many encryption keys for SIM cards have been stolen, but that "even using conservative math, the numbers are likely staggering."

Verizon Wireless (NYSE: VZ), AT&T Mobility (NYSE: T), Sprint (NYSE: S), T-Mobile US (NYSE:TMUS) and around 450 other wireless carriers around the world are among Gemalto's customers. Gemalto produces around 2 billion SIM cards per year.

Japanese carrier NTT DoCoMo is looking into whether the security of its customers has been compromised, according to Reuters. The operator started using SIM card produced by Gemalto in 2001, DoCoMo spokesman Takashi Itou told Reuters. He declined to say how heavily the company relies on Gemalto for its SIM cards. "We will consider any necessary steps based on the results of our investigation," Itou said.

For more:
- see this Gemalto statement
- see this The Verge article
- see this TechCrunch article
- see these two separate Reuters articles

Related Articles:
Gemalto launches probe after report claims NSA, GCHQ hacked its system to steal SIM card encryption keys
Researcher says up to 750M phones may be vulnerable to SIM card security flaw
Wickr, secure messaging startup, aims to power encrypted communications for Facebook and financial transactions
T-Mobile upgrades to A5/3 encryption on parts of GSM network in attempt to thwart eavesdropping
Apple's Cook meets with Chinese vice premier following report of iCloud hack in China
FBI director says cell phone data must be available for law enforcement

Sponsored By VIAVI Solutions

O-RAN: an Open Ecosystem to Power 5G Applications

NEMs and operators worldwide are adopting O-RAN to lower the barrier to entry for new product innovation and to reduce infrastructure deployment costs. Read this paper to learn about O-RAN, related standards initiatives, and the developing ecosystem.