Gemalto Confirms NSA Hack (But Says Mass Encryption Key Theft Didn’t Happen)

The world’s biggest maker of SIM cards for mobile phones, Gemalto, confirmed in an early AM press conference that it has “reasonable grounds” to believe that the NSA and GCHQ hacked its network in 2010-2011.  The Dutch firm went on to note that while the hack breached Gemalto’s office networks, it “could not have resulted in a massive theft of SIM encryption keys.”  Gemalto further noted that even had encryption keys been stolen, the government involved would only have picked up the ability to spy on generation 2G mobile networks, as 3G and 4G networks are not vulnerable to that sort of attack.

Gemalto further noted that though (given the nature of their business) they are frequently a target for digital attackers, they can confirm that in 2010 and 2011 they were the victims of a cyberattack that was particularly sophisticated and consistent with a state sponsored incursion into their computers.

“At the time we were unable to identify the perpetrators, but we now think that they could be related to the NSA and GCHQ operation. These intrusions only affected the outer parts of our networks – our office networks – which are in contact with the outside world. The SIM encryption keys, and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data,” Gemalto noted in a statement released on their investigation of the event.

That statement accompanies the final report from an investigation of the hacking that Gemalto has posted on its website.  The investigation was carried out in response to an article in The Intercept that had indicated (via documents leaked by Edward Snowden) that Gemalto’s encryption keys had been wholesale boosted by U.S. and British intelligence.

Gemalto’s statement defines the scope of the breach but does not outline any hard numbers, meaning it remains a somewhat open question as to how many encryption keys were stolen. On the upside,  Gemalto also reconfirmed that none of its other products were affected in the attack.

“While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another, and they are not connected to external networks.”

Gemalto also had some questions about the allegations of theft in some of the specific details – noting that elements of the report indicate that the Dutch SIM card maker might not have been a correctly identified target.  For example, the report notes that Gemalto hasn’t ever sold SIM cards to four of the twelve operators listed in the Intercept report.

So why steal access to 2G networks?

2G networks accounted for the vast majority of connections in China and India in 2010 and 2011, though only 25 percent of the U.S. and 50 percent of Western Europe.

“In 2010-2011 most operators in the targeted countries were still using 2G networks. The security level of this second generation technology was initially developed in the 1980s and was already considered weak and outdated by 2010. If the 2G SIM card encryption keys were to be intercepted by the intelligence services, it would be technically possible for them to spy on communications when the SIM card was in use in a mobile phone. This is a known weakness of the old 2G technology and for many years we have recommended that operators deploy extra security mechanisms. However, even if the encryption keys were intercepted by the Intelligence services they would have been of limited use. This is because most 2G SIMs in service at that time in these countries were prepaid cards which have a very short life cycle, typically between 3 and 6 months.”