In a press release late Tuesday night ( http://www.gemalto.com/press/Pages/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx ), Gemalto, one of the world’s largest SIM manufacturers, denied recent allegations that the company had a vast number of sensitive SIM encryption keys stolen by the National Security Agency (NSA) and Britain’s General Communications Headquarters (GCHQ).
The company's statement addressed a number of confidential documents from 2010 which were leaked by former NSA contractor Edward Snowden and published last week by The Intercept. The documents indicated that a task force organized by the NSA and GCHQ broke into Gemalto employee e-mails and found ways to steal the encryption keys corresponding to the SIMs that Gemalto manufactured and sent to mobile carriers. Such a hack would allow state-sponsored spies to decrypt traffic coming to a fake cell tower and thereby watch voice, data, and text messages without a wiretap.
But Gemalto says that after a “thorough investigation,” it concluded that although the company did experience hacks in 2010, it suffered none that could have resulted in the loss of the vast number of SIM encryption keys that The Intercept article referenced. And, the company continued, if some keys had been stolen, then technology pertaining to the 3G and 4G networks that Gemalto builds SIMs for would have prevented substantial hacking. The company believed 2G networks were the only ones that would have truly suffered under such a hack.
(Score: 4, Interesting) by janrinok on Thursday February 26 2015, @01:48PM
The document that Snowden released was authentic, or at least appeared so with the correct privacy markings and codewords displayed. For the hack to be included in a formal presentation by GCHQ and the exploitation of the data collected actually being referred to suggests that the attack did take place. If Gemalto have found some signs of an attack but nothing so serious to justify the references to it in the presentation, perhaps that is because the real attack hasn't yet been identified. It could be that the level of sophistication is rather more than a simple internet attack but something far more technical, and that it is still taking place today.
(Score: 0) by Anonymous Coward on Thursday February 26 2015, @02:07PM
Unless someone is pushing bad information through Snowden...
(Score: 3, Interesting) by Anonymous Coward on Thursday February 26 2015, @02:19PM
(Score: 2) by janrinok on Thursday February 26 2015, @02:40PM
(Score: 4, Insightful) by Ox0000 on Thursday February 26 2015, @03:00PM
In all fairness, it does appear that the second option is the most plausible one: "let's lie"
(Score: 0) by Anonymous Coward on Thursday February 26 2015, @05:53PM
Gemalto admitted to being hacked just not to the extent.
It's in their best interest to say that, yes we were hacked, we investigated, and found nothing was compromised so we are not culpable for not reporting it.
(Score: 5, Interesting) by Gravis on Thursday February 26 2015, @05:05PM
it doesnt matter what Gemalto reports because the truth is simple, the NSA and GCHQ got what they wanted, the ability to spy on all cell phones with their SIM cards. it's simple logic: would the NSA/GCHQ hack in, fail and then give up forever? no of course not, that is silly. they either got what the keys they wanted from hacking Gemalto directly or they got access indirectly like at the manufacturing plant. if Gemalto found out they got hacked and the keys are in the hands of the NSA/GCHQ would they admit to it and commit business suicide? no, they would lie about it because business is about money, not the truth.
(Score: 3, Insightful) by MrGuy on Thursday February 26 2015, @08:37PM
Gemalto has no direct reason to cooperate with GCHQ or NSA. They're neither a US nor UK entity. So it's unlikely the NSA or GCHQ would have sufficient leverage to persuade them to lie about this (especially after being exposed so publicly).
If they did an investigation that found they WERE compromised, would they say so or lie about it? I'd argue they still have a really strong reason to lie about this. Because the alternative would likely be bankruptcy.
Their customers (i.e. the telecoms) would likely demand a recall (because their customers would demand it of them). I don't see most people being OK with having knowingly compromised phones. The telecoms wouldn't offer to pay to fix a problem caused by Gemalto's lax security. This would likely lead to one of two untenable situations. Gemalto almost certainly couldn't afford to replace every compromised chip for free. They also couldn't afford to lose all their customers switch to competitors for all their future chips ("Switch to T-Mobile! Our chips aren't compromised!). It's not obvious to me how one of those two things doesn't happen. And either one seems to end in bankruptcy.
What Gemalto said was the only thing they could have said, regardless of what their internal investigation discovered. If they denied any breech, people wouldn't believe them, and would assume they were in on it with the NSA and friends, and their customers start walking away. If they admitted to what Snowden revealed, they're going bankrupt. The only option that gives them a fighting chance is to admit a breech but claim they weren't breeched in a way that would make a recall necessary.
(Score: 0) by Anonymous Coward on Thursday February 26 2015, @08:40PM
Gemalto Doesn't Know What It Doesn't Know [firstlook.org]
(Score: 0) by Anonymous Coward on Friday February 27 2015, @08:06AM
The claims that my code contains bugs are greatly exaggerated. I've spent five minutes scrolling through all 10 million lines, and not found a single bug.
If a bank claims that there is no signs of a break in, does the perpetrator get to keep the money?