The world’s largest SIM card maker said it has “reasonable grounds” to believe that its networks were hacked by the National Security Agency and the U.K.’s Government Communications Headquarters in 2010 and 2011. However, Gemalto does not think that SIM card encryption keys were compromised.
The French company shared the findings of the investigation it launched after Edward Snowden alleged that the two government agencies had hacked Gemalto’s networks. Gemalto said the attacks breached its office networks, but could not have resulted in massive theft of SIM card keys. Furthermore, if encryption keys were stolen, they would only enable the government agents to intercept communications on 2G networks.
If the U.S. and U.K. agencies did try to compromise Gemalto’s network, they were not alone. The company said its networks are a constant target and that it experienced many attempted hacks during 2010 and 2011. But as it looks back at the data, Gemalto said it finds “two particularly sophisticated attacks [that]could be related to the operations.”
Gemalto said it noticed suspicious activities in the summer of 2010. In one instance, someone was trying to spy on the company’s internal communications network. In another, employees at one of Gemalto’s mobile operator customers were receiving fake e-mails that purported to be from legitimate Gemalto e-mail addresses. The fake e-mails contained contaminated attachments. Gemalto said it immediately notified the mobile operator when the incident was discovered that summer. Now the company thinks both attacks may have been instigated by government agents.
Gemalto outlined three ways that it can defend against future attacks: systematic encryption of data; use of up-to-date SIM cards; and customized algorithms for each mobile operator. The company said that by 2010 it had already implemented a secure transfer system with its customers, making the actual theft of SIM card encryption keys very unlikely.