Keys could be intercepted from a small number of operators

Feb 25, 2015 14:01 GMT  ·  By

SIM maker Gemalto found evidence of sophisticated intrusions on its systems that could have been carried out by British and American intelligence agencies GCHQ and NSA, but did not discover traces that encryption keys for the SIM cards were stolen.

Gemalto is a digital security company that produces chips for mobile phone SIM cards used by more than 450 carriers worldwide.

NSA, GCHQ target Gemalto's crypto keys

Each chip holds a unique authentication key called “Ki” and stores the information that authenticates and identifies the subscriber on the network. The chips are also responsible for encrypting the communication passing through the carrier’s infrastructure, so anyone who steals the keys gains the same access to the conversations as the mobile carriers themselves.

On February 19, documents from the Edward Snowden archive were published by The Intercept, detailing a joint operation between GCHQ and NSA that had successfully exfiltrated the encryption keys for Gemalto SIM cards.

A slide from a secret GCHQ document dating back to 2010 states that the agency managed to plant malware on multiple machines at Gemalto, and that its entire network was believed to have been compromised.

Gemalto systems storing SIM encryption keys remained untouched

On Wednesday, Gemalto released the findings of its investigation of attacks targeting its infrastructure between 2010 and 2011, when the spy agencies initiated their hacking efforts.

The company detected “two particularly sophisticated intrusions which could be related to the operation,” but neither got past the office networks, which are segregated from the systems storing the encryption keys.

One incident was detected in June 2010, when an unidentified third party attempted to spy on the network used by Gemalto employees to communicate with each other and the outside world.

A second one occurred the following month as a result of a phishing attack. The messages, which carried malware in an attachment, were directed at a mobile operator customer, and legitimate Gemalto email addresses were spoofed for credibility.

“At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation. These intrusions only affected the outer parts of our networks - our office networks - which are in contact with the outside world. The SIM encryption keys and other customer data in general are not stored on these networks,” the statement from Gemalto says.

The infrastructure Gemalto relies on consists of multiple networks for specific purposes, each being isolated from the others and the Internet-facing network. The company says that it found no signs of breaches in the infrastructure running SIM activity.

The chip maker believes that remotely compromising the machines storing the SIM encryption keys would be extremely difficult to orchestrate.

Risk of data intercepted in transit existed, but not in all cases

However, a secret file from the spy agencies also indicates that other parties, namely mobile operators, were targeted, and describes a successful method of snatching the keys while in transit between the mobile network operator and the SIM supplier; Gemalto believes this is the approach the intelligence services actually used.

The chip maker says that the risk of data interception was greatly reduced by the secure exchange mechanism the company had implemented before 2010, but not all operators had adopted it, and their data would have been vulnerable to interception.

Moreover, Gemalto says that in the time frame of the incidents most operators were still using 2G networks, a technology known at the time to be outdated and vulnerable, and that the SIMs involved were mostly for pre-paid cards, which generally have a short lifespan (three to six months).

Interception of the encryption key for the more secure 3G and 4G SIMs would have been useless to the agencies, Gemalto says, because the technology benefits from additional layers of encryption and connecting to the network is not possible with the Ki alone.

“However, though backward compatible with 2G, these newer products are not used everywhere around the world as they are a bit more expensive and sometimes operators base their purchasing decision on price alone,” the report from Gemalto says.