Despite leaked documents from the NSA showing otherwise, officials at Gemalto on Wednesday said the company has found no evidence that its SIM card infrastructure was compromised several years ago by the NSA and GCHQ. The company identified a handful of what it called sophisticated attacks in the timeframe in question, but said none of them affected its secure networks.
Gemalto’s statements come after nearly a week of questions surrounding a reported attack on the company by a joint team of NSA and GCHQ officers. The goal of the operation apparently was to steal the encryption keys for millions of SIM cards for mobile devices, a move that would give those agencies access to the encrypted voice and data communications going to and from those devices. The report is based on a document stolen from NSA by Edward Snowden that says in part, “Gemalto–successfully implanted several machines and believe we have their entire network…”
However, Gemalto officials said that, after investigating incidents on its network during the timeframe in question, 2010 and 2011, they did not find any incident that compromised the network that houses its SIM card infrastructure and other sensitive data.
“No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks,” the company said in a statement.
The Gemalto saga is the latest to emerge from the stolen Snowden documents, and in some ways it’s one of the more concerning. Gemalto is a company with headquarters in Germany and the Netherlands, countries that are both allies of the United States and UK. An operation spearheaded by those countries’ signals intelligence agencies to compromise a major technology provider in an allied country is audacious and shows the lengths to which those agencies will go to acquire their targets.
Gemalto officials said that there are some specific incidents that the company’s security team identified as potentially being associated with NSA and GCHQ, including a spear-phishing campaign.
“In July 2010, a second incident was identified by our Security Team. This involved fake emails sent to one of our mobile operator customers spoofing legitimate Gemalto email addresses. The fake emails contained an attachment that could download malicious code. We immediately informed the customer and also notified the relevant authorities both of the incident itself and the type of malware used. During the same period, we also detected several attempts to access the PCs of Gemalto employees who had regular contact with customers,” the statement said.
“At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation. These intrusions only affected the outer parts of our networks – our office networks – which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks. It is important to understand that our network architecture is designed like a cross between an onion and an orange; it has multiple layers and segments which help to cluster and isolate data.”
One key reason that an intelligence agency might want access to a large database of SIM card encryption keys is that trying to attack the encryption capabilities on individual devices doesn’t scale very well. This is why the NSA has been working to attack encryption algorithms. Gemalto officials called out the intelligence agencies, and said that while they are confident in the security of their networks, defending against attackers with the resources of the NSA or GCHQ is a challenge.
“Nevertheless, we are conscious that the most eminent state agencies, especially when they work together, have resources and legal support that go far beyond that of typical hackers and criminal organizations. And, we are concerned that they could be involved in such indiscriminate operations against private companies with no grounds for suspicion,” the statement says.