SoylentNews is people
SoylentNews
In a press release late Tuesday night ( http://www.gemalto.com/press/Pages/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx ), Gemalto, one of the world’s largest SIM manufacturers, denied recent allegations that the company had a vast number of sensitive SIM encryption keys stolen by the National Security Agency (NSA) and Britain’s General Communications Headquarters (GCHQ).
The company's statement addressed a number of confidential documents from 2010 which were leaked by former NSA contractor Edward Snowden and published last week by The Intercept. The documents indicated that a task force organized by the NSA and GCHQ broke into Gemalto employee e-mails and found ways to steal the encryption keys corresponding to the SIMs that Gemalto manufactured and sent to mobile carriers. Such a hack would allow state-sponsored spies to decrypt traffic coming to a fake cell tower and thereby watch voice, data, and text messages without a wiretap.
But Gemalto says that after a “thorough investigation,” it concluded that although the company did experience hacks in 2010, it suffered none that could have resulted in the loss of the vast number of SIM encryption keys that The Intercept article referenced. And, the company continued, if some keys had been stolen, then technology pertaining to the 3G and 4G networks that Gemalto builds SIMs for would have prevented substantial hacking. The company believed 2G networks were the only ones that would have truly suffered under such a hack.
(Score: 3, Insightful) by MrGuy on Thursday February 26 2015, @08:37PM
Gemalto has no direct reason to cooperate with GCHQ or NSA. They're neither a US nor UK entity. So it's unlikely the NSA or GCHQ would have sufficient leverage to persuade them to lie about this (especially after being exposed so publicly).
If they did an investigation that found they WERE compromised, would they say so or lie about it? I'd argue they still have a really strong reason to lie about this. Because the alternative would likely be bankruptcy.
Their customers (i.e. the telecoms) would likely demand a recall (because their customers would demand it of them). I don't see most people being OK with having knowingly compromised phones. The telecoms wouldn't offer to pay to fix a problem caused by Gemalto's lax security. This would likely lead to one of two untenable situations. Gemalto almost certainly couldn't afford to replace every compromised chip for free. They also couldn't afford to lose all their customers switch to competitors for all their future chips ("Switch to T-Mobile! Our chips aren't compromised!). It's not obvious to me how one of those two things doesn't happen. And either one seems to end in bankruptcy.
What Gemalto said was the only thing they could have said, regardless of what their internal investigation discovered. If they denied any breech, people wouldn't believe them, and would assume they were in on it with the NSA and friends, and their customers start walking away. If they admitted to what Snowden revealed, they're going bankrupt. The only option that gives them a fighting chance is to admit a breech but claim they weren't breeched in a way that would make a recall necessary.